581 matches found
CVE-2025-0818
The CVE-2025-0818 entry maps to a Directory Traversal affecting several WordPress file-manager plugins using elFinder up to version 2.1.64. Connected sources confirm concrete exploit details: unauthenticated attackers can delete arbitrary files when a file-manager instance is exposed to users. Re...
CVE-2025-0818 Multiple elFinder Plugins <= (Various Versions) - Directory Traversal to Arbitrary File Deletion
Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an...
PT-2025-32965
Name of the Vulnerable Software and Affected Versions: Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress versions up to and including 1.4.3 Description: The plugin is susceptible to a PHP Object Injection due to the deserialization of untrusted input within the get lead...
How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes
SQL Injection SQLi , a vulnerability almost as old as database-driven web applications themselves CWE-89, persists as a classic example of failing to neutralize user-supplied input before it's used in a SQL query. So why does this well-understood vulnerability type continue to exist? In the...
CVE-2025-6730
CVE-2025-6730 : Bonanza – WooCommerce Free Gifts Lite (WordPress) up to version 1.0.0 is vulnerable to unauthorized data modification due to a missing capability check in xlo_optin_call(). Authenticated users with Subscriber level access and above can set the opt-in status to success. Impact is l...
CVE-2025-7696
The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verifyfieldval function. This makes it possible for...
CVE-2025-7696 Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function
The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verifyfieldval function. This makes it possible for...
CVE-2025-7697 Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function
The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verifyfieldval function. This makes it possible for...
CVE-2025-2537
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library version 3.1 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-2540
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library version 3.1.6 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
CVE-2024-5647
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library version 1.1.0 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
CVE-2025-2537
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library version 3.1 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
Wordfence Intelligence Weekly WordPress Vulnerability Report (June 23, 2025 to June 29, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards forall in-scope submissions from our 'High Threat' list in software with fewer than 5 million active installs. Bounties up to $31,200 per...
CVE-2025-2537
CVE-2025-2537 involves Stored DOM-Based Cross-Site Scripting via the ThickBox JavaScript library (v3.1) in multiple WordPress plugins. The description and connected sources confirm an authenticated attacker with contributor-level access can inject scripts into pages, which execute for users visit...
CVE-2025-2540
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library version 3.1.6 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
CVE-2025-2540
CVE-2025-2540 covers a class of stored DOM-based Cross-Site Scripting flaws in WordPress plugins that bundle the prettyPhoto JavaScript library (v3.1.6). The issue arises from insufficient input sanitization and output escaping on user-supplied attributes, enabling authenticated attackers with co...
CVE-2025-2540 Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via prettyPhoto JavaScript Library
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library version 3.1.6 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
CVE-2025-2540 Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via prettyPhoto JavaScript Library
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library version 3.1.6 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
CVE-2024-5647
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library version 1.1.0 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
CVE-2024-5647
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library version 1.1.0 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...