WordPress 5.1 contains 216 documented vulnerabilities, including 15 critical flaws that could compromise your website's security. If you're running this outdated version, your site is at serious risk from hackers exploiting known security gaps. This guide shows you exactly what vulnerabilities exist and how to protect your website immediately.
Over 18,472 websites are still running WordPress 5.1, making it a prime target for cybercriminals. The vulnerabilities range from SQL injection attacks to authentication bypasses that could grant attackers complete control of your site. Understanding these risks is the first step toward securing your WordPress installation.
WordPress 5.1 is an older version of WordPress, the platform that powers over 43% of all websites on the internet. Released in 2019, version 5.1 introduced improvements to editing functionality and site management tools. However, like all software, WordPress 5.1 has since been patched many times to fix security problems discovered by researchers and ethical hackers.
Think of WordPress versions like car models: newer versions get better safety features and fixes for discovered problems, while older models become increasingly vulnerable to new threats. WordPress 5.1 is now considered legacy software, meaning it's no longer actively maintained by the WordPress team. This means new security vulnerabilities discovered in plugins and the core system are no longer being patched for this version, leaving users exposed to known attacks.
216 CVEs found. The most critical are explained below.
The JoomSport plugin has a security flaw that allows attackers to send specially crafted requests to your website. These requests can trick the plugin into executing harmful code without needing to log in first.
Impact: Attackers could take control of your website, steal data, or install malware that affects all your visitors.
The Limit Login Attempts plugin fails to properly validate user input in its security checks. Attackers can exploit this to directly access and manipulate your website's database.
Impact: Your customer data, passwords, and business information stored in the database could be stolen or deleted by attackers.
The Abandoned Cart plugin uses weak encryption for abandoned cart recovery links. Attackers can forge these links to log in as any customer without knowing their password.
Impact: Attackers can access customer accounts, view their personal information, and make purchases using their account or payment methods.
The UserPro plugin doesn't properly verify users logging in through Facebook. Attackers can trick the plugin into thinking they are any user on your site.
Impact: Attackers can impersonate any user, including administrators, and gain full control of your website.
The UserPro plugin's password reset feature doesn't properly validate requests. Attackers can reset any user's password without permission.
Impact: Attackers can lock out legitimate users and take over accounts, including admin accounts with full website access.
The Fluent Forms plugin has an API endpoint that doesn't check user permissions properly. Attackers can use this to gain administrative powers without being an admin.
Impact: Attackers could modify forms, access submissions containing customer data, or change website settings and content.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-11349 | CRITICAL | 9.8 | 2024-12-21 | The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's iden… |
| CVE-2024-11350 | CRITICAL | 9.8 | 2025-01-08 | The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly val… |
| CVE-2024-12857 | CRITICAL | 9.8 | 2025-01-22 | The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's iden… |
| CVE-2025-2470 | CRITICAL | 9.8 | 2025-04-25 | The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in all versions up to… |
| CVE-2025-6715 | CRITICAL | 9.8 | 2025-08-13 | The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and execute PHP files… |
| CVE-2026-1492 | CRITICAL | 9.8 | 2026-03-03 | The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable … |
| CVE-2026-6510 | CRITICAL | 9.8 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce v… |
| CVE-2026-5118 | CRITICAL | 9.8 | 2026-05-21 | The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'ro… |
| CVE-2026-6512 | CRITICAL | 9.1 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a … |
| CVE-2019-9787 | HIGH | 8.8 | 2019-03-14 | WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF pro… |
| CVE-2019-12826 | HIGH | 8.8 | 2019-07-01 | A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code v… |
| CVE-2017-18607 | HIGH | 8.8 | 2019-09-10 | The avada theme before 5.1.5 for WordPress has CSRF. |
| CVE-2021-24149 | HIGH | 8.8 | 2021-03-18 | Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action whe… |
