Total CVEs

142,696

Critical Severity

4,021

High Severity

14,390

Last 7 Days

1,439
Quick preset (or use dates below)
Clear Filters
Showing 14,221 - 14,240 of 14,816 CVEs
CVE-2025-13848 MEDIUM - 6.4

The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-l...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13847 MEDIUM - 6.4

The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13841 MEDIUM - 6.4

The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escapi...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13722 MEDIUM - 5.3

The Fluent Forms โ€“ Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes ...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13694 MEDIUM - 5.3

The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the serv...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13667 MEDIUM - 6.4

The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authentic...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13657 MEDIUM - 4.3

The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin&...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13531 MEDIUM - 6.4

The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with S...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13529 MEDIUM - 5.3

The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_p...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13527 MEDIUM - 4.3

The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13521 MEDIUM - 4.3

The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin sett...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13520 MEDIUM - 4.3

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin s...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13519 MEDIUM - 6.1

The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. This mak...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13497 MEDIUM - 6.4

The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13496 MEDIUM - 5.3

The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access ...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13419 MEDIUM - 5.3

The Guest posting / Frontend Posting / Front Editor โ€“ WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it ...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13418 MEDIUM - 6.4

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Au...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13369 MEDIUM - 6.1

The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to...

Published: Jan 07, 2026
Source: NVD
CVE-2025-12648 MEDIUM - 5.3

The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access cont...

Published: Jan 07, 2026
Source: NVD
CVE-2025-12540 MEDIUM - 4.7

The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can all...

Published: Jan 07, 2026
Source: NVD