Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2025-11877 The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes f... | 7.5 | HIGH | β | 0 |
| CVE-2025-12030 The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-12449 The aBlocks β WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJ... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-12540 The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics clien... | 4.7 | MEDIUM | β | 0 |
| CVE-2025-12648 The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directorie... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-12958 The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up ... | 2.7 | LOW | β | 0 |
| CVE-2025-13369 The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' pa... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-13371 The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card... | 8.6 | HIGH | β | 0 |
| CVE-2025-13418 The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input san... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13419 The Guest posting / Frontend Posting / Front Editor β WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bf... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13493 The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in ... | 7.5 | HIGH | β | 0 |
| CVE-2025-13496 The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13497 The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13519 The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX a... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-13520 The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settin... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13521 The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings ... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13527 The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13529 The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it poss... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13531 The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sa... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13657 The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the hand... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13667 The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitiza... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13694 The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDE... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13722 The Fluent Forms β Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13801 The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read ... | 7.5 | HIGH | β | 0 |
| CVE-2025-13841 The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and i... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13847 The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output e... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13848 The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization a... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13849 The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and ou... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13887 The AI BotKit β AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the `ai_botkit_widget` shortcode in all versions up ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13974 The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input ... | 4.4 | MEDIUM | β | 0 |
| CVE-2025-13990 The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrat... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14028 The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and out... | 4.4 | MEDIUM | β | 0 |
| CVE-2025-14053 The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14057 The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and o... | 4.4 | MEDIUM | β | 0 |
| CVE-2025-14059 The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template RES... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-22521 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion.This issue affects H... | 7.5 | HIGH | β | 0 |
| CVE-2025-14070 The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6... | 7.5 | HIGH | β | 0 |
| CVE-2025-14077 The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage funct... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14109 The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitizat... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14110 The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14112 The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.2.1 due to insufficient input... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14113 The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-22522 Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Block Slider: from n/a through 2.2.3. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-14114 The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14118 The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-14121 The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input s... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14122 The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization an... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14127 The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient inpu... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-14128 The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-20963 Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 8.8 | HIGH | KEV | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.