VYPR
Vendor

WordPress

WordPress is a web content management system. It was originally created as a tool to publish blogs but has evolved to support publishing other web content, including more traditional websites, mailing lists, Internet forums, media galleries, membership sites, learning management systems, and online stores. Available as free and open-source software, WordPress is among the most popular content management systems – it was used by 22.52% of the top one million websites as of December 2024.

Founded 2003
Products
18,244
CVEs
32,703
Across products
1,604
Status
Private

Products

18,244
View all 18,244 products →

Recent CVEs

32,703
View all 32,703 CVEs →
  • CVE-2020-25213CriKEVSep 9, 2020
    risk 0.81cvss 10.0epss 0.97

    The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder…

  • CVE-2016-10033CriKEVDec 30, 2016
    risk 0.80cvss 9.8epss 1.00

    The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

  • CVE-2026-48907CriKEVJun 5, 2026
    risk 0.77cvss epss 0.80

    A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

  • CVE-2026-48172CriKEVMay 21, 2026
    risk 0.76cvss 9.8epss 0.19

    LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash.…

  • CVE-2020-24186CriAug 24, 2020
    risk 0.76cvss 10.0epss 0.95

    A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.

  • CVE-2024-25600CriJun 4, 2024
    risk 0.75cvss 10.0epss 0.87

    Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection.This issue affects Bricks Builder: from n/a through 1.9.6.

  • CVE-2024-27956CriMar 21, 2024
    risk 0.75cvss 9.9epss 0.94

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0.

  • CVE-2023-6553CriDec 15, 2023
    risk 0.75cvss 9.8epss 0.98

    The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that…

  • CVE-2024-5932CriAug 20, 2024
    risk 0.74cvss 10.0epss 0.74

    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated…

  • CVE-2024-1071CriMar 13, 2024
    risk 0.74cvss 9.8epss 0.89

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied…

  • CVE-2023-28121CriApr 12, 2023
    risk 0.74cvss 9.8epss 0.87

    An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the…

  • CVE-2021-24762CriFeb 1, 2022
    risk 0.74cvss 9.8epss 0.87

    The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.

  • CVE-2020-11530CriMay 8, 2020
    risk 0.74cvss 9.8epss 0.96

    A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.

  • CVE-2020-8772CriFeb 6, 2020
    risk 0.74cvss 9.8epss 0.88

    The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in.

  • CVE-2019-20361CriJan 8, 2020
    risk 0.74cvss 9.8epss 0.85

    There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

  • CVE-2018-19207CriNov 12, 2018
    risk 0.74cvss 9.8epss 0.87

    The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.

  • CVE-2018-3810CriJan 1, 2018
    risk 0.74cvss 9.8epss 0.91

    Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The…

  • CVE-2025-2294CriMar 28, 2025
    risk 0.73cvss 9.8epss 0.77

    The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the…

  • CVE-2024-44000CriOct 20, 2024
    risk 0.73cvss 9.8epss 0.83

    Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a through < 6.5.0.1.

  • CVE-2023-5360CriOct 31, 2023
    risk 0.73cvss 9.8epss 0.82

    The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.