Export limit exceeded: 343808 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10102 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13897 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.5 Medium |
| The Moving Media Library plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the generate_json_page function in all versions up to, and including, 1.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2026-2269 | 2 Uncannyowl, Wordpress | 2 Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin, Wordpress | 2026-04-08 | 7.2 High |
| The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.0.0.3 via the download_url() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Additionally, the plugin stores the contents of the remote files on the server, which can be leveraged to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-6553 | 2 Ovatheme, Wordpress | 2 Events Manager Plugin, Wordpress | 2026-04-08 | 9.8 Critical |
| The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-10673 | 1 Themehunk | 1 Top Store | 2026-04-08 | 8.8 High |
| The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins which can contain other exploitable vulnerabilities to elevate privileges and gain remote code execution. | ||||
| CVE-2024-9461 | 1 Boldgrid | 1 Total Upkeep | 2026-04-08 | 7.2 High |
| The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.6 via the cron_interval parameter. This is due to missing input validation and sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. | ||||
| CVE-2024-8126 | 2 Advancedfilemanager, Modalweb | 2 Advanced File Manager, Advanced File Manager | 2026-04-08 | 7.5 High |
| The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-12674 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 9.8 Critical |
| The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-9216 | 2026-04-08 | 8.8 High | ||
| The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-12583 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 9.9 Critical |
| The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. | ||||
| CVE-2025-13066 | 2 Kraftplugins, Wordpress | 2 Demo Importer Plus, Wordpress | 2026-04-08 | 8.8 High |
| The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-2780 | 3 Wofficeio, Wordpress, Xtendify | 3 Woffice Core, Wordpress, Woffice | 2026-04-08 | 8.8 High |
| The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-14390 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 8.8 High |
| The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-9290 | 2026-04-08 | 9.8 Critical | ||
| The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_migrate_check() function in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-13448 | 1 Themerex | 1 Addons | 2026-04-08 | 9.8 Critical |
| The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-1305 | 1 Spicethemes | 1 Newsblogger | 2026-04-08 | 8.8 High |
| The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-2421 | 2 Ghera74, Wordpress | 2 Ilghera Carta Docente For Woocommerce, Wordpress | 2026-04-08 | 6.5 Medium |
| The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a file deletion. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible. | ||||
| CVE-2024-10781 | 1 Cleantalk | 2 Antispam, Spam Protection\, Antispam\, Firewall | 2026-04-08 | 8.1 High |
| The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. | ||||
| CVE-2024-7855 | 1 Thimpress | 1 Wp Hotel Booking | 2026-04-08 | 8.8 High |
| The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-8614 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2026-04-08 | 9.9 Critical |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle_upload() function in all versions up to, and including, 2.6.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-13376 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 7.2 High |
| The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||