| CVE-2021-24178 | HIGH | 8.8 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make… |
| CVE-2021-24179 | HIGH | 8.8 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make … |
| CVE-2021-34645 | HIGH | 8.8 | 2021-08-19 | The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin… |
| CVE-2022-2594 | HIGH | 8.8 | 2022-08-22 | The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a defa… |
| CVE-2023-0080 | HIGH | 8.8 | 2023-02-13 | The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to … |
| CVE-2023-1196 | HIGH | 8.8 | 2023-05-02 | The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of C… |
| CVE-2023-2440 | HIGH | 8.8 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', … |
| CVE-2023-2497 | HIGH | 8.8 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the '… |
| CVE-2023-6009 | HIGH | 8.8 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile'… |
| CVE-2025-4317 | HIGH | 8.8 | 2025-05-13 | The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and includi… |
| CVE-2025-7052 | HIGH | 8.8 | 2025-09-30 | The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_… |
| CVE-2026-6506 | HIGH | 8.8 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function mi… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2025-3529 | HIGH | 8.2 | 2025-04-23 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter. T… |
| CVE-2025-7038 | HIGH | 8.2 | 2025-09-30 | The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call A… |
| CVE-2025-3952 | HIGH | 8.1 | 2025-05-01 | The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capabi… |
| CVE-2025-8417 | HIGH | 8.1 | 2025-09-11 | The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessabl… |
| CVE-2026-1779 | HIGH | 8.1 | 2026-02-26 | The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in … |
| CVE-2026-4347 | HIGH | 8.1 | 2026-04-02 | The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_fi… |
| CVE-2026-5436 | HIGH | 8.1 | 2026-04-08 | The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parame… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2021-24146 | HIGH | 7.5 | 2021-03-18 | Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenti… |
| CVE-2021-24295 | HIGH | 7.5 | 2021-05-17 | It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4.… |
| CVE-2023-6113 | HIGH | 7.5 | 2024-01-01 | The WP STAGING WordPress Backup Plugin before 3.1.3 and WP STAGING Pro WordPress Backup Plugin before 5.1.3 do not prevent visitors from leaking key information about ongoing back… |
| CVE-2024-2782 | HIGH | 7.5 | 2024-05-18 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing … |
| CVE-2024-4157 | HIGH | 7.5 | 2024-05-22 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and inc… |
| CVE-2025-3530 | HIGH | 7.5 | 2025-04-23 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involv… |
| CVE-2025-13457 | HIGH | 7.5 | 2026-01-10 | The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to … |
| CVE-2026-3124 | HIGH | 7.5 | 2026-03-30 | The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to mi… |
| CVE-2026-6514 | HIGH | 7.5 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.1.2 via the popup_submit. This makes it possible for unauthent… |
| CVE-2023-6007 | HIGH | 7.3 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all ve… |
| CVE-2021-24131 | HIGH | 7.2 | 2021-03-18 | Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, lead to multiple authenticated SQL injection vulnerabilities, however, it requires high pr… |
| CVE-2021-24145 | HIGH | 7.2 | 2021-03-18 | Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by ad… |
| CVE-2021-24248 | HIGH | 7.2 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 did not properly check for imported files, forbidding certain extension via a… |
| CVE-2022-3302 | HIGH | 7.2 | 2022-10-25 | The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.185.1 does not validate ids before using them in a SQL statement, which could lead to SQL injection … |
| CVE-2019-25152 | HIGH | 7.2 | 2023-06-22 | The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versi… |
| CVE-2024-2020 | HIGH | 7.2 | 2024-03-13 | The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to i… |
| CVE-2024-3600 | HIGH | 7.2 | 2024-04-19 | The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start A… |
| CVE-2024-4870 | HIGH | 7.2 | 2024-06-04 | The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the … |
| CVE-2022-1206 | HIGH | 7.2 | 2024-08-20 | The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrota… |
| CVE-2025-14675 | HIGH | 7.2 | 2026-03-07 | The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and i… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2022-41791 | MEDIUM | 6.8 | 2022-11-17 | Auth. (subscriber+) CSV Injection vulnerability in ProfileGrid plugin <= 5.1.6 on WordPress. |
