Total CVEs

142,696

Critical Severity

4,021

High Severity

14,390

Last 7 Days

1,439
Quick preset (or use dates below)
Clear Filters
Showing 14,201 - 14,220 of 14,816 CVEs
CVE-2025-14130 MEDIUM - 6.1

The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to i...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14128 MEDIUM - 6.1

The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14127 MEDIUM - 6.1

The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14122 MEDIUM - 6.4

The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated at...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14121 MEDIUM - 6.4

The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for au...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14118 MEDIUM - 6.1

The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14114 MEDIUM - 6.4

The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contr...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14113 MEDIUM - 6.4

The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14112 MEDIUM - 6.4

The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14110 MEDIUM - 6.4

The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, w...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14109 MEDIUM - 6.4

The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contribu...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14077 MEDIUM - 4.3

The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged req...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14059 MEDIUM - 6.5

The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template REST API endpoint where user-controlled input from the emailkit-editor-template parameter is passed dir...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14057 MEDIUM - 4.4

The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permiss...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14053 MEDIUM - 6.4

The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contr...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14028 MEDIUM - 4.4

The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with a...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13990 MEDIUM - 4.3

The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete emp...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13974 MEDIUM - 4.4

The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administr...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13887 MEDIUM - 6.4

The AI BotKit โ€“ AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the `ai_botkit_widget` shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. T...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13849 MEDIUM - 6.4

The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level ...

Published: Jan 07, 2026
Source: NVD