Export limit exceeded: 10162 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10162 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6316 | 1 Mw Wp Form Project | 1 Mw Wp Form | 2026-04-08 | 9.8 Critical |
| The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-6220 | 1 Piotnet | 1 Piotnet Forms | 2026-04-08 | 8.1 High |
| The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'piotnetforms_ajax_form_builder' function in versions up to, and including, 1.0.28. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-4142 | 1 Smackcoders | 1 Wp Ultimate Csv Importer | 2026-04-08 | 8 High |
| The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code execution is still possible for site administrators, use the plugin with caution. | ||||
| CVE-2023-4141 | 1 Smackcoders | 1 Wp Ultimate Csv Importer | 2026-04-08 | 8 High |
| The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution. | ||||
| CVE-2023-3342 | 1 Wpeverest | 1 User Registration | 2026-04-08 | 9.9 Critical |
| The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1. | ||||
| CVE-2022-4950 | 2 Coolplugins, Cryptocurrency Payment \& Donation Box Plugins | 10 Cool Timeline, Cryptocurrency Widgets, Cryptocurrency Widgets For Elementor and 7 more | 2026-04-08 | 8.8 High |
| Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber. | ||||
| CVE-2022-4949 | 2 Adsanityplugin, Xen | 2 Adsanity, Xen | 2026-04-08 | 8.8 High |
| The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected sites server which makes remote code execution possible. | ||||
| CVE-2022-3384 | 1 Ultimatemember | 1 Ultimate Member | 2026-04-08 | 7.2 High |
| The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP functions like phpinfo(); since user supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server. | ||||
| CVE-2022-3383 | 1 Ultimatemember | 1 Ultimate Member | 2026-04-08 | 7.2 High |
| The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server. | ||||
| CVE-2022-2441 | 1 Orangelab | 1 Imagemagick Engine | 2026-04-08 | 8.8 High |
| The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access to the affected server. | ||||
| CVE-2022-0888 | 1 Ninjaforms | 1 Ninja Forms File Uploads | 2026-04-08 | 9.8 Critical |
| The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0 | ||||
| CVE-2021-4382 | 1 Recently Project | 1 Recently | 2026-04-08 | 8.8 High |
| The Recently plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the fetch_external_image() function in versions up to, and including, 3.0.4. This makes it possible for authenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2021-4368 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2026-04-08 | 9.9 Critical |
| The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities. | ||||
| CVE-2016-15033 | 1 Delete All Comments Project | 1 Delete All Comments | 2026-04-08 | 9.8 Critical |
| The Delete All Comments plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the via the delete-all-comments.php file in versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2025-7341 | 1 Hasthemes | 1 Download Contact Form 7 Widget For Elementor Page Builder \& Gutenberg Blocks | 2026-04-08 | 9.1 Critical |
| The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-5058 | 1 Emagicone | 1 Emagicone Store Manager For Woocommerce | 2026-04-08 | 9.8 Critical |
| The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials. | ||||
| CVE-2025-4336 | 1 Emagicone | 1 Emagicone Store Manager For Woocommerce | 2026-04-08 | 8.1 High |
| The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials. | ||||
| CVE-2025-2512 | 1 File Away Project | 1 File Away | 2026-04-08 | 9.8 Critical |
| The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-9307 | 1 Themelooks | 2 Mfolio, Mfolio Lite | 2026-04-08 | 9.9 Critical |
| The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file or upload arbitrary EXE files on the affected site's server which may make remote code execution possible if the attacker can also gain access to run the .exe file, or trick a site visitor into downloading and running the .exe file. | ||||
| CVE-2024-8425 | 1 Wpswings | 1 Woocommerce Ultimate Gift Card | 2026-04-08 | 9.8 Critical |
| The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that this may have been patched on an older version than 2.9.2, however, we do not have access to older versions of the software to confirm when the patch was added. The only patched version we have confirmed is 2.9.3. | ||||