Export limit exceeded: 10281 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10281 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11196 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The External Login plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.11.2 due to the 'exlog_test_connection' AJAX action lacking capability checks or nonce validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to query the configured external database and retrieve truncated usernames, email addresses, and password hashes via the diagnostic test results view. | ||||
| CVE-2025-12426 | 2 Ays-pro, Wordpress | 2 Quiz Maker, Wordpress | 2026-04-08 | 5.3 Medium |
| The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the ays_quiz_check_answer AJAX action without proper authorization checks. The endpoint only validates a nonce, but that same nonce is publicly available to all site visitors via the quiz_maker_ajax_public localized script data. This makes it possible for unauthenticated attackers to extract sensitive data including quiz answers for any quiz question. | ||||
| CVE-2024-2931 | 1 Wpfront | 1 Wpfront User Role Editor | 2026-04-08 | 4.3 Medium |
| The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract retrieve a list of all user email addresses who are registered on the site. | ||||
| CVE-2025-7654 | 2026-04-08 | 8.8 High | ||
| Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site users, which may make privilege escalation possible. Please note both FunnelKit – Funnel Builder for WooCommerce Checkout AND FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce are affected by this. | ||||
| CVE-2024-2541 | 2 Popup Builder, Sygnoos | 2 Popup Builder, Popup Builder | 2026-04-08 | 5.3 Medium |
| The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers. | ||||
| CVE-2024-11106 | 1 Wpchill | 1 Simple Restrict | 2026-04-08 | 5.3 Medium |
| The Simple Restrict plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.7 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | ||||
| CVE-2024-2106 | 1 Stylemixthemes | 1 Masterstudy Lms | 2026-04-08 | 5.3 Medium |
| The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 3.2.10. This can allow unauthenticated attackers to extract sensitive data including all registered user's username and email addresses which can be used to help perform future attacks. | ||||
| CVE-2024-1477 | 2 Mukeshpanchal, Wordpress | 2 Easy Maintenance Mode, Wordpress | 2026-04-08 | 5.3 Medium |
| The Easy Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2 via the REST API. This makes it possible for authenticated attackers to obtain post and page content via REST API thus bypassign the protection provided by the plugin. | ||||
| CVE-2024-6569 | 1 Campaignmonitor | 1 Campaign Monitor | 2026-04-08 | 5.3 Medium |
| The Campaign Monitor for WordPress plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.8.15. This is due the plugin not properly restricting direct access to /forms/views/admin/create.php and display_errors being enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
| CVE-2024-8978 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2026-04-08 | 5.7 Medium |
| The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_register_user_email_controls' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including usernames and passwords of any users who register via the Login | Register Form widget, as long as that user opens the email notification for successful registration. | ||||
| CVE-2026-2295 | 2 Wordpress, Wpzoom | 2 Wordpress, Wpzoom Addons For Elementor – Starter Templates & Widgets | 2026-04-08 | 5.3 Medium |
| The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_post_grid_load_more' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to retrieve protected (draft, future, pending) post titles and excerpts that should not be accessible to unauthenticated users. | ||||
| CVE-2024-13568 | 1 Wpmanageninja | 1 Fluent Support | 2026-04-08 | 7.5 High |
| The Fluent Support – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the 'fluent-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/fluent-support directory which can contain file attachments included in support tickets. | ||||
| CVE-2024-11292 | 1 Wordpress | 1 Wp Private Content Plus Plugin | 2026-04-08 | 5.3 Medium |
| The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | ||||
| CVE-2024-10321 | 1 Themesgrove | 1 All-in-one Addons For Elementor | 2026-04-08 | 4.3 Medium |
| The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 in elements/advanced-tab/template/view.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | ||||
| CVE-2024-0910 | 2 Restrict, Tickera | 2 Restrict For Elementor, Restrict For Elementor | 2026-04-08 | 5.3 Medium |
| The Restrict for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 due to improper restrictions on hidden data that make it accessible through the REST API. This makes it possible for unauthenticated attackers to extract potentially sensitive data from post content. | ||||
| CVE-2024-0616 | 1 Wpchill | 1 Passster | 2026-04-08 | 5.3 Medium |
| The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.6.2 via API. This makes it possible for unauthenticated attackers to obtain post titles, slugs, IDs, content and other metadata including passwords of password-protected posts and pages. | ||||
| CVE-2023-6922 | 1 Acurax | 1 Under Construction \/ Maintenance Mode | 2026-04-08 | 4.3 Medium |
| The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.6 via the 'acx_csma_subscribe_ajax' function. This can allow authenticated attackers to extract sensitive data such as names and email addresses of subscribed visitors. | ||||
| CVE-2024-6573 | 1 Getlevelten | 1 Intelligence | 2026-04-08 | 5.3 Medium |
| The Intelligence plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.0. This is due the plugin not preventing direct access to the /vendor/levelten/intel/realtime/index.php file and display_errors being enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
| CVE-2023-6266 | 1 Backupbliss | 1 Backup Migration | 2026-04-08 | 7.5 High |
| The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more. | ||||
| CVE-2025-2331 | 1 Givewp | 1 Givewp | 2026-04-08 | 5.3 Medium |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts. | ||||