
15850 matches found

CVE
added 2026/01/08 9:17 a.m., 11 views

CVE-2025-67926

CVE-2025-67926 is a public WordPress vulnerability described by Wordfence in the January 2026 weekly vulnerability report. It is a Missing Authorization issue in Fluent Support (WordPress plugin) where access control is incorrectly configured, affecting Fluent Support versions up to 1.10.4. The C...

CVSS 6.5, AI score 6.6, EPSS 0.00253
Exploits 0, References 1
Vulnrichment
added 2026/01/08 9:17 a.m., 2 views

CVE-2025-67919 WordPress Woffice Core plugin <= 5.4.30 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice Core: from n/a through <= 5.4.30...

CVSS 6.5, AI score 6.6, EPSS 0.0027
Exploits 0, References 1
CVE
added 2026/01/08 9:17 a.m., 9 views

CVE-2025-67915

CVE-2025-67915 affects the Timetics: Appointment Booking Calendar (WP Timetics Booking Plugin) Timetics <= 1.0.46. Wordfence reports an Incorrect Authorization issue (Authenticated Timetics Customer+) that enables user creation, i.e., an authentication/authorization bypass leading to account c...

CVSS 8.8, AI score 6.6, EPSS 0.0037
Exploits 0, References 1
CVE
added 2026/01/08 9:17 a.m., 11 views

CVE-2025-67913

CVE-2025-67913 describes a Missing Authorization vulnerability in Aruba HiSpeed Cache (aruba-hispeed-cache). Access to functionality is not properly constrained by ACLs, affecting Aruba HiSpeed Cache versions older than 3.0.3. Red Hat notes the issue under the same CVE and confirms patching in Ar...

CVSS 6.5, AI score 6.6, EPSS 0.00242
Exploits 0, References 1
CVE
added 2026/01/08 9:17 a.m., 11 views

CVE-2025-27002

CVE-2025-27002: Reflected XSS in CountDown With Image or Video Background (WordPress plugin). Affected: CountDown With Image or Video Background

CVSS 7.1, AI score 6, EPSS 0.0018
Exploits 0, References 1
CVE
added 2026/01/08 9:17 a.m., 7 views

CVE-2025-22726

CVE-2025-22726 is a Server-Side Request Forgery (SSRF) vulnerability in the WordPress plugin nK Themes Helper (nk-themes-helper). The vulnerability affects versions from 0 up to and including 1.7.9, allowing an attacker to cause the server to make arbitrary requests. The publicly cited CVSS vecto...

CVSS 6.4, AI score 6.7, EPSS 0.00217
Exploits 0, References 1
CVE
added 2026/01/08 9:17 a.m., 11 views

CVE-2025-23504

CVE-2025-23504 affects RiceTheme Felan Framework (felan-framework) up to version 1.1.3. The vulnerability is an Authentication Bypass via an alternate path or channel, enabling Authentication Abuse. Impact details stated across sources indicate high severity with potential total implications for ...

CVSS 9.8, AI score 6.6, EPSS 0.00429
Exploits 0, References 1
CVE
added 2026/01/08 9:17 a.m., 9 views

CVE-2025-22725

CVE-2025-22725 affects the WordPress plugin WP Virtual Assistant (VirtualAssistant). The connected Wordfence report confirms an unauthenticated stored XSS vulnerability in the plugin’s web page generation, affecting the “Virtual Assistant” feature and versions up to 3.0/3.1 as cited. The CVE des...

CVSS 7.1, AI score 5.9, EPSS 0.00222
Exploits 0, References 1
Vulnrichment
added 2026/01/08 9:17 a.m., 3 views

CVE-2025-22713 WordPress WooCommerce Orders & Customers Exporter plugin <= 5.4 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4...

CVSS 8.5, AI score 7.3, EPSS 0.00321
Exploits 0, References 1
Patchstack
added 2026/01/08 8:12 a.m., 3 views

WordPress Felan Framework plugin <= 1.1.3 - Account Takeover vulnerability

Account Takeover vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Felan Framework versions <= 1.1.3...

CVSS 9.8, AI score 7, EPSS 0.00429
Exploits 0, Affected Software 1
Patchstack
added 2026/01/08 7:57 a.m., 5 views

WordPress WP Virtual Assistant plugin <= 3.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin WP Virtual Assistant versions <= 3.1...

CVSS 5.4, AI score 5.4, EPSS 0.00222
Exploits 0, Affected Software 1
Patchstack
added 2026/01/08 7:55 a.m., 4 views

WordPress WP Attractive Donations System - Easy Stripe & Paypal donations plugin <= 1.25 - Arbitrary Content Deletion vulnerability

WordPress WP Attractive Donations System - Easy Stripe & Paypal donations plugin <= 1.25 - Arbitrary Content Deletion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin WP Attractive Donations System - Easy Stripe & Paypal donations versions <= 1.25...

CVSS 8.1, AI score 7, EPSS 0.0038
Exploits 0, Affected Software 1
EUVD
added 2026/01/08 1:50 a.m., 3 views

EUVD-2026-1597

The WP Cost Estimation plugin for WordPress is vulnerable to Upload Directory Traversal in versions before 9.660 via the uploadFormFiles function. This allows attackers to overwrite any file with a whitelisted type on an affected site...

CVSS 6.5, AI score 6, EPSS 0.00528
Exploits 0, References 5
CNNVD
added 2026/01/08 12:0 a.m., 1 views

WordPress plugin OchaHouse security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 8.1, AI score 6.4, EPSS 0.00512
Exploits 0, References 1
CNNVD
added 2026/01/08 12:0 a.m., 4 views

WordPress plugin Real Estate Pro security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 7.1, AI score 6.2, EPSS 0.00228
Exploits 0, References 1
CNNVD
added 2026/01/08 12:0 a.m., 2 views

WordPress plugin Image Slider Slideshow security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 4.3, AI score 6.6, EPSS 0.0017
Exploits 0, References 2
NVD
added 2026/01/07 12:16 p.m., 1 views

CVE-2025-13497

The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, EPSS 0.00243
Exploits 0, References 4
RedhatCVE
added 2026/01/07 9:54 a.m., 10 views

CVE-2025-1524

The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 3.5, AI score 5.7, EPSS 0.00219
Exploits 1, References 1
RedhatCVE
added 2026/01/07 9:54 a.m., 14 views

CVE-2025-1627

The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 5.4, AI score 5.9, EPSS 0.00204
Exploits 1, References 1
RedhatCVE
added 2026/01/07 9:54 a.m., 23 views

CVE-2025-1453

The Category Posts Widget WordPress plugin before 4.9.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 4.8, AI score 5.7, EPSS 0.00219
Exploits 1, References 1