Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,750
Quick preset (or use dates below)
Clear Filters
Showing 12,961 - 12,980 of 14,675 CVEs
CVE-2026-1300 MEDIUM - 4.4

The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1266 MEDIUM - 4.4

The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and a...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1208 MEDIUM - 4.3

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings v...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1191 MEDIUM - 4.4

The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible ...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1189 MEDIUM - 6.4

The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attri...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1127 MEDIUM - 6.1

The Timeline Event History plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `id` parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web sc...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1098 MEDIUM - 6.4

The CM CSS Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' shortcode attribute in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

Published: Jan 24, 2026
Source: NVD
CVE-2026-0687 MEDIUM - 4.3

The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access ...

Published: Jan 24, 2026
Source: NVD
CVE-2025-15516 MEDIUM - 4.3

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and abov...

Vendor: plugins360
Product: All-in-One Video Gallery
Published: Jan 24, 2026
Source: NVD
CVE-2025-14907 MEDIUM - 4.3

The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a for...

Vendor: hallsofmontezuma
Product: Moderate Selected Posts
Published: Jan 24, 2026
Source: NVD
CVE-2025-14630 MEDIUM - 4.3

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated att...

Vendor: rtowebsites
Product: AdminQuickbar
Published: Jan 24, 2026
Source: NVD
CVE-2025-13205 MEDIUM - 4.3

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_Clone...

Vendor: devsoftbaltic
Product: SurveyJS: Drag & Drop Form Builder
Published: Jan 24, 2026
Source: NVD
CVE-2025-13194 MEDIUM - 4.3

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurve...

Vendor: devsoftbaltic
Product: SurveyJS: Drag & Drop Form Builder
Published: Jan 24, 2026
Source: NVD
CVE-2025-13139 MEDIUM - 4.3

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to ...

Vendor: devsoftbaltic
Product: SurveyJS: Drag & Drop Form Builder
Published: Jan 24, 2026
Source: NVD
CVE-2026-1103 MEDIUM - 5.4

The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only ch...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1099 MEDIUM - 6.4

The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'login' and 'logout' shortcode attributes in all versions up to, and including, 0.3.4 due to insufficient input sanitization and output escaping. This makes it possible for aut...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1097 MEDIUM - 6.4

The ThemeRuby Multi Authors โ€“ Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escapin...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1095 MEDIUM - 6.4

The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1088 MEDIUM - 4.3

The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's ...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1084 MEDIUM - 4.4

The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administra...

Published: Jan 24, 2026
Source: NVD