| CVE-2021-24249 | MEDIUM | 6.5 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to mak… |
| CVE-2022-1610 | MEDIUM | 6.5 | 2022-06-20 | The Seamless Donations WordPress plugin before 5.1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change the… |
| CVE-2022-1829 | MEDIUM | 6.5 | 2022-06-20 | The Inline Google Maps WordPress plugin through 5.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change the… |
| CVE-2023-0890 | MEDIUM | 6.5 | 2023-03-20 | The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be a… |
| CVE-2023-0911 | MEDIUM | 6.5 | 2023-03-20 | The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not validate the user meta to be retrieved via the user shortcode, allowing any authentic… |
| CVE-2023-2446 | MEDIUM | 6.5 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient … |
| CVE-2023-2448 | MEDIUM | 6.5 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and… |
| CVE-2024-1285 | MEDIUM | 6.5 | 2024-03-05 | The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on th… |
| CVE-2024-1381 | MEDIUM | 6.5 | 2024-03-05 | The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.… |
| CVE-2024-9657 | MEDIUM | 6.5 | 2024-11-05 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-12421 | MEDIUM | 6.5 | 2024-12-13 | The The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.16.7.1. Th… |
| CVE-2025-0954 | MEDIUM | 6.5 | 2025-03-05 | The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions… |
| CVE-2024-13557 | MEDIUM | 6.5 | 2025-03-29 | The Shortcodes by United Themes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.1.6. This is due to the software allowi… |
| CVE-2025-3874 | MEDIUM | 6.5 | 2025-05-01 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization … |
| CVE-2025-9260 | MEDIUM | 6.5 | 2025-09-03 | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 v… |
| CVE-2026-1865 | MEDIUM | 6.5 | 2026-04-08 | The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vu… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-6225 | MEDIUM | 6.4 | 2023-11-28 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_meta shortcode combined with post meta data in… |
| CVE-2023-2439 | MEDIUM | 6.4 | 2024-01-31 | The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userpro' shortcode in versions up to, and including, 5.1.5 due to insufficient input sanitiz… |
| CVE-2024-1073 | MEDIUM | 6.4 | 2024-02-02 | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filter_array' parameter in all versions up to, and including, 5.1.3 due to insuff… |
| CVE-2024-4386 | MEDIUM | 6.4 | 2024-05-14 | The Gallery Block (Meow Gallery) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data_atts’ parameter in versions up to, and including, 5.1.3 due to in… |
| CVE-2024-2772 | MEDIUM | 6.4 | 2024-05-18 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in al… |
| CVE-2024-4709 | MEDIUM | 6.4 | 2024-05-18 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ param… |
| CVE-2024-10310 | MEDIUM | 6.4 | 2024-11-02 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-11228 | MEDIUM | 6.4 | 2024-11-23 | The 워드프레스 결제 심플페이 – 우커머스 결제 플러그인 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pafw_instant_payment shortcode in all versions up to, and inclu… |
| CVE-2024-9058 | MEDIUM | 6.4 | 2024-12-03 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-12697 | MEDIUM | 6.4 | 2024-12-21 | The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.1 due to insufficient input sanitization and output escapi… |
| CVE-2024-12851 | MEDIUM | 6.4 | 2025-01-08 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via… |
| CVE-2024-13464 | MEDIUM | 6.4 | 2025-02-18 | The Library Bookshelves plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bookshelf' shortcode in all versions up to, and including, 5.10 due to … |
| CVE-2025-1457 | MEDIUM | 6.4 | 2025-04-19 | The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Wrapper Li… |
| CVE-2025-1458 | MEDIUM | 6.4 | 2025-04-26 | The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget… |
| CVE-2025-3890 | MEDIUM | 6.4 | 2025-05-01 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_cart_button' shortcode in all versions up to, and includi… |
| CVE-2025-5292 | MEDIUM | 6.4 | 2025-05-31 | The Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder plugin for WordPress is vulnerable to Stored Cross-Site… |
| CVE-2025-6941 | MEDIUM | 6.4 | 2025-09-30 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'latepoint_reso… |
| CVE-2025-12090 | MEDIUM | 6.4 | 2025-11-01 | The Employee Spotlight – Team Member Showcase & Meet the Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social URLs in all versions up to, and i… |
| CVE-2025-13418 | MEDIUM | 6.4 | 2026-01-07 | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to i… |
| CVE-2025-15058 | MEDIUM | 6.4 | 2026-01-07 | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due … |
