CVE-2025-58863
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SdeWijs Zoomify embed for WP zoom-image-shortcode allows Stored XSS. This issue affects Zoomify embed for WP: from n/a through <= 1.5.2...
Linux Distros Unpatched Vulnerability : CVE-2017-6814
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist...
Linux Distros Unpatched Vulnerability : CVE-2018-10102
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. (CVE-2018-10102) Note that...
Linux Distros Unpatched Vulnerability : CVE-2017-5488
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or...
Linux Distros Unpatched Vulnerability : CVE-2012-0937
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL databas...
Linux Distros Unpatched Vulnerability : CVE-2011-4898
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname paramete...
WordPress plugin Avishi WP PayPal Payment Button cross-site request forgery vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that runs personal blog sites on servers with PHP and MySQL. A WordPress plugin is an extension for that platform. A cross-site request forgery...
PT-2025-27586 · WordPress · The Ads Pro Plugin
Name of the Vulnerable Software and Affected Versions: The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager, versions up to and including 4.89. Description: The issue allows unauthenticated attackers to include and execute arbitrary files on the server via the bsa_template parameter o...
PT-2025-26208 · WordPress · Oceanwp
Name of the Vulnerable Software and Affected Versions: OceanWP theme for WordPress, versions up to and including 4.0.9. Description: The issue is Stored Cross-Site Scripting via the Select HTML tag due to insufficient input sanitization and output escaping. This allows authenticated...
Hemi VDP: WordPress Version Exposure via ███████ on hemi.xyz
The WordPress CMS version was exposed in the XML file at https://hemi.xyz███. This disclosure allowed attackers to fingerprint the CMS version...
CVE-2025-3055
The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above,...
CVE-2025-47670
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through <=...
CVE-2025-32292
Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress jarvis allows Object Injection. This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through <= 1.8.11...
CVE-2025-39485
CVE-2025-39485 concerns the Grand Tour | Travel Agency WordPress theme deserializing untrusted data, enabling PHP object injection in versions up to 5.5.1. Public sources confirm a WordPress theme vulnerability with a critical CVSS 9.8, affecting the Grand Tour theme and labeled as unpatched in t...
CVE-2024-2347
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...
CVE-2024-9434
The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the ontranslateoptionspage function. This makes it possible for unauthenticated attackers to inject...
CVE-2024-6554
The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is due to the plugin utilizing composer without preventing direct access to the files. This makes it possible for...
CVE-2024-12311
The Email Subscribers by Icegram Express WordPress plugin before 5.7.44 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks...
CVE-2023-28662
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action...
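CVE-2024-12311 and CVE-2023-28662 are the same defect at different privilege levels: a parameter is used in a SQL statement without being sanitized, escaped or, better, bound. The example below is added here and is not code from Icegram Express or the Gift Cards plugin. It contrasts an interpolated query with a prepared one against an in-memory SQLite database constructed for the demo (needs the pdo_sqlite extension), and adds the case binding cannot solve, a request-controlled ORDER BY direction. The table, rows and function names are invented; in WordPress the safe form is `$wpdb->prepare()` with `%s`/`%d` placeholders.

```php
<?php
// Added example; not code from Icegram Express or Gift Cards (Gift Vouchers
// and Packages). Table, rows and the "template" parameter are constructed.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE vouchers (id INTEGER PRIMARY KEY, template TEXT NOT NULL, code TEXT NOT NULL)');
    $db->exec("INSERT INTO vouchers (template, code) VALUES ('default', 'GIFT-0001'), ('xmas', 'GIFT-0002')");
    return $db;
}

// Vulnerable: the parameter becomes part of the SQL text.
function codes_for_template_vulnerable(PDO $db, string $template): array
{
    $sql = "SELECT code FROM vouchers WHERE template = '" . $template . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the parameter is bound; the SQL text is fixed before any data arrives.
function codes_for_template(PDO $db, string $template): array
{
    $stmt = $db->prepare('SELECT code FROM vouchers WHERE template = :template');
    $stmt->execute([':template' => $template]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Where an identifier or keyword (column, sort direction) comes from the
// request, placeholders cannot carry it; map it through an allowlist instead.
function codes_ordered(PDO $db, string $requestedOrder): array
{
    $order = ['asc' => 'ASC', 'desc' => 'DESC'][strtolower($requestedOrder)] ?? 'ASC';
    return $db->query("SELECT code FROM vouchers ORDER BY code $order")->fetchAll(PDO::FETCH_COLUMN);
}

function check(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . PHP_EOL;
}

$db      = make_db();
$payload = "x' OR '1'='1";                      // constructed attacker value

check('normal lookup, vulnerable form',
      codes_for_template_vulnerable($db, 'xmas') === ['GIFT-0002']);
check('payload dumps every row through the vulnerable form',
      count(codes_for_template_vulnerable($db, $payload)) === 2);
check('normal lookup, prepared form',
      codes_for_template($db, 'xmas') === ['GIFT-0002']);
check('payload matches nothing through the prepared form',
      codes_for_template($db, $payload) === []);
check('unknown sort direction falls back to ASC instead of reaching SQL',
      codes_ordered($db, 'desc; DROP TABLE vouchers') === ['GIFT-0001', 'GIFT-0002']);
```

The Icegram entry is admin-only, which is why it rates lower than the unauthenticated Gift Cards case, but the fix is identical: the data path into the statement, not the caller's role, is what decides whether injection is possible. With `$wpdb`, the equivalent of `codes_for_template()` is `$wpdb->get_col($wpdb->prepare("SELECT code FROM {$wpdb->prefix}vouchers WHERE template = %s", $template))`.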
CVE-2023-6561
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the featured image alt text in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
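Four entries on this page (Zoomify embed, OceanWP, Astra, FIFU) carry the same phrase, "insufficient input sanitization and output escaping", for a stored value such as a display name or an image alt text. The example below is added here and is not code from any of those plugins or themes. It renders two constructed attacker strings without and with context-aware escaping, and shows why the input-side half alone does not close the hole: an alt text that contains no tag at all still breaks out of its attribute. The `esc`, `sanitize_text` and `render_*` functions are invented for the demo; WordPress's `esc_html()`/`esc_attr()` play the role of `esc()` and `sanitize_text_field()` roughly corresponds to `sanitize_text()` (PHP 8).

```php
<?php
// Added example; not code from Zoomify embed for WP, OceanWP, Astra or FIFU.
// Both stored strings below are constructed attacker input.
declare(strict_types=1);

// Output escaping for HTML text content and double-quoted attribute values.
// Other sinks (URLs, inline JS, unquoted attributes) need their own escaper.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input filtering: removes tags and control characters. A data-cleaning
// step, not an output contract; it does not know where the value will land.
function sanitize_text(string $s): string
{
    $s = strip_tags($s);
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s) ?? '';
    return trim($s);
}

function render_vulnerable(string $displayName, string $alt): string
{
    return '<span class="author">' . $displayName . '</span>'
         . '<img src="/wp-content/uploads/a.png" alt="' . $alt . '">';
}

function render_hardened(string $displayName, string $alt): string
{
    return '<span class="author">' . esc($displayName) . '</span>'
         . '<img src="/wp-content/uploads/a.png" alt="' . esc($alt) . '">';
}

function check(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . PHP_EOL;
}

$name = '<script>alert(document.cookie)</script>';   // constructed: stored display name
$alt  = '" onerror="alert(1)';                        // constructed: stored alt text

$raw = render_vulnerable($name, $alt);
check('unescaped output contains a live script tag',
      str_contains($raw, '<script>'));
check('unescaped output lets the alt text add an event handler',
      str_contains($raw, 'alt="" onerror="alert(1)"'));

$cleanedOnly = render_vulnerable(sanitize_text($name), sanitize_text($alt));
check('sanitizing removed the script tag',
      !str_contains($cleanedOnly, '<script>'));
check('but sanitizing alone did not stop the attribute breakout',
      str_contains($cleanedOnly, 'onerror="alert(1)"'));

$escapedOnly = render_hardened($name, $alt);
check('escaping alone neutralises the script tag',
      str_contains($escapedOnly, '&lt;script&gt;'));
check('escaping alone keeps the alt text inside its attribute',
      str_contains($escapedOnly, 'alt="&quot; onerror=&quot;alert(1)"'));

$both = render_hardened(sanitize_text($name), sanitize_text($alt));
check('sanitize on input plus escape on output: no handler survives',
      !str_contains($both, 'onerror="'));
```

The ordering of the checks is the point: `strip_tags()` is satisfied by the second payload, and a plugin that sanitizes on save and then echoes the stored value into an attribute has exactly the bug these advisories describe. Escaping at the sink, chosen for that sink, is the control that closes it; sanitizing on input is worth keeping only as a second layer.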