Export limit exceeded: 24986 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (24986 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6738 | 1 Pagelayer | 1 Pagelayer | 2026-04-08 | 5.4 Medium |
| The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This appears to be a reintroduction of a vulnerability patched in version 1.7.7. | ||||
| CVE-2023-5254 | 1 Quantumcloud | 1 Wpbot | 2026-04-08 | 5.3 Medium |
| The ChatBot plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.8.9 via the qcld_wb_chatbot_check_user function. This can allow unauthenticated attackers to extract sensitive data including confirmation as to whether a user name exists on the site as well as order information for existing users. | ||||
| CVE-2023-5070 | 1 Ultimatelysocial | 1 Social Media Share Buttons \& Social Sharing Icons | 2026-04-08 | 6.5 Medium |
| The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function. This can allow subscribers to export plugin settings that include social media authentication tokens and secrets as well as app passwords. | ||||
| CVE-2023-4917 | 1 Te-st | 1 Leyka | 2026-04-08 | 5.3 Medium |
| The Leyka plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.30.7 via the 'leyka_ajax_get_env_and_options' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including Sberbank API key and password, PayPal Client Secret, and more keys and passwords. | ||||
| CVE-2023-4796 | 1 Booster | 1 Booster For Woocommerce | 2026-04-08 | 4.3 Medium |
| The Booster for WooCommerce for WordPress is vulnerable to Information Disclosure via the 'wcj_wp_option' shortcode in versions up to, and including, 7.1.0 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers, with subscriber-level capabilities or above, to retrieve arbitrary sensitive site options. | ||||
| CVE-2023-3779 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2026-04-08 | 5.3 Medium |
| The Essential Addons For Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 5.8.1 due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled as the API key may have been compromised. This only affects sites running the premium version of the plugin and that have the Mailchimp block enabled on a page. | ||||
| CVE-2023-3132 | 1 Mainwp | 1 Mainwp Child | 2026-04-08 | 5.9 Medium |
| The MainWP Child plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.4.1.1 due to insufficient controls on the storage of back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including the entire installations database if a backup occurs and the deletion of the back-up files fail. | ||||
| CVE-2023-2916 | 1 Revmakx | 1 Infinitewp Client | 2026-04-08 | 7.5 High |
| The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges. | ||||
| CVE-2023-1263 | 1 Niteothemes | 1 Coming Soon \& Maintenance | 2026-04-08 | 5.3 Medium |
| The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 4.1.6 via the cmp_get_post_detail function. This can allow unauthenticated individuals to obtain the contents of any non-password-protected, published post or page even when maintenance mode is enabled. | ||||
| CVE-2023-0814 | 1 Cozmoslabs | 1 Profile Builder | 2026-04-08 | 6.5 Medium |
| The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the [user_meta] shortcode in versions up to, and including 3.9.0. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account. This does require the Usermeta shortcode be enabled to be exploited. | ||||
| CVE-2022-4032 | 1 Expresstech | 1 Quiz And Survey Master | 2026-04-08 | 7.2 High |
| The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2022-2462 | 1 Transposh | 1 Transposh Wordpress Translation | 2026-04-08 | 5.3 Medium |
| The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disclosure to unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permissions checking on the 'tp_history' AJAX action and insufficient restriction on the data returned in the response. This makes it possible for unauthenticated users to exfiltrate usernames of individuals who have translated text. | ||||
| CVE-2022-2117 | 1 Givewp | 1 Givewp | 2026-04-08 | 5.3 Medium |
| The GiveWP plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 2.20.2 via the /donor-wall REST-API endpoint which provides unauthenticated users with donor information even when the donor wall is not enabled. This functionality has been completely removed in version 2.20.2. | ||||
| CVE-2021-4377 | 1 Wobbie | 1 Doneren Met Mollie | 2026-04-08 | 6.5 Medium |
| The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmm_export_donations() function which is called via the admin_post_dmm_export hook due to missing capability checks. This can allow authenticated attackers to extract a CSV file that contains sensitive information about the donors. | ||||
| CVE-2020-36723 | 1 Cridio | 1 Listingpro | 2026-04-08 | 5.3 Medium |
| The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the ~/listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email addresses, phone numbers, physical addresses and user post counts. | ||||
| CVE-2025-8620 | 3 Givew, Givewp, Wordpress | 3 Donation Plugin And Fundraising Platform, Givewp, Wordpress | 2026-04-08 | 5.3 Medium |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id. CVE-2025-47444 is a duplicate of this issue. CVE-2025-47444 is a duplicate of this issue. | ||||
| CVE-2025-8091 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-15527 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-13371 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 8.6 High |
| The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. | ||||
| CVE-2025-12585 | 2 Mxchat, Wordpress | 2 Ai Chatbot For Wordpress, Wordpress | 2026-04-08 | 5.3 Medium |
| The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data. | ||||