VYPR

Vendor CVEs

WordPress

All CVEs

33,184 total · sorted by risk
  • CVE-2024-12827CriJun 27, 2025
    risk 0.64cvss 9.8epss 0.00

    The DWT - Directory & Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user's password…

  • CVE-2025-49330CriJun 17, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin cf7-zoho allows Object Injection.This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through <= 1.3.0.

  • CVE-2025-47559CriJun 17, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through < 8.7.4.

  • CVE-2025-47452CriJun 17, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR wpvr allows Upload a Web Shell to a Web Server.This issue affects WP VR: from n/a through <= 8.5.26.

  • CVE-2025-31919CriJun 17, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in themeton Spare allows Object Injection. This issue affects Spare: from n/a through 1.7.

  • CVE-2025-30618CriJun 17, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce rapyd-payments allows Object Injection.This issue affects Rapyd Payment Extension for WooCommerce: from n/a through <= 1.2.0.

  • CVE-2025-5288CriJun 13, 2025
    risk 0.64cvss 9.8epss 0.01

    The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated…

  • CVE-2025-4973CriJun 12, 2025
    risk 0.64cvss 9.8epss 0.00

    The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user's identity prior to logging them in when…

  • CVE-2025-49507CriJun 10, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in LoftOcean CozyStay cozystay allows Object Injection.This issue affects CozyStay: from n/a through < 1.7.1.

  • CVE-2025-48140CriJun 9, 2025
    risk 0.64cvss 9.9epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI metalpriceapi allows Code Injection.This issue affects MetalpriceAPI: from n/a through <= 1.1.4.

  • CVE-2025-48129CriJun 9, 2025
    risk 0.64cvss 9.8epss 0.00

    Incorrect Privilege Assignment vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows Privilege Escalation.This issue affects Spreadsheet Price Changer for…

  • CVE-2025-47608CriJun 9, 2025
    risk 0.64cvss 9.3epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce recover-wc-abandoned-cart allows SQL Injection.This issue affects Recover abandoned cart for WooCommerce: from n/a through <=…

  • CVE-2025-31429CriJun 9, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in themeton PressGrid - Frontend Publish Reaction & Multimedia Theme allows Object Injection. This issue affects PressGrid - Frontend Publish Reaction & Multimedia Theme: from n/a through 1.3.1.

  • CVE-2025-31398CriJun 9, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in themeton PIMP - Creative MultiPurpose allows Object Injection. This issue affects PIMP - Creative MultiPurpose: from n/a through 1.7.

  • CVE-2025-31396CriJun 9, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.

  • CVE-2025-31052CriJun 9, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in themeton The Fashion - Model Agency One Page Beauty Theme nrgfashion allows Object Injection.This issue affects The Fashion - Model Agency One Page Beauty Theme: from n/a through <= 1.4.4.

  • CVE-2025-31022CriJun 9, 2025
    risk 0.64cvss 9.8epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in PayU India PayU India payu-india allows Authentication Abuse.This issue affects PayU India: from n/a through < 3.8.8.

  • CVE-2025-49073CriJun 6, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in axiomthemes Sweet Dessert sweet-dessert allows Object Injection.This issue affects Sweet Dessert: from n/a through < 1.1.13.

  • CVE-2025-49072CriJun 6, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy mr-murphy allows Object Injection.This issue affects Mr. Murphy: from n/a through < 1.2.12.1.

  • CVE-2025-5486CriJun 6, 2025
    risk 0.64cvss 9.8epss 0.00

    The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. This makes it possible for unauthenticated attackers to enable debugging and send all emails to an…

  • CVE-2025-4578CriJun 4, 2025
    risk 0.64cvss 9.8epss 0.00

    The File Provider WordPress plugin through 1.2.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

  • CVE-2025-4797CriJun 3, 2025
    risk 0.64cvss 9.8epss 0.00

    The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie.…

  • CVE-2025-4631CriMay 31, 2025
    risk 0.64cvss 9.8epss 0.01

    The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. This makes it possible to trigger the save_object_as_user() function for objects whose '_datatype' is set…

  • CVE-2025-4607CriMay 31, 2025
    risk 0.64cvss 9.8epss 0.00

    The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. This is due to the use of a weak, low-entropy OTP mechanism in the forget() function. This makes…

  • CVE-2025-48336CriMay 29, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection.This issue affects Course Builder: from n/a through < 3.6.6.

