Total: 90892 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-8082 | 1 Justintadlock | 1 Widgets Reset | 2025-06-12 | N/A | 4.3 MEDIUM | The Widgets Reset WordPress plugin through 0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2024-8050 | 1 Jfarthing | 1 Custom Author Base | 2025-06-12 | N/A | 4.3 MEDIUM | The Custom Author Base WordPress plugin through 1.1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2024-8032 | 1 Ulfbenjaminsson | 1 Smooth Gallery Replacement | 2025-06-12 | N/A | 6.1 MEDIUM | The Smooth Gallery Replacement WordPress plugin through 1.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-8031 | 1 Wpbookingcalendar | 1 Secure Downloads | 2025-06-12 | N/A | 6.5 MEDIUM | The Secure Downloads WordPress plugin before 1.2.3 does not properly restrict which files can be downloaded. This makes it possible for authenticated attackers, with admin-level access and above, to download arbitrary files that may contain sensitive information like wp-config.php.
CVE-2022-4363 | 1 Cedcommerce | 2 Wholesale Market, Wholesale Market For Woocommerce | 2025-06-12 | N/A | 6.5 MEDIUM | The Wholesale Market WordPress plugin before 2.2.2 and the Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged in admin update them via a CSRF attack.
CVE-2025-43926 | 1 Znuny | 1 Znuny | 2025-06-12 | N/A | 6.1 MEDIUM | An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.
CVE-2024-9236 | 1 Radiustheme | 1 Team - Wordpress Team Members Showcase | 2025-06-12 | N/A | 4.8 MEDIUM | The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2025-47786 | 1 Emlog | 1 Emlog | 2025-06-12 | N/A | 4.8 MEDIUM | Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not validated and is directly stored in the `admin_commend_perpage_num` field of the `emlog_options` table in the database. Moreover, the output is not filtered, resulting in the direct output of malicious code. As of time of publication, it is unclear if a patch exists.
CVE-2025-2203 | 1 Funnelkit | 1 Funnel Builder | 2025-06-12 | N/A | 6.1 MEDIUM | The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
CVE-2025-1454 | 1 Ninja Pages Project | 1 Ninja Pages | 2025-06-12 | N/A | 5.4 MEDIUM | The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2025-1288 | 1 Bulktheme | 1 Wooexim | 2025-06-12 | N/A | 6.1 MEDIUM | The WOOEXIM WordPress plugin through 5.0.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack.
CVE-2025-1286 | 1 Sfarbota | 1 Download Html Tinymce Button | 2025-06-12 | N/A | 6.1 MEDIUM | The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-9182 | 1 Wpmaspik | 1 Maspik | 2025-06-12 | N/A | 4.8 MEDIUM | The Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
CVE-2025-1033 | 1 Danielpowney | 1 Badgearoo | 2025-06-12 | N/A | 4.8 MEDIUM | The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2025-0329 | 1 Quantumcloud | 1 Wpbot | 2025-06-12 | N/A | 4.8 MEDIUM | The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-9882 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-06-12 | N/A | 4.8 MEDIUM | The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-9879 | 1 Melapress | 1 Melapress File Monitor | 2025-06-12 | N/A | 5.4 MEDIUM | The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
CVE-2024-9838 | 1 Flamescorpion | 1 Auto Affiliate Links | 2025-06-12 | N/A | 5.4 MEDIUM | The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
CVE-2024-8759 | 1 Kylephillips | 1 Nested Pages | 2025-06-12 | N/A | 4.8 MEDIUM | The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-9663 | 1 Toolstack | 1 Cyan Backup | 2025-06-12 | N/A | 5.4 MEDIUM | The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).