VYPR

Vendor CVEs

WordPress

All CVEs

32,708 total · sorted by risk
  • CVE-2018-7315CriFeb 22, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Ek Rishta 2.9 component for Joomla! via the gender, age1, age2, religion, mothertounge, caste, or country parameter.

  • CVE-2018-7312CriFeb 22, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Alexandria Book Library 3.1.2 component for Joomla! via the letter parameter.

  • CVE-2018-7180CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! via the publicid parameter.

  • CVE-2018-7177CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Saxum Numerology 3.0.4 component for Joomla! via the publicid parameter.

  • CVE-2018-6584CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.04

    SQL Injection exists in the DT Register 3.2.7 component for Joomla! via a task=edit&id= request.

  • CVE-2018-6373CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.02

    SQL Injection exists in the Fastball 2.5 component for Joomla! via the season parameter in a view=player action.

  • CVE-2018-6372CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the JB Bus 2.3 component for Joomla! via the order_number parameter.

  • CVE-2018-6005CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Realpin through 1.5.04 component for Joomla! via the pinboard parameter.

  • CVE-2018-6004CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the File Download Tracker 3.0 component for Joomla! via the dynfield[phone] or sess parameter.

  • CVE-2018-5991CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via the id, from, or to parameter in a view=stats request, a different vulnerability than CVE-2015-2798.

  • CVE-2018-5983CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the JquickContact 1.3.2.2.1 component for Joomla! via a task=refresh&sid= request.

  • CVE-2018-5982CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Advertisement Board 3.1.0 component for Joomla! via a task=show_rss_categories&catname= request.

  • CVE-2018-5981CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via the tag_id parameter or gallery_id parameter.

  • CVE-2018-5980CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.04

    SQL Injection exists in the Solidres 2.5.1 component for Joomla! via the direction parameter in a hub.search action.

  • CVE-2018-5974CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! via the catid array parameter.

  • CVE-2018-5971CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the MediaLibrary Free 4.0.12 component for Joomla! via the id parameter or the mid array parameter.

  • CVE-2018-6604CriFeb 5, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Zh YandexMap 6.2.1.0 component for Joomla! via the id parameter in a task=getPlacemarkDetails request.

  • CVE-2018-6582CriFeb 5, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.

  • CVE-2018-6581CriFeb 2, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the JMS Music 1.1.1 component for Joomla! via a search with the keyword, artist, or username parameter.

  • CVE-2018-6579CriFeb 2, 2018
    risk 0.67cvss 9.8epss 0.04

    SQL Injection exists in the JEXTN Reverse Auction 3.1.0 component for Joomla! via a view=products&uid= request.

  • CVE-2018-6578CriFeb 2, 2018
    risk 0.67cvss 9.8epss 0.04

    SQL Injection exists in the JE PayperVideo 3.0.0 component for Joomla! via the usr_plan parameter in a view=myplans&task=myplans.usersubscriptions request.

  • CVE-2018-6577CriFeb 2, 2018
    risk 0.67cvss 9.8epss 0.02

    SQL Injection exists in the JEXTN Membership 3.1.0 component for Joomla! via the usr_plan parameter in a view=myplans&task=myplans.usersubscriptions request.

  • CVE-2018-6398CriJan 30, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the CP Event Calendar 3.0.1 component for Joomla! via the id parameter in a task=load action.

  • CVE-2018-6395CriJan 30, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! via the id parameter in a view=load action.

  • CVE-2018-5315CriJan 12, 2018
    risk 0.67cvss 9.8epss 0.05

    The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection via the event_id parameter to event.php.

  • CVE-2017-15977CriOct 31, 2017
    risk 0.67cvss 9.8epss 0.03

    Protected Links - Expiring Download Links 1.0 allows SQL Injection via the username parameter.

  • CVE-2017-14507CriSep 29, 2017
    risk 0.67cvss 9.8epss 0.05

    Multiple SQL injection vulnerabilities in the Content Timeline plugin 4.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) timeline parameter in content_timeline_class.php; or the id parameter to (2) pages/content_timeline_edit.php or (3)…

  • CVE-2015-3313CriSep 7, 2017
    risk 0.67cvss 9.8epss 0.08

    SQL injection vulnerability in WordPress Community Events plugin before 1.4.

  • CVE-2017-9834CriSep 7, 2017
    risk 0.67cvss 9.8epss 0.04

    SQL injection vulnerability in the WatuPRO plugin before 5.5.3.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the watupro_questions parameter in a watupro_submit action to wp-admin/admin-ajax.php.

  • CVE-2017-6095CriFeb 21, 2017
    risk 0.67cvss 9.8epss 0.06

    A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (Unauthenticated) with the GET Parameter: list_id.

  • CVE-2016-1000125CriOct 6, 2016
    risk 0.67cvss 9.8epss 0.03

    Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla

  • CVE-2016-1000124CriOct 6, 2016
    risk 0.67cvss 9.8epss 0.03

    Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6

  • CVE-2026-1306CriFeb 14, 2026
    risk 0.66cvss 9.8epss 0.04

    The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary…

  • CVE-2025-13486CriDec 3, 2025
    risk 0.66cvss 9.8epss 0.74

    The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes…

  • CVE-2025-11749CriNov 5, 2025
    risk 0.66cvss 9.8epss 0.75

    The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated…

  • CVE-2025-6440CriOct 24, 2025
    risk 0.66cvss 9.8epss 0.32

    The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and…

  • CVE-2025-48148CriAug 20, 2025
    risk 0.66cvss 10.0epss 0.15

    Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Using Malicious Files.This issue affects StoreKeeper for WooCommerce: from n/a through <= 14.4.4.

  • CVE-2025-47539CriMay 23, 2025
    risk 0.66cvss 9.8epss 0.31

    Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through <= 4.0.26.

  • CVE-2024-56064CriDec 31, 2024
    risk 0.66cvss 10.0epss 0.14

    Unrestricted Upload of File with Dangerous Type vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Upload a Web Shell to a Web Server.This issue affects WP SuperBackup: from n/a through <= 2.3.3.

  • CVE-2024-10924CriNov 15, 2024
    risk 0.66cvss 9.8epss 0.82

    The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user'…

  • CVE-2024-10470CriNov 9, 2024
    risk 0.66cvss 9.8epss 0.34

    The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including,…

  • CVE-2024-8522CriSep 12, 2024
    risk 0.66cvss 10.0epss 0.63

    The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied…

  • CVE-2024-6386CriAug 21, 2024
    risk 0.66cvss 9.9epss 0.26

    The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated…

  • CVE-2024-5765CriJul 30, 2024
    risk 0.66cvss 9.8epss 0.27

    The WpStickyBar WordPress plugin through 2.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

  • CVE-2024-27954CriMay 17, 2024
    risk 0.66cvss 9.3epss 0.73

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal, Server Side Request Forgery.This issue affects Automatic: from n/a through 3.92.0.

  • CVE-2023-1650CriMay 8, 2023
    risk 0.66cvss 9.8epss 0.34

    The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog

  • CVE-2022-1281CriMay 2, 2022
    risk 0.66cvss 9.8epss 0.23

    The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.

  • CVE-2022-1020CriApr 18, 2022
    risk 0.66cvss 9.8epss 0.27

    The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback…

  • CVE-2022-0349CriMar 7, 2022
    risk 0.66cvss 9.8epss 0.34

    The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection

  • CVE-2022-0651CriFeb 24, 2022
    risk 0.66cvss 9.8epss 0.33

    The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL…

Page 4 of 655