Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,707
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,461 - 11,480 of 14,221 CVEs
CVE-2025-14076 MEDIUM - 6.1

The iXML – Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attac...

Vendor: icount
Product: iXML – Google XML sitemap generator
Published: Feb 19, 2026
Source: NVD
CVE-2025-13930 MEDIUM - 5.3

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with flawed guest order owners...

Vendor: quadlayers
Product: Checkout Field Manager (Checkout Manager) for WooCommerce
Published: Feb 19, 2026
Source: NVD
CVE-2025-13864 MEDIUM - 5.3

The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` an...

Vendor: cloudways
Product: Breeze Cache
Published: Feb 19, 2026
Source: NVD
CVE-2025-13842 MEDIUM - 5.3

The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/bread...

Vendor: mtekk
Product: Breadcrumb NavXT
Published: Feb 19, 2026
Source: NVD
CVE-2025-13738 MEDIUM - 6.4

The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authen...

Vendor: magazine3
Product: Easy Table of Contents
Published: Feb 19, 2026
Source: NVD
CVE-2025-13732 MEDIUM - 6.4

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient i...

Vendor: clavaque
Product: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
Published: Feb 19, 2026
Source: NVD
CVE-2025-13617 MEDIUM - 6.4

The Apollo13 Framework Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘a13_alt_link’ parameter in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contri...

Vendor: apollo13themes
Product: Apollo13 Framework Extensions
Published: Feb 19, 2026
Source: NVD
CVE-2025-13612 MEDIUM - 6.4

The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `aigpl-gallery-album` shortcode in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This m...

Vendor: essentialplugin
Product: Album and Image Gallery Plus Lightbox
Published: Feb 19, 2026
Source: NVD
CVE-2025-13587 MEDIUM - 6.5

The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login() method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, ...

Vendor: ss88_uk
Product: Two Factor (2FA) Authentication via Email
Published: Feb 19, 2026
Source: NVD
CVE-2025-13438 MEDIUM - 4.3

The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. This makes it possible for unauthentic...

Vendor: dienodigital
Product: Page Title, Description & Open Graph Updater
Published: Feb 19, 2026
Source: NVD
CVE-2025-13413 MEDIUM - 4.3

The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFA_guardar_cbfa() function. This makes it possible for unauthenticated attackers to update the plugin's se...

Vendor: soyrodriguez
Product: Country Blocker for AdSense
Published: Feb 19, 2026
Source: NVD
CVE-2025-13113 MEDIUM - 5.3

The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without ...

Vendor: accessibewp
Product: Web Accessibility by accessiBe
Published: Feb 19, 2026
Source: NVD
CVE-2025-13091 MEDIUM - 4.3

The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above...

Vendor: wpfable
Product: Shopire
Published: Feb 19, 2026
Source: NVD
CVE-2025-13079 MEDIUM - 5.3

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it possible...

Vendor: popupbuilder
Product: Popup Builder – Create highly converting, mobile friendly marketing popups.
Published: Feb 19, 2026
Source: NVD
CVE-2025-13048 MEDIUM - 6.4

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

Vendor: statcounter
Product: StatCounter – Free Real Time Visitor Stats
Published: Feb 19, 2026
Source: NVD
CVE-2025-12884 MEDIUM - 4.3

The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it po...

Vendor: monetizemore
Product: Advanced Ads – Ad Manager & AdSense
Published: Feb 19, 2026
Source: NVD
CVE-2025-12500 MEDIUM - 5.3

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "...

Vendor: quadlayers
Product: Checkout Field Manager (Checkout Manager) for WooCommerce
Published: Feb 19, 2026
Source: NVD
CVE-2025-12451 MEDIUM - 6.1

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to...

Vendor: benjamin_zekavica
Product: Easy SVG Support
Published: Feb 19, 2026
Source: NVD
CVE-2025-12448 MEDIUM - 6.4

The Smartsupp – live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authen...

Vendor: smartsupp
Product: Smartsupp – live chat, AI shopping assistant and chatbots
Published: Feb 19, 2026
Source: NVD
CVE-2025-12375 MEDIUM - 6.4

The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url(...

Vendor: printful
Product: Printful Integration for WooCommerce
Published: Feb 19, 2026
Source: NVD