| CVE-2025-13535 | MEDIUM | 6.4 | 2026-04-01 | The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and includin… |
| CVE-2026-4300 | MEDIUM | 6.4 | 2026-04-08 | The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a c… |
| CVE-2023-6008 | MEDIUM | 6.3 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multi… |
| CVE-2014-4932 | MEDIUM | 6.1 | 2018-08-28 | Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val par… |
| CVE-2019-11869 | MEDIUM | 6.1 | 2019-05-09 | The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only veri… |
| CVE-2019-14949 | MEDIUM | 6.1 | 2019-08-12 | The wp-database-backup plugin before 5.1.2 for WordPress has XSS. |
| CVE-2012-6716 | MEDIUM | 6.1 | 2019-08-22 | The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links. |
| CVE-2015-9378 | MEDIUM | 6.1 | 2019-08-28 | iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via add_query_arg() and remove_query_arg(). |
| CVE-2017-18606 | MEDIUM | 6.1 | 2019-09-10 | The avada theme before 5.1.5 for WordPress has stored XSS. |
| CVE-2019-17515 | MEDIUM | 6.1 | 2019-11-13 | The CleanTalk cleantalk-spam-protect plugin before 5.127.4 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML an… |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2021-24973 | MEDIUM | 6.1 | 2022-01-03 | The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authen… |
| CVE-2022-28221 | MEDIUM | 6.1 | 2022-04-19 | The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/L… |
| CVE-2022-28222 | MEDIUM | 6.1 | 2022-04-19 | The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/L… |
| CVE-2022-1933 | MEDIUM | 6.1 | 2022-07-17 | The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and a… |
| CVE-2022-41136 | MEDIUM | 6.1 | 2022-11-08 | Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Vladimir Anokhin's Shortcodes Ultimate plugin <= 5.12.0 on WordPress. |
| CVE-2022-3578 | MEDIUM | 6.1 | 2022-11-14 | The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting |
| CVE-2023-2568 | MEDIUM | 6.1 | 2023-06-12 | The Photo Gallery by Ays WordPress plugin before 5.1.7 does not escape some parameters before outputting it back in attributes, leading to Reflected Cross-Site Scripting which cou… |
| CVE-2023-2447 | MEDIUM | 6.1 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the '… |
| CVE-2023-2438 | MEDIUM | 6.1 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the '… |
| CVE-2023-6956 | MEDIUM | 6.1 | 2024-06-06 | The EasyAzon – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘easyazon-cloaking-locale’ parameter in all versions… |
| CVE-2024-6339 | MEDIUM | 6.1 | 2024-08-21 | The Phlox PRO theme for WordPress is vulnerable to Reflected Cross-Site Scripting via search parameters in all versions up to, and including, 5.16.4 due to insufficient input sani… |
| CVE-2024-11032 | MEDIUM | 6.1 | 2024-11-26 | The Parsi Date plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, … |
| CVE-2026-26370 | MEDIUM | 6.1 | 2026-02-20 | WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in… |
| CVE-2026-6203 | MEDIUM | 6.1 | 2026-04-13 | The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-suppli… |
| CVE-2026-3355 | MEDIUM | 6.1 | 2026-04-16 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, 5.101.… |
| CVE-2025-4187 | MEDIUM | 5.9 | 2025-06-14 | The UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fb… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2025-11467 | MEDIUM | 5.8 | 2025-12-11 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all ver… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2024-13505 | MEDIUM | 5.5 | 2025-01-26 | The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ays_sections[5][questions][8][title]’ parameter in all versions up to, and including, 5… |
| CVE-2025-6815 | MEDIUM | 5.5 | 2025-09-30 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘service[name]’ parameter in all vers… |
| CVE-2020-9459 | MEDIUM | 5.4 | 2020-02-28 | Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allows remote authenticated users (with min… |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2020-15038 | MEDIUM | 5.4 | 2020-06-24 | The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS. |
| CVE-2021-24147 | MEDIUM | 5.4 | 2021-03-18 | Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) w… |
| CVE-2021-24250 | MEDIUM | 5.4 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from lack of sanitisation in the label of the Form Fields, leading t… |
| CVE-2021-24603 | MEDIUM | 5.4 | 2021-09-06 | The Site Reviews WordPress plugin before 5.13.1 does not sanitise some of its Review Details when adding a review as an admin, which could allow them to perform Cross-Site Scripti… |
| CVE-2021-24525 | MEDIUM | 5.4 | 2021-09-20 | The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its … |
