Vulnerabilities (CVE)

Total 301185 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-11269 1 Mitchelllevy 1 Ahathat 2025-06-12 N/A 7.2 HIGH
The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks.
CVE-2024-11267 1 Joomlaserviceprovider 1 Jsp Store Locator 2025-06-12 N/A 8.8 HIGH
The JSP Store Locator WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing user with Contributor to perform SQL injection attacks.
CVE-2025-2048 1 Lana 1 Lana Downloads Manager 2025-06-12 N/A 4.1 MEDIUM
The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server
CVE-2024-12736 1 Bu 1 Bu Section Editing 2025-06-12 N/A 6.1 MEDIUM
The BU Section Editing WordPress plugin through 0.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-11606 1 Tabs Shortcode Project 1 Tabs Shortcode 2025-06-12 N/A 5.3 MEDIUM
The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2024-8085 1 Solidcode 1 Peoplepond 2025-06-12 N/A 6.1 MEDIUM
The PeoplePond WordPress plugin through 1.1.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-8082 1 Justintadlock 1 Widgets Reset 2025-06-12 N/A 4.3 MEDIUM
The Widgets Reset WordPress plugin through 0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-8050 1 Jfarthing 1 Custom Author Base 2025-06-12 N/A 4.3 MEDIUM
The Custom Author Base WordPress plugin through 1.1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-8032 1 Ulfbenjaminsson 1 Smooth Gallery Replacement 2025-06-12 N/A 6.1 MEDIUM
The Smooth Gallery Replacement WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
CVE-2025-26842 1 Znuny 1 Znuny 2025-06-12 N/A 7.5 HIGH
An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.
CVE-2024-8031 1 Wpbookingcalendar 1 Secure Downloads 2025-06-12 N/A 6.5 MEDIUM
The Secure Downloads WordPress plugin before 1.2.3 is vulnerable does not properly restrict which files can be downloaded. This makes it possible for authenticated attackers, with admin-level access and above, to download arbitrary files that may contain sensitive information like wp-config.php.
CVE-2025-26844 1 Znuny 1 Znuny 2025-06-12 N/A 9.8 CRITICAL
An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.
CVE-2022-4363 1 Cedcommerce 2 Wholesale Market, Wholesale Market For Woocommerce 2025-06-12 N/A 6.5 MEDIUM
The Wholesale Market WordPress plugin before 2.2.2, Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged in admin update them via a CSRF attack
CVE-2025-43926 1 Znuny 1 Znuny 2025-06-12 N/A 6.1 MEDIUM
An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.
CVE-2024-9236 1 Radiustheme 1 Team - Wordpress Team Members Showcase 2025-06-12 N/A 4.8 MEDIUM
The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-45887 1 Wanglongcn 1 Yifang 2025-06-12 N/A 9.1 CRITICAL
Yifang CMS v2.0.2 is vulnerable to Server-Side Request Forgery (SSRF) in /api/file/getRemoteContent.
CVE-2025-47786 1 Emlog 1 Emlog 2025-06-12 N/A 4.8 MEDIUM
Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not validated and is directly stored in the `admin_commend_perpage_num` field of the `emlog_options` table in the database. Moreover, the output is not filtered, resulting in the direct output of malicious code. As of time of publication, it is unclear if a patch exists.
CVE-2025-47785 1 Emlog 1 Emlog 2025-06-12 N/A 8.3 HIGH
Emlog is an open source website building system. In versions up to and including 2.5.9, SQL injection occurs because the $origContent parameter in admin/article_save.php is not strictly filtered. Since admin/article_save.php can be accessed by ordinary registered users, this will cause SQL injection to occur when the registered site is enabled, resulting in the injection of the admin account and password, which is then exploited by the backend remote code execution. As of time of publication, it is unknown whether a fix exists.
CVE-2025-2203 1 Funnelkit 1 Funnel Builder 2025-06-12 N/A 6.1 MEDIUM
The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
CVE-2025-1454 1 Ninja Pages Project 1 Ninja Pages 2025-06-12 N/A 5.4 MEDIUM
The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).