  • CVE-2025-48289CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in AncoraThemes Kids Planet kidsplanet allows Object Injection.This issue affects Kids Planet: from n/a through <= 2.2.14.

  • CVE-2025-48287CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve wc-pagaleve allows Object Injection.This issue affects Pix 4x sem juros - Pagaleve: from n/a through <= 1.6.9.

  • CVE-2025-47663CriMay 23, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server. This issue affects Hospital Management System: from 47.0(20 through 11.

  • CVE-2025-47658CriMay 23, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Upload a Web Shell to a Web Server.This issue affects ELEX WordPress HelpDesk & Customer…

  • CVE-2025-47568CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds dzs-zoomsounds allows Object Injection.This issue affects ZoomSounds: from n/a through <= 6.91.

  • CVE-2025-47532CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce coinpayments-payment-gateway-for-woocommerce allows Object Injection.This issue affects CoinPayments.net Payment Gateway for WooCommerce: from n/a through <= 1.0.17.

  • CVE-2025-47530CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in WPFunnels WPFunnels wpfunnels allows Object Injection.This issue affects WPFunnels: from n/a through <= 3.5.18.

  • CVE-2025-46490CriMay 23, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles crossword-compiler-puzzles allows Upload a Web Shell to a Web Server.This issue affects Crossword Compiler Puzzles: from n/a through <= 5.2.

  • CVE-2025-46468CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable Extra fable-extra allows PHP Local File Inclusion.This issue affects Fable Extra: from n/a through <= 1.0.6.

  • CVE-2025-39503CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel gdlr-hotel allows Object Injection.This issue affects Goodlayers Hotel: from n/a through <= 3.1.4.

  • CVE-2025-39500CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hostel gdlr-hostel allows Object Injection.This issue affects Goodlayers Hostel: from n/a through <= 3.1.2.

  • CVE-2025-39499CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in BoldThemes Medicare medicare allows Object Injection.This issue affects Medicare: from n/a through <= 2.1.0.

  • CVE-2025-39495CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in BoldThemes Avantage avantage allows Object Injection.This issue affects Avantage: from n/a through <= 2.4.9.

  • CVE-2025-39489CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.00

    Incorrect Privilege Assignment vulnerability in pebas CouponXL couponxl allows Privilege Escalation.This issue affects CouponXL: from n/a through <= 4.5.0.

  • CVE-2025-39485CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour grandtour allows Object Injection.This issue affects Grand Tour: from n/a through <= 5.6.

  • CVE-2025-39480CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in ThemeMakers Car Dealer cardealer allows Object Injection.This issue affects Car Dealer: from n/a through < 1.6.8.

  • CVE-2025-32292CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress jarvis allows Object Injection.This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through <= 1.8.11.

  • CVE-2025-31927CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5.

  • CVE-2025-31918CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.00

    Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Privilege Escalation.This issue affects Simple Business Directory Pro: from n/a through < 15.6.9.

  • CVE-2025-31631CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in AncoraThemes Fish House fish-house allows Object Injection.This issue affects Fish House: from n/a through <= 1.2.7.

  • CVE-2025-31430CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in themeton The Business allows Object Injection. This issue affects The Business: from n/a through 1.6.1.

  • CVE-2025-31423CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in AncoraThemes Umberto umberto allows Object Injection.This issue affects Umberto: from n/a through <= 1.2.8.

  • CVE-2025-31069CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in themeton HotStar – Multi-Purpose Business Theme allows Object Injection. This issue affects HotStar – Multi-Purpose Business Theme: from n/a through 1.4.

  • CVE-2025-31049CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3.

  • CVE-2025-48340CriMay 19, 2025
    risk 0.64cvss 9.8epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through <= 1.02.

Page 15 of 664