422 matches found
CVE-2025-6754
CVE-2025-6754 (SEO Metrics for WordPress) : The WordPress plugin versions 1.0.5–1.0.15 are affected by privilege-escalation due to missing authorization checks in seo_metrics_handle_connect_button_click() and seo_metrics_handle_custom_endpoint(). An attacker with subscriber-level access can obtai...
CVE-2025-6831 User Registration <= 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via urcr_restrict Shortcode
The User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's urcrrestrict shortcode in all versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-6997 ThemeREX Addons <= 2.35.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trx_addons_get_svg_from_file Function
The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the trxaddonsgetsvgfromfile function on an...
CVE-2025-7340
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the tempfileupload function in all versions up to, and including, 2.2.1. This makes it possible for...
CVE-2025-47652
CVE-2025-47652 concerns Infility Global plugin for WordPress (versions up to 2.13.4). The issue is a Reflected Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. The CVSS v3.1 base score is 7.1 (High) with NETWORK attack vector, LOW impact on confidenti...
CVE-2025-48345
CVE-2025-48345 : Reflected XSS in the WordPress plugin Contact Form 7 Editor Button (versions ≤ 1.0.0). Root cause is improper input neutralization during web page generation, enabling a reflected payload to run in a victim’s browser. Affected software is the Contact Form 7 Editor Button plugin f...
CVE-2025-54037 WordPress News Kit Elementor Addons plugin <= 1.3.4 - Broken Access Control Vulnerability
Missing Authorization vulnerability in blazethemes News Kit Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Kit Elementor Addons: from n/a through 1.3.4...
CVE-2025-54026
CVE-2025-54026 corresponds to a SQL Injection vulnerability in GymBase Theme Classes (WordPress plugin). Affected versions are from n/a through 1.4; root cause cited as improper neutralization of SQL elements. Evidence from multiple sources confirms the issue is a database query vulnerability tha...
CVE-2025-53984 WordPress JetTabs plugin <= 2.2.9 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Crocoblock JetTabs jet-tabs allows Stored XSS.This issue affects JetTabs: from n/a through = 2.2.9...
CVE-2025-49302 WordPress Easy Stripe plugin <= 1.1 - Remote Code Execution (RCE) Vulnerability
Improper Control of Generation of Code 'Code Injection' vulnerability in Scott Paterson Easy Stripe easy-stripe allows Remote Code Inclusion.This issue affects Easy Stripe: from n/a through = 1.1...
CVE-2025-52832 WordPress NGG Smart Image Search plugin <= 3.4.1 - SQL Injection Vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows SQL Injection.This issue affects NGG Smart Image Search: from n/a through = 3.4.1...
CVE-2025-28963 WordPress URL Shortener plugin <= 3.0.7 - Server Side Request Forgery (SSRF) Vulnerability
Server-Side Request Forgery SSRF vulnerability in Md Yeasin Ul Haider URL Shortener allows Server Side Request Forgery. This issue affects URL Shortener: from n/a through 3.0.7...
CVE-2025-27358 WordPress Frontend File Manager plugin <= 23.6 - Content Injection vulnerability
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Code Injection.This issue affects Frontend File Manager: from n/a through = 23.6...
CVE-2025-24764 WordPress (Simply) Guest Author Name plugin <= 4.36 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in A. Jones Simply Guest Author Name allows DOM-Based XSS. This issue affects Simply Guest Author Name: from n/a through 4.36...
CVE-2025-4380
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsatemplate' parameter of the bsapreviewcallback function. This makes it possible for unauthenticated attackers to includ...
CVE-2025-6687 Magic Buttons for Elementor <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode
The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on the 'icon' user supplied attributes. This makes it...
CVE-2025-53338 WordPress re.place plugin <= 0.2.1 - Cross Site Request Forgery (CSRF) Vulnerability
Cross-Site Request Forgery CSRF vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1...
CVE-2025-53295
CVE-2025-53295 concerns iCount Payment Gateway <= 2.0.6 with a Missing Authorization issue allowing access to constrained functionality. The provided data shows CVSS v3.1 base score 5.3 (Medium) and an unauthenticated/unauthorized access risk. Patch guidance appears in Patchstack: iCount Payme...
CVE-2025-53279
CVE-2025-53279 is a DOM-based XSS vulnerability in the Popup addon for Ninja Forms, caused by improper input neutralization during web page generation. Affected: Popup addon for Ninja Forms (versions up to 3.4). Impact and exploitability are described in public sources as XSS; CVSS details are pr...
CVE-2025-53197 WordPress Cookiebot plugin <= 4.5.8 - Cross Site Request Forgery (CSRF) Vulnerability
Cross-Site Request Forgery CSRF vulnerability in cookiebot Cookiebot allows Cross Site Request Forgery. This issue affects Cookiebot: from n/a through 4.5.8...