Total CVEs

143,745

Critical Severity

4,091

High Severity

14,757

Last 7 Days

1,550
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,661 - 14,680 of 14,877 CVEs
CVE-2025-14028 MEDIUM - 4.4

The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with a...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13990 MEDIUM - 4.3

The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete emp...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13974 MEDIUM - 4.4

The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administr...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13887 MEDIUM - 6.4

The AI BotKit โ€“ AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the `ai_botkit_widget` shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. T...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13849 MEDIUM - 6.4

The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level ...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13848 MEDIUM - 6.4

The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-l...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13847 MEDIUM - 6.4

The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13841 MEDIUM - 6.4

The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escapi...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13722 MEDIUM - 5.3

The Fluent Forms โ€“ Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes ...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13694 MEDIUM - 5.3

The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the serv...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13667 MEDIUM - 6.4

The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authentic...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13657 MEDIUM - 4.3

The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin&...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13531 MEDIUM - 6.4

The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with S...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13529 MEDIUM - 5.3

The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_p...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13527 MEDIUM - 4.3

The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13521 MEDIUM - 4.3

The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin sett...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13520 MEDIUM - 4.3

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin s...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13519 MEDIUM - 6.1

The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. This mak...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13497 MEDIUM - 6.4

The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13496 MEDIUM - 5.3

The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access ...

Published: Jan 07, 2026
Source: NVD