Total CVEs

142,666

Critical Severity

4,018

High Severity

14,386

Last 7 Days

1,417
Quick preset (or use dates below)
Clear Filters
Showing 14,181 - 14,200 of 14,805 CVEs
CVE-2025-14465 MEDIUM - 4.3

The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated attackers to update p...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14460 MEDIUM - 5.3

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback fr...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14453 MEDIUM - 6.4

The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style_css' shortcode attribute in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Co...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14370 MEDIUM - 5.3

The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin function. This makes it possible for authenticated attackers, with Subscriber-level access and above,...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14352 MEDIUM - 5.3

The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. This is due to the plugin relying solely on nonce verification without capability check...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14147 MEDIUM - 6.4

The Easy GitHub Gist Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the gist shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14145 MEDIUM - 6.4

The Niche Hero | Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nh_row shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes i...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14144 MEDIUM - 6.4

The Mstoic Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'start' parameter of the ms_youtube_embeds shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14131 MEDIUM - 6.1

The WP Widget Changer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14130 MEDIUM - 6.1

The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to i...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14128 MEDIUM - 6.1

The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14127 MEDIUM - 6.1

The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14122 MEDIUM - 6.4

The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated at...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14121 MEDIUM - 6.4

The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for au...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14118 MEDIUM - 6.1

The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14114 MEDIUM - 6.4

The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contr...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14113 MEDIUM - 6.4

The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14112 MEDIUM - 6.4

The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14110 MEDIUM - 6.4

The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, w...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14109 MEDIUM - 6.4

The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contribu...

Published: Jan 07, 2026
Source: NVD