Search Results (14083 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-20080 2 Brandfolder, Wordpress 2 Brandfolder, Wordpress 2026-06-23 6.2 Medium
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter. Attackers can supply path traversal sequences or remote URLs through the wp_abspath parameter to read sensitive files like wp-config.php or execute remote code.
CVE-2016-20081 2 Husain, Wordpress 2 Hb Audio Gallery Lite, Wordpress 2026-06-23 7.5 High
WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Attackers can send requests to the audio-download.php endpoint with directory traversal sequences to access sensitive files like wp-config.php outside the intended gallery directory.
CVE-2016-20082 2 Abtest, Wordpress 2 Abtest, Wordpress 2026-06-23 6.2 Medium
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest_admin.php with malicious action values to include files from the admin directory and execute arbitrary code.
CVE-2016-20083 2 Henrikmelin, Wordpress 2 More Fields, Wordpress 2026-06-23 5.3 Medium
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxes on the Write/Edit page via POST and GET requests to the options-general.php endpoint.
CVE-2018-25436 2 Shipster, Wordpress 2 Baggage Freight Shipping Australia, Wordpress 2026-06-23 9.8 Critical
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
CVE-2018-25437 2 Cherryframework, Wordpress 2 Cherry Framework Themes, Wordpress 2026-06-23 7.5 High
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents.
CVE-2026-49062 2 Wordpress, Wp Engine 2 Wordpress, Faust.js 2026-06-23 8.8 High
Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7.
CVE-2026-49064 2 Stiofan, Wordpress 2 Getpaid, Wordpress 2026-06-23 7.5 High
Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49.
CVE-2025-15658 2 Rewish, Wordpress 2 Wp Emmet, Wordpress 2026-06-23 5.9 Medium
Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions.
CVE-2025-15659 2 Liseperu, Wordpress 2 Elizaibots, Wordpress 2026-06-23 6.5 Medium
Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions.
CVE-2025-60175 2 Vynnus, Wordpress 2 Popad, Wordpress 2026-06-23 4.4 Medium
Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.
CVE-2025-68049 2 Bunny.net, Wordpress 2 Bunny.net, Wordpress 2026-06-23 6.3 Medium
Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.
CVE-2025-68840 2 Markbeljaars, Wordpress 2 Irobots.txt Seo, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
CVE-2025-68851 2 Arrayhq, Wordpress 2 Okay Toolkit, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.
CVE-2025-68872 2 Eli, Wordpress 2 Eli's Wordcents Adsense Widget With Analytics, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Eli&#039;s WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
CVE-2025-69332 2 Mycred, Wordpress 2 Bookify, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Bookify <= 1.1.1 versions.
CVE-2026-25425 2 Themegrill, Wordpress 2 User Registration, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions.
CVE-2026-34898 2 Wordpress, Wp Swings 2 Wordpress, Event Tickets Manager For Woocommerce 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.
CVE-2026-34901 2 Paul, Wordpress 2 Icontrolwp, Wordpress 2026-06-23 9.8 Critical
Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.
CVE-2026-39441 2 Naked Cat Plugins (by Webdados), Wordpress 2 Feed Kuantokusta For Woocommerce – Free, Wordpress 2026-06-23 9.3 Critical
Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions.