VYPR

Vendor CVEs

WordPress

All CVEs

33,184 total · sorted by risk
  • CVE-2025-26900CriFeb 25, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX flexmls-idx allows Object Injection.This issue affects Flexmls® IDX: from n/a through <= 3.14.27.

  • CVE-2025-26763CriFeb 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider ml-slider allows Object Injection.This issue affects Responsive Slider by MetaSlider: from n/a through <= 3.94.0.

  • CVE-2024-56000CriFeb 18, 2025
    risk 0.64cvss 9.8epss 0.01

    Incorrect Privilege Assignment vulnerability in SeventhQueen K Elements k-elements allows Privilege Escalation.This issue affects K Elements: from n/a through < 5.4.0.

  • CVE-2024-12860CriFeb 18, 2025
    risk 0.64cvss 9.8epss 0.00

    The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This…

  • CVE-2024-12562CriFeb 15, 2025
    risk 0.64cvss 9.8epss 0.01

    The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op' vulnerable parameter. This makes it possible for unauthenticated attackers to inject…

  • CVE-2024-13513CriFeb 15, 2025
    risk 0.64cvss 9.8epss 0.01

    The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data…

  • CVE-2025-22630CriFeb 14, 2025
    risk 0.64cvss 9.9epss 0.01

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing Fire Widget Options widget-options allows OS Command Injection.This issue affects Widget Options: from n/a through <= 4.1.0.

  • CVE-2024-13182CriFeb 13, 2025
    risk 0.64cvss 9.8epss 0.01

    The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated attackers to log in as any…

  • CVE-2024-10763CriFeb 13, 2025
    risk 0.64cvss 9.8epss 0.04

    The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server,…

  • CVE-2024-12213CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.3.16. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an…

  • CVE-2024-13421CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated…

  • CVE-2022-3180CriFeb 11, 2025
    risk 0.64cvss 9.8epss 0.09

    The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.

  • CVE-2025-0181CriFeb 11, 2025
    risk 0.64cvss 9.8epss 0.01

    The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.8. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie.…

  • CVE-2025-0180CriFeb 11, 2025
    risk 0.64cvss 9.8epss 0.01

    The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.7. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated…

  • CVE-2024-13011CriFeb 10, 2025
    risk 0.64cvss 9.8epss 0.01

    The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload…

  • CVE-2025-0316CriFeb 8, 2025
    risk 0.64cvss 9.8epss 0.01

    The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated…

  • CVE-2025-1061CriFeb 7, 2025
    risk 0.64cvss 9.8epss 0.01

    The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it…

  • CVE-2025-24677CriFeb 4, 2025
    risk 0.64cvss 9.9epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in wpspin Post/Page Copying Tool postpage-import-export-with-custom-fields-taxonomies allows Remote Code Inclusion.This issue affects Post/Page Copying Tool: from n/a through <= 2.0.3.

  • CVE-2025-0493CriJan 31, 2025
    risk 0.64cvss 9.8epss 0.01

    The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to…

  • CVE-2024-13742CriJan 30, 2025
    risk 0.64cvss 9.8epss 0.01

    The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to…

  • CVE-2024-12822CriJan 30, 2025
    risk 0.64cvss 9.8epss 0.01

    The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the add_capto_img() function in all versions up to, and including, 3.11.0. This makes it possible for…

  • CVE-2024-13448CriJan 28, 2025
    risk 0.64cvss 9.8epss 0.01

    The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload…

  • CVE-2025-24671CriJan 27, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in Pdfcrowd Dev Team Save as PDF save-as-pdf-by-pdfcrowd allows Object Injection.This issue affects Save as PDF: from n/a through <= 4.4.0.

  • CVE-2025-24601CriJan 27, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in ThimPress FundPress fundpress allows Object Injection.This issue affects FundPress: from n/a through <= 2.0.6.

  • CVE-2025-0357CriJan 25, 2025
    risk 0.64cvss 9.8epss 0.01

    The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to…

  • CVE-2024-13545CriJan 24, 2025
    risk 0.64cvss 9.8epss 0.01

    The Bootstrap Ultimate theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.9 via the path parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in…

  • CVE-2025-23914CriJan 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in muzaara Muzaara Google Ads Report muzaara-adwords-optimize-dashboard allows Object Injection.This issue affects Muzaara Google Ads Report: from n/a through <= 3.1.

  • CVE-2025-23932CriJan 22, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in Marko-M Quick Count quick-count allows Object Injection.This issue affects Quick Count: from n/a through <= 3.00.

  • CVE-2025-23918CriJan 22, 2025
    risk 0.64cvss 9.9epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in Enrico Sandoli Smallerik File Browser smallerik-file-browser allows Upload a Web Shell to a Web Server.This issue affects Smallerik File Browser: from n/a through <= 1.1.

  • CVE-2024-12857CriJan 22, 2025
    risk 0.64cvss 9.8epss 0.01

    The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to…

  • CVE-2024-13091CriJan 22, 2025
    risk 0.64cvss 9.8epss 0.01

    The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. This makes it possible for unauthenticated attackers to upload…

  • CVE-2024-51888CriJan 21, 2025
    risk 0.64cvss 9.8epss 0.00

    Incorrect Privilege Assignment vulnerability in favethemes Homey Login Register homey-login-register allows Privilege Escalation.This issue affects Homey Login Register: from n/a through <= 2.4.0.

  • CVE-2024-49688CriJan 21, 2025
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in reputeinfosystems ARPrice arprice allows Object Injection.This issue affects ARPrice: from n/a through <= 4.1.3.

  • CVE-2024-32555CriJan 21, 2025
    risk 0.64cvss 9.8epss 0.01

    Incorrect Privilege Assignment vulnerability in InspiryThemes Easy Real Estate easy-real-estate allows Privilege Escalation.This issue affects Easy Real Estate: from n/a through <= 2.2.9.

  • CVE-2024-13375CriJan 18, 2025
    risk 0.64cvss 9.8epss 0.01

    The Adifier System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.1.7. This is due to the plugin not properly validating a user's identity prior to updating their details like password through the…

  • CVE-2025-23797CriJan 16, 2025
    risk 0.64cvss 9.8epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Mike Selander WP Options Editor wp-options-editor allows Privilege Escalation.This issue affects WP Options Editor: from n/a through <= 1.1.

  • CVE-2025-22782CriJan 15, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce wr-price-list-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects WR Price List Manager For Woocommerce: from n/a through <= 1.0.8.

  • CVE-2025-22777CriJan 13, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give allows Object Injection.This issue affects GiveWP: from n/a through <= 3.19.3.

  • CVE-2024-10215CriJan 9, 2025
    risk 0.64cvss 9.8epss 0.01

    The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it…

  • CVE-2024-11642CriJan 9, 2025
    risk 0.64cvss 9.8epss 0.01

    The Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.4.12 via the 'locate_template'…

  • CVE-2024-11350CriJan 8, 2025
    risk 0.64cvss 9.8epss 0.01

    The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly validating a user's identity prior to updating their password through the adforest_reset_password()…

  • CVE-2024-11635CriJan 8, 2025
    risk 0.64cvss 9.8epss 0.01

    The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.

  • CVE-2024-49649CriJan 7, 2025
    risk 0.64cvss 9.8epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.

  • CVE-2024-49222CriJan 7, 2025
    risk 0.64cvss 9.8epss 0.01

    Deserialization of Untrusted Data vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Object Injection.This issue affects WPGuppy: from n/a through <= 1.1.0.

  • CVE-2024-8855CriJan 7, 2025
    risk 0.64cvss 9.8epss 0.01

    The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing editors and above to perform SQL injection attacks

  • CVE-2024-12470CriJan 7, 2025
    risk 0.64cvss 9.8epss 0.01

    The School Management System – SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. This is due to the registration function not properly limiting what roles a user can register as. This makes it possible for…

  • CVE-2024-12264CriJan 7, 2025
    risk 0.64cvss 9.8epss 0.01

    The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's…

  • CVE-2024-12252CriJan 7, 2025
    risk 0.64cvss 9.8epss 0.03

    The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to overwrite the…

  • CVE-2024-56066CriDec 31, 2024
    risk 0.64cvss 9.8epss 0.01

    Missing Authorization vulnerability in inspry Agency Toolkit agency-toolkit allows Privilege Escalation.This issue affects Agency Toolkit: from n/a through <= 1.0.23.

  • CVE-2024-56044CriDec 31, 2024
    risk 0.64cvss 9.8epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in VibeThemes WPLMS wplms_plugin allows Authentication Bypass.This issue affects WPLMS: from n/a through <= 1.9.9.

Page 18 of 664