Search Results (37315 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-13309 1 Wordpress 1 Wordpress 2026-04-21 4.3 Medium
The Accessiy By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers with subscriber-level access and above to modify the plugin’s global accessibility settings.
CVE-2025-13358 1 Wordpress 1 Wordpress 2026-04-21 5.3 Medium
The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.
CVE-2026-34717 2 Openproject, Opf 2 Openproject, Openproject 2026-04-21 9.9 Critical
OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.
CVE-2025-13314 3 Markutos987, Woocommerce, Wordpress 3 Product Filtering For Woocommerce, Woocommerce, Wordpress 2026-04-21 5.3 Medium
The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options.
CVE-2025-12655 2 Hippooo, Wordpress 2 Hippoo Mobile App For Woocommerce, Wordpress 2026-04-21 5.3 Medium
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.
CVE-2025-14169 3 Funnelkit, Woocommerce, Wordpress 4 Funnel Builder, Funnelkit Checkout, Woocommerce and 1 more 2026-04-21 7.5 High
The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-13089 2 Listingthemes, Wordpress 2 Wpdirectory Kit, Wordpress 2026-04-21 7.5 High
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'hide_fields' and the 'attr_search' parameter in all versions up to, and including, 1.4.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-14050 1 Wordpress 1 Wordpress 2026-04-21 4.9 Medium
The Design Import/Export plugin for WordPress is vulnerable to SQL Injection via XML File Import in all versions up to, and including, 2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-12362 3 Mycred, Saadiqbal, Wordpress 3 Mycred, Mycred, Wordpress 2026-04-21 5.3 Medium
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to approve withdrawal requests, modify user point balances, and manipulate the payment processing system via the cashcred_pay_now AJAX action.
CVE-2025-13126 1 Wordpress 1 Wordpress 2026-04-21 7.5 High
The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-13956 2 Thimpress, Wordpress 2 Learnpress, Wordpress 2026-04-21 5.3 Medium
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts
CVE-2025-11991 1 Wordpress 1 Wordpress 2026-04-21 5.3 Medium
The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.
CVE-2025-13498 2 Codename065, Wordpress 2 Download Manager Plugin, Wordpress 2026-04-21 4.3 Medium
The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted files.
CVE-2025-12898 2 Lbell, Wordpress 2 Pretty Google Calendar, Wordpress 2026-04-21 5.3 Medium
The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.
CVE-2025-12980 3 Post Grid Team By Wpxpo, Wordpress, Wpxpo 4 Postx-gutenberg Blocks For Post Grid, Wordpress, Postx and 1 more 2026-04-21 7.5 High
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes.
CVE-2025-9294 2 Expresstech, Wordpress 2 Quiz And Survey Master, Wordpress 2026-04-21 4.3 Medium
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.
CVE-2025-13529 1 Wordpress 1 Wordpress 2026-04-21 5.3 Medium
The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter.
CVE-2025-13493 1 Wordpress 1 Wordpress 2026-04-21 7.5 High
The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter.
CVE-2025-13496 1 Wordpress 1 Wordpress 2026-04-21 5.3 Medium
The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value.
CVE-2025-15058 2 Spwebguy, Wordpress 2 Responsive Pricing Table, Wordpress 2026-04-21 6.4 Medium
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.