| CVE-2021-36850 | MEDIUM | 5.4 | 2021-10-04 | Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "l… |
| CVE-2022-38086 | MEDIUM | 5.4 | 2022-10-11 | Cross-Site Request Forgery (CSRF) vulnerability in Shortcodes Ultimate plugin <= 5.12.0 at WordPress leading to plugin preset settings change. |
| CVE-2023-0364 | MEDIUM | 5.4 | 2023-03-20 | The real.Kit WordPress plugin before 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, w… |
| CVE-2023-0369 | MEDIUM | 5.4 | 2023-03-20 | The GoToWP WordPress plugin through 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, wh… |
| CVE-2023-0079 | MEDIUM | 5.4 | 2024-01-16 | The Customer Reviews for WooCommerce WordPress plugin before 5.17.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where … |
| CVE-2024-1333 | MEDIUM | 5.4 | 2024-03-18 | The Responsive Pricing Table WordPress plugin before 5.1.11 does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the rel… |
| CVE-2024-9868 | MEDIUM | 5.4 | 2024-11-02 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-9867 | MEDIUM | 5.4 | 2024-11-05 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-10493 | MEDIUM | 5.4 | 2024-11-28 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of its… |
| CVE-2024-10980 | MEDIUM | 5.4 | 2024-11-29 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of i… |
| CVE-2026-4056 | MEDIUM | 5.4 | 2026-03-24 | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API e… |
| CVE-2026-4401 | MEDIUM | 5.4 | 2026-04-08 | The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.… |
| CVE-2021-39327 | MEDIUM | 5.3 | 2021-09-17 | The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which… |
| CVE-2022-4346 | MEDIUM | 5.3 | 2023-01-23 | The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email address. |
| CVE-2023-5845 | MEDIUM | 5.3 | 2023-11-27 | The Simple Social Media Share Buttons WordPress plugin before 5.1.1 leaks password-protected post content to unauthenticated visitors in some meta tags |
| CVE-2024-0701 | MEDIUM | 5.3 | 2024-02-05 | The UserPro plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 5.1.6. This is due to the use of client-side restrictions to enforc… |
| CVE-2024-3601 | MEDIUM | 5.3 | 2024-05-02 | The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author funct… |
| CVE-2024-6557 | MEDIUM | 5.3 | 2024-07-16 | The SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher plugin for WordPress is vulnerable to Full Path… |
| CVE-2024-13457 | MEDIUM | 5.3 | 2025-01-30 | The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id paramete… |
| CVE-2025-1402 | MEDIUM | 5.3 | 2025-02-21 | The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all ve… |
| CVE-2025-3889 | MEDIUM | 5.3 | 2025-05-01 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data… |
| CVE-2025-3769 | MEDIUM | 5.3 | 2025-05-14 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.… |
| CVE-2025-10008 | MEDIUM | 5.3 | 2025-10-30 | The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' funct… |
| CVE-2025-12892 | MEDIUM | 5.3 | 2025-11-13 | The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versio… |
| CVE-2025-12891 | MEDIUM | 5.3 | 2025-11-13 | The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions… |
| CVE-2025-12876 | MEDIUM | 5.3 | 2025-12-05 | The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJA… |
| CVE-2026-0939 | MEDIUM | 5.3 | 2026-01-16 | The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and incl… |
| CVE-2026-0942 | MEDIUM | 5.3 | 2026-01-16 | The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the… |
| CVE-2026-1219 | MEDIUM | 5.3 | 2026-02-19 | The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_… |
| CVE-2026-2356 | MEDIUM | 5.3 | 2026-02-26 | The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions … |
| CVE-2026-3460 | MEDIUM | 5.3 | 2026-03-21 | The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callb… |
| CVE-2026-2696 | MEDIUM | 5.3 | 2026-04-01 | The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. The… |
| CVE-2026-4664 | MEDIUM | 5.3 | 2026-04-10 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_p… |
| CVE-2026-6145 | MEDIUM | 5.3 | 2026-05-14 | The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_pr… |
| CVE-2026-6206 | MEDIUM | 5.3 | 2026-05-14 | The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to… |
| CVE-2026-7651 | MEDIUM | 5.3 | 2026-05-28 | The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vu… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2025-11128 | MEDIUM | 5.0 | 2025-10-23 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions … |
| CVE-2026-1249 | MEDIUM | 5.0 | 2026-02-14 | The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyric… |
| CVE-2023-0156 | MEDIUM | 4.9 | 2023-04-10 | The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it's settings pages, allowing an authorized user (admin+) to view the cont… |
| CVE-2023-3814 | MEDIUM | 4.9 | 2023-09-04 | The Advanced File Manager WordPress plugin before 5.1.1 does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary fi… |
| CVE-2023-6957 | MEDIUM | 4.9 | 2024-03-13 | The Fluent Forms plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insuffic… |
| CVE-2024-6703 | MEDIUM | 4.9 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ a… |
| CVE-2024-9528 | MEDIUM | 4.9 | 2024-10-05 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields i… |
| CVE-2021-24622 | MEDIUM | 4.8 | 2021-10-18 | The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow hi… |
| CVE-2022-1568 | MEDIUM | 4.8 | 2022-05-30 | The Team Members WordPress plugin before 5.1.1 does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting atta… |
| CVE-2023-0157 | MEDIUM | 4.8 | 2023-04-10 | The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (a… |
| CVE-2023-4810 | MEDIUM | 4.8 | 2023-11-06 | The Responsive Pricing Table WordPress plugin before 5.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Store… |
| CVE-2024-3921 | MEDIUM | 4.8 | 2024-05-29 | The Gianism WordPress plugin through 5.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scr… |
| CVE-2025-1485 | MEDIUM | 4.8 | 2025-06-02 | The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin before 5.1.6, real-cookie-banner-pro WordPress plugin before 5.1.6 does not sanitise and escape some of its… |
| CVE-2021-36895 | MEDIUM | 4.7 | 2022-04-26 | Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload. |
| CVE-2024-0618 | MEDIUM | 4.4 | 2024-01-27 | The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form tit… |
| CVE-2024-6518 | MEDIUM | 4.4 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via input fields in all… |
| CVE-2024-6520 | MEDIUM | 4.4 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom error messag… |
| CVE-2024-6521 | MEDIUM | 4.4 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dropdown fields in … |
| CVE-2014-4664 | MEDIUM | 4.3 | 2014-11-06 | Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the whoisva… |
| CVE-2014-9174 | MEDIUM | 4.3 | 2014-12-02 | Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbi… |
| CVE-2021-24251 | MEDIUM | 4.3 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to mak… |
| CVE-2020-36699 | MEDIUM | 4.3 | 2023-06-07 | The Quick Page/Post Redirect Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the qppr_save_quick_redirect_ajax and qppr_delete_quick… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2023-6226 | MEDIUM | 4.3 | 2023-11-28 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta … |
| CVE-2024-37218 | MEDIUM | 4.3 | 2024-11-01 | Missing Authorization vulnerability in WordPress Page Builder Sandwich Team Page Builder Sandwich – Front-End Page Builder allows Exploiting Incorrectly Configured Access Control … |
| CVE-2024-12329 | MEDIUM | 4.3 | 2024-12-12 | The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, an… |
| CVE-2024-11852 | MEDIUM | 4.3 | 2024-12-22 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to unauthorized access of data due… |
| CVE-2024-12855 | MEDIUM | 4.3 | 2025-01-08 | The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions like 'sb_remove_ad' in all versions u… |
| CVE-2024-13415 | MEDIUM | 4.3 | 2025-01-31 | The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() fun… |
| CVE-2025-3284 | MEDIUM | 4.3 | 2025-04-19 | The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to,… |
| CVE-2025-4339 | MEDIUM | 4.3 | 2025-05-13 | The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including,… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-13403 | MEDIUM | 4.3 | 2025-12-13 | The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization valida… |
| CVE-2026-3601 | MEDIUM | 4.3 | 2026-05-05 | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function … |
| CVE-2026-8976 | MEDIUM | 4.3 | 2026-06-06 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, … |
| CVE-2024-5053 | MEDIUM | 4.2 | 2024-09-01 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an ins… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
WordPress 5.1 is no longer safe for production websites. With 216 known vulnerabilities—including 15 critical flaws that could lead to complete site compromise—upgrading is not optional but essential. The good news is that updating takes just minutes and immediately closes the vast majority of these security holes.
Don't leave your website vulnerable to attacks. Use SiteRecipe.com to scan your WordPress installation for security vulnerabilities, outdated plugins, and misconfigurations. Our security experts can identify exactly which CVEs affect your site and provide step-by-step guidance to fix them. Start your free security audit today and protect your business from cyber threats.