Export limit exceeded: 23483 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10101 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10101 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1205 | 2 Israelb1, Wemanage | 2 Management App For Woocommerce, Wemanage | 2026-04-08 | 8.8 High |
| The Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the nouvello_upload_csv_file function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-11635 | 1 Iptanus | 1 Wordpress File Upload | 2026-04-08 | 9.8 Critical |
| The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server. | ||||
| CVE-2024-10629 | 1 Devfarm | 1 Wp Gpx Maps | 2026-04-08 | 8.8 High |
| The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-6925 | 1 Unitecms | 1 Unlimited Addons For Wpbakery Page Builder | 2026-04-08 | 7.2 High |
| The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to, and including, 1.0.42. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin (the default is editor role, but access can also be granted to contributor role), to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-6316 | 1 Mw Wp Form Project | 1 Mw Wp Form | 2026-04-08 | 9.8 Critical |
| The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-6220 | 1 Piotnet | 1 Piotnet Forms | 2026-04-08 | 8.1 High |
| The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'piotnetforms_ajax_form_builder' function in versions up to, and including, 1.0.28. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-4142 | 1 Smackcoders | 1 Wp Ultimate Csv Importer | 2026-04-08 | 8 High |
| The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code execution is still possible for site administrators, use the plugin with caution. | ||||
| CVE-2023-4141 | 1 Smackcoders | 1 Wp Ultimate Csv Importer | 2026-04-08 | 8 High |
| The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution. | ||||
| CVE-2023-3342 | 1 Wpeverest | 1 User Registration | 2026-04-08 | 9.9 Critical |
| The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1. | ||||
| CVE-2022-4950 | 2 Coolplugins, Cryptocurrency Payment \& Donation Box Plugins | 10 Cool Timeline, Cryptocurrency Widgets, Cryptocurrency Widgets For Elementor and 7 more | 2026-04-08 | 8.8 High |
| Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber. | ||||
| CVE-2022-4949 | 2 Adsanityplugin, Xen | 2 Adsanity, Xen | 2026-04-08 | 8.8 High |
| The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected sites server which makes remote code execution possible. | ||||
| CVE-2022-3384 | 1 Ultimatemember | 1 Ultimate Member | 2026-04-08 | 7.2 High |
| The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP functions like phpinfo(); since user supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server. | ||||
| CVE-2022-3383 | 1 Ultimatemember | 1 Ultimate Member | 2026-04-08 | 7.2 High |
| The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server. | ||||
| CVE-2022-2441 | 1 Orangelab | 1 Imagemagick Engine | 2026-04-08 | 8.8 High |
| The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access to the affected server. | ||||
| CVE-2022-0888 | 1 Ninjaforms | 1 Ninja Forms File Uploads | 2026-04-08 | 9.8 Critical |
| The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0 | ||||
| CVE-2021-4382 | 1 Recently Project | 1 Recently | 2026-04-08 | 8.8 High |
| The Recently plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the fetch_external_image() function in versions up to, and including, 3.0.4. This makes it possible for authenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2021-4368 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2026-04-08 | 9.9 Critical |
| The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities. | ||||
| CVE-2016-15033 | 1 Delete All Comments Project | 1 Delete All Comments | 2026-04-08 | 9.8 Critical |
| The Delete All Comments plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the via the delete-all-comments.php file in versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2025-9113 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 9.8 Critical |
| The Doccure Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.5.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-8420 | 2 Emarketdesign, Wordpress | 2 Request A Quote, Wordpress | 2026-04-08 | 8.1 High |
| Multiple plugins for WordPress by emarket-design with the 'emd-form-builder-lite' package are vulnerable to Remote Code Execution in various versions via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called | ||||