Total CVEs

142,666

Critical Severity

4,018

High Severity

14,386

Last 7 Days

1,417
Quick preset (or use dates below)
Clear Filters
Showing 14,161 - 14,180 of 14,805 CVEs
CVE-2025-15058 MEDIUM - 6.4

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

Published: Jan 07, 2026
Source: NVD
CVE-2025-15000 MEDIUM - 4.4

The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_key’ parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14999 MEDIUM - 4.3

The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin set...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14904 MEDIUM - 4.3

The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a fo...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14901 MEDIUM - 6.5

The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only bloc...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14891 MEDIUM - 6.4

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14888 MEDIUM - 4.4

The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-l...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14887 MEDIUM - 4.4

The twinklesmtp – Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. This makes it possible for authenticated a...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14875 MEDIUM - 6.1

The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cusdata’ parameter in all versions up to, and including, 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to ...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14867 MEDIUM - 6.5

The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents ...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14845 MEDIUM - 4.3

The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin&#...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14842 MEDIUM - 6.1

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14802 MEDIUM - 5.4

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the e...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14796 MEDIUM - 6.4

The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image titles in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and output escaping on the 'attachment->title' attribute. This makes it possible for authen...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14792 MEDIUM - 4.4

The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14719 MEDIUM - 4.9

The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks

Published: Jan 07, 2026
Source: NVD
CVE-2025-14626 MEDIUM - 6.4

The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes....

Published: Jan 07, 2026
Source: NVD
CVE-2025-14625 MEDIUM - 6.7

Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard on Windows (Nios II Command Shell modules), Altera Quartus Prime Lite on Windows (Nios II Command Shell modules) allows Search Order Hijacking.This issue affects Quartus Prime Standard: from 19.1 through 24.1; Quartus Pr...

Vendor: intel
Product: quartus_prime
Published: Jan 07, 2026
Source: NVD
CVE-2025-14614 MEDIUM - 6.7

Insecure Temporary File vulnerability in Altera Quartus Prime Standard  Installer (SFX) on Windows, Altera Quartus Prime Lite  Installer (SFX) on Windows allows Explore for Predictable Temporary File Names.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: f...

Vendor: intel
Product: quartus_prime
Published: Jan 07, 2026
Source: NVD
CVE-2025-14468 MEDIUM - 4.3

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts reques...

Published: Jan 07, 2026
Source: NVD