Wordpress CVEs and Security Vulnerabilities

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (10790 CVEs found)

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-69090	2 Ovatheme, Wordpress	2 Remons, Wordpress	2026-03-06	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Remons remons allows PHP Local File Inclusion.This issue affects Remons: from n/a through <= 1.3.4.
CVE-2025-69338	2 Don-themes, Wordpress	2 Riode, Wordpress	2026-03-06	9.3 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Riode Core riode-core allows Blind SQL Injection.This issue affects Riode Core: from n/a through <= 1.6.26.
CVE-2026-28555	2 Gvectors, Wordpress	2 Wpforo Forum, Wordpress	2026-03-06	4.3 Medium
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.
CVE-2026-28556	2 Gvectors, Wordpress	2 Wpforo Forum, Wordpress	2026-03-06	5.4 Medium
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without moderator permissions, including relocating topics to private forums.
CVE-2026-28557	2 Gvectors, Wordpress	2 Wpforo Forum, Wordpress	2026-03-06	6.5 Medium
wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles.
CVE-2026-28050	2 Themerex, Wordpress	2 Beacon, Wordpress	2026-03-06	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Beacon beacon allows PHP Local File Inclusion.This issue affects Beacon: from n/a through <= 2.24.
CVE-2026-28048	2 Magentech, Wordpress	2 Flashmart, Wordpress	2026-03-06	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech FlashMart flashmart allows PHP Local File Inclusion.This issue affects FlashMart: from n/a through <= 2.0.15.
CVE-2026-28046	2 Themerex, Wordpress	2 Law Office, Wordpress	2026-03-06	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Law Office law-office allows PHP Local File Inclusion.This issue affects Law Office: from n/a through <= 3.3.0.
CVE-2025-69339	2 Don-themes, Wordpress	2 Molla, Wordpress	2026-03-06	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion.This issue affects Molla: from n/a through <= 1.5.16.
CVE-2025-69340	2 Buddhathemes, Wordpress	2 Wedesigntech Ultimate Booking Addon, Wordpress	2026-03-06	7.5 High
Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3.
CVE-2025-69343	2 Jeroen Schmit, Wordpress	2 Theater For Wordpress, Wordpress	2026-03-06	N/A
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for WordPress: from n/a through <= 0.19.
CVE-2025-69411	2 Robert Seyfriedsberger, Wordpress	2 Ioncube Tester Plus, Wordpress	2026-03-06	7.5 High
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Robert Seyfriedsberger ionCube tester plus ioncube-tester-plus allows Path Traversal.This issue affects ionCube tester plus: from n/a through <= 1.3.
CVE-2026-22385	2 Don-themes, Wordpress	2 Wolmart, Wordpress	2026-03-06	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Wolmart wolmart allows PHP Local File Inclusion.This issue affects Wolmart: from n/a through <= 1.9.6.
CVE-2026-22387	2 Mikado-themes, Wordpress	2 Aviana, Wordpress	2026-03-06	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Aviana aviana allows PHP Local File Inclusion.This issue affects Aviana: from n/a through <= 2.1.
CVE-2026-22390	2 Builderall, Wordpress	2 Builder For Wordpress, Wordpress	2026-03-06	N/A
Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code Injection.This issue affects Builderall Builder for WordPress: from n/a through <= 3.0.1.
CVE-2026-22394	2 Mikado-themes, Wordpress	2 Evently, Wordpress	2026-03-06	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Evently evently allows PHP Local File Inclusion.This issue affects Evently: from n/a through <= 1.7.
CVE-2026-22397	2 Mikado-themes, Wordpress	2 Fleur, Wordpress	2026-03-06	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Fleur fleur allows PHP Local File Inclusion.This issue affects Fleur: from n/a through <= 2.0.
CVE-2026-22403	2 Mikado-themes, Wordpress	2 Innovio, Wordpress	2026-03-06	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Innovio innovio allows PHP Local File Inclusion.This issue affects Innovio: from n/a through <= 1.7.
CVE-2026-22405	2 Mikado-themes, Wordpress	2 Overton, Wordpress	2026-03-06	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Overton overton allows PHP Local File Inclusion.This issue affects Overton: from n/a through <= 1.3.
CVE-2026-22408	2 Mikado-themes, Wordpress	2 Justicia, Wordpress	2026-03-06	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Justicia justicia allows PHP Local File Inclusion.This issue affects Justicia: from n/a through <= 1.2.

« first previous Page 10 of 540. next last »