WordPress 5.1 is an older version of the world's most popular website platform, released in February 2019. If your website still runs this version, you're at significant risk: security researchers have identified 215 known vulnerabilities, including 15 critical flaws that could give attackers complete control of your site. These aren't theoretical threats—they're actively being exploited by cybercriminals targeting outdated WordPress installations.
The most dangerous vulnerabilities in WordPress 5.1 include authentication bypass flaws that let attackers log in without passwords, SQL injection attacks that expose your database, and privilege escalation exploits that give attackers admin access. With approximately 9,000 websites still running this vulnerable version, you may be at risk without even knowing it.
This guide will show you exactly how to identify if you're using WordPress 5.1, understand the specific threats you face, and take immediate action to protect your website and customer data.
WordPress is the software that powers over 43% of all websites on the internet. It's a content management system (CMS) that lets you build and manage websites without needing to write code, and it handles everything from blog posts to e-commerce stores, which makes it a high-value target for hackers. WordPress 5.1, released in February 2019, is an older version that many website owners continue using, either because they're unaware of security updates or because they haven't migrated their sites yet.
Just like your operating system (Windows, Mac, or Linux) needs regular updates to stay secure, WordPress requires consistent updates to patch newly discovered vulnerabilities. WordPress 5.1 is now five years old, meaning it predates many security discoveries and has been left without critical protective patches. Running outdated software is like leaving your front door unlocked—it's an open invitation to cybercriminals who know exactly which locks are broken.
215 CVEs found. The most critical are explained below.
The JoomSport plugin has a flaw that allows attackers to inject malicious code through a hidden data parameter. This vulnerability can be exploited without needing to log in to your WordPress site.
Impact: Attackers could take control of your website, steal sensitive data, or install malware that affects your visitors.
The Limit Login Attempts plugin fails to properly validate user input before using it in database queries. Attackers without login access can exploit this to manipulate your database directly.
Impact: Criminals could steal customer data, user credentials, or alter your website content and settings without authorization.
The Abandoned Cart Lite plugin uses weak encryption on recovery links, allowing attackers to forge valid links without a real password. This lets them access customer accounts they don't own.
Impact: Customer accounts could be compromised, leading to fraud, stolen payment information, or loss of trust in your store.
The UserPro plugin doesn't properly verify Facebook login details, allowing anyone to log in as any user without knowing their password. This completely bypasses your site's security.
Impact: Attackers can impersonate customers or administrators, access private information, and make unauthorized transactions or changes.
The UserPro plugin's password reset function lacks proper security checks, allowing attackers to reset any user's password without proper verification.
Impact: Any account on your site, including admin accounts, could be taken over by attackers who can then control your entire website.
The Fluent Forms plugin is missing a critical security check that allows regular users to access admin-only features through its API. Attackers can escalate their privileges without proper permissions.
Impact: Non-admin users or attackers could gain full administrative access to your website, allowing them to delete content, steal data, or lock you out.
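Two of the defect classes summarised above recur throughout the table that follows: request input used unescaped in a database query (the Limit Login Attempts summary) and an admin-only action reachable without an authorization check (the Fluent Forms summary). The block below is an added illustration written for this page, not code from any plugin or theme named here; it shows each defect in a hypothetical WordPress plugin's REST routes next to its hardened form. The `acme-demo/v1` namespace, the `acme_demo_entries` table and every `acme_*` function are invented for the example.

```php
<?php
/**
 * Added illustration (hypothetical plugin, not any plugin named on this page):
 * two defect classes from the summaries above, each beside its hardened form.
 * Assumed names: 'acme-demo/v1', the acme_demo_entries table, all acme_* functions.
 */

// --- Defect 1: request input interpolated into SQL ---

// Vulnerable: $request['ip'] lands unescaped in the query, so whoever can
// reach the route controls the SQL text. Shown for contrast; never registered below.
function acme_demo_count_attempts_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $ip  = $request['ip'];
    $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}acme_demo_entries WHERE ip = '$ip'";
    return rest_ensure_response( (int) $wpdb->get_var( $sql ) );
}

// Hardened: reject anything that is not an IP address, then let $wpdb->prepare()
// do the quoting so the value can never change the shape of the statement.
function acme_demo_count_attempts( WP_REST_Request $request ) {
    global $wpdb;
    $ip = $request->get_param( 'ip' );
    if ( ! is_string( $ip ) || filter_var( $ip, FILTER_VALIDATE_IP ) === false ) {
        return new WP_Error( 'rest_invalid_param', 'ip must be an IP address.', array( 'status' => 400 ) );
    }
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}acme_demo_entries WHERE ip = %s",
        $ip
    );
    return rest_ensure_response( (int) $wpdb->get_var( $sql ) );
}

// --- Defect 2: destructive admin action with no authorization check ---

function acme_demo_reset_entries( WP_REST_Request $request ) {
    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}acme_demo_entries" );
    return rest_ensure_response( array( 'deleted' => true ) );
}

// Vulnerable registration, shown for contrast and deliberately NOT passed to
// register_rest_route(): '__return_true' makes the route public, so any visitor,
// logged in or not, can wipe the table.
$acme_demo_insecure_route = array(
    'methods'             => WP_REST_Server::CREATABLE,
    'callback'            => 'acme_demo_reset_entries',
    'permission_callback' => '__return_true',
);

add_action( 'rest_api_init', function () {
    // Hardened: the permission callback demands a capability that only administrators
    // hold by default. For cookie-authenticated callers the REST API additionally
    // requires a valid X-WP-Nonce header, which is what defeats the CSRF variant.
    $require_admin = function () {
        return current_user_can( 'manage_options' );
    };

    register_rest_route( 'acme-demo/v1', '/reset', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'acme_demo_reset_entries',
        'permission_callback' => $require_admin,
    ) );

    register_rest_route( 'acme-demo/v1', '/attempts', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'acme_demo_count_attempts',
        'permission_callback' => $require_admin,
        // Declaring the argument lets the REST layer reject bad input before the
        // callback runs; the in-function check above is the second line of defence.
        'args'                => array(
            'ip' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && filter_var( $value, FILTER_VALIDATE_IP ) !== false;
                },
            ),
        ),
    ) );
} );
```

When reviewing a plugin, the two questions this example encodes are the ones to ask of every route and AJAX action: is any request value reaching `$wpdb` without passing through `$wpdb->prepare()`, and does the route's `permission_callback` actually test a capability rather than returning true. On WordPress 5.1, the version this page concerns, `register_rest_route()` accepts a route with no `permission_callback` at all and treats it as public; from WordPress 5.5 the omission raises a `_doing_it_wrong` notice, but the route is still exposed until a callback is supplied.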
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-11349 | CRITICAL | 9.8 | 2024-12-21 | The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's iden… |
| CVE-2024-11350 | CRITICAL | 9.8 | 2025-01-08 | The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly val… |
| CVE-2024-12857 | CRITICAL | 9.8 | 2025-01-22 | The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's iden… |
| CVE-2025-2470 | CRITICAL | 9.8 | 2025-04-25 | The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in all versions up to… |
| CVE-2025-6715 | CRITICAL | 9.8 | 2025-08-13 | The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and execute PHP files… |
| CVE-2026-1492 | CRITICAL | 9.8 | 2026-03-03 | The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable … |
| CVE-2026-6510 | CRITICAL | 9.8 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce v… |
| CVE-2026-5118 | CRITICAL | 9.8 | 2026-05-21 | The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'ro… |
| CVE-2026-6512 | CRITICAL | 9.1 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a … |
| CVE-2019-9787 | HIGH | 8.8 | 2019-03-14 | WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF pro… |
| CVE-2019-12826 | HIGH | 8.8 | 2019-07-01 | A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code v… |
| CVE-2017-18607 | HIGH | 8.8 | 2019-09-10 | The avada theme before 5.1.5 for WordPress has CSRF. |
| CVE-2021-24149 | HIGH | 8.8 | 2021-03-18 | Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action whe… |
| CVE-2021-24178 | HIGH | 8.8 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make… |
| CVE-2021-24179 | HIGH | 8.8 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make … |
| CVE-2021-34645 | HIGH | 8.8 | 2021-08-19 | The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin… |
| CVE-2022-2594 | HIGH | 8.8 | 2022-08-22 | The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a defa… |
| CVE-2023-0080 | HIGH | 8.8 | 2023-02-13 | The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to … |
| CVE-2023-1196 | HIGH | 8.8 | 2023-05-02 | The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of C… |
| CVE-2023-2440 | HIGH | 8.8 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', … |
| CVE-2023-2497 | HIGH | 8.8 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the '… |
| CVE-2023-6009 | HIGH | 8.8 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile'… |
| CVE-2025-4317 | HIGH | 8.8 | 2025-05-13 | The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and includi… |
| CVE-2025-7052 | HIGH | 8.8 | 2025-09-30 | The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_… |
| CVE-2026-6506 | HIGH | 8.8 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function mi… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2025-3529 | HIGH | 8.2 | 2025-04-23 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter. T… |
| CVE-2025-7038 | HIGH | 8.2 | 2025-09-30 | The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call A… |
| CVE-2025-3952 | HIGH | 8.1 | 2025-05-01 | The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capabi… |
| CVE-2025-8417 | HIGH | 8.1 | 2025-09-11 | The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessabl… |
| CVE-2026-1779 | HIGH | 8.1 | 2026-02-26 | The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in … |
| CVE-2026-4347 | HIGH | 8.1 | 2026-04-02 | The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_fi… |
| CVE-2026-5436 | HIGH | 8.1 | 2026-04-08 | The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parame… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2021-24146 | HIGH | 7.5 | 2021-03-18 | Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenti… |
| CVE-2021-24295 | HIGH | 7.5 | 2021-05-17 | It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4.… |
| CVE-2023-6113 | HIGH | 7.5 | 2024-01-01 | The WP STAGING WordPress Backup Plugin before 3.1.3 and WP STAGING Pro WordPress Backup Plugin before 5.1.3 do not prevent visitors from leaking key information about ongoing back… |
| CVE-2024-2782 | HIGH | 7.5 | 2024-05-18 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing … |
| CVE-2024-4157 | HIGH | 7.5 | 2024-05-22 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and inc… |
| CVE-2025-3530 | HIGH | 7.5 | 2025-04-23 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involv… |
| CVE-2025-13457 | HIGH | 7.5 | 2026-01-10 | The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to … |
| CVE-2026-3124 | HIGH | 7.5 | 2026-03-30 | The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to mi… |
| CVE-2026-6514 | HIGH | 7.5 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.1.2 via the popup_submit. This makes it possible for unauthent… |
| CVE-2023-6007 | HIGH | 7.3 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all ve… |
| CVE-2021-24131 | HIGH | 7.2 | 2021-03-18 | Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, lead to multiple authenticated SQL injection vulnerabilities, however, it requires high pr… |
| CVE-2021-24145 | HIGH | 7.2 | 2021-03-18 | Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by ad… |
| CVE-2021-24248 | HIGH | 7.2 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 did not properly check for imported files, forbidding certain extension via a… |
| CVE-2022-3302 | HIGH | 7.2 | 2022-10-25 | The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.185.1 does not validate ids before using them in a SQL statement, which could lead to SQL injection … |
| CVE-2019-25152 | HIGH | 7.2 | 2023-06-22 | The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versi… |
| CVE-2024-2020 | HIGH | 7.2 | 2024-03-13 | The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to i… |
| CVE-2024-3600 | HIGH | 7.2 | 2024-04-19 | The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start A… |
| CVE-2024-4870 | HIGH | 7.2 | 2024-06-04 | The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the … |
| CVE-2022-1206 | HIGH | 7.2 | 2024-08-20 | The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrota… |
| CVE-2025-14675 | HIGH | 7.2 | 2026-03-07 | The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and i… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2022-41791 | MEDIUM | 6.8 | 2022-11-17 | Auth. (subscriber+) CSV Injection vulnerability in ProfileGrid plugin <= 5.1.6 on WordPress. |
| CVE-2021-24249 | MEDIUM | 6.5 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to mak… |
| CVE-2022-1610 | MEDIUM | 6.5 | 2022-06-20 | The Seamless Donations WordPress plugin before 5.1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change the… |
| CVE-2022-1829 | MEDIUM | 6.5 | 2022-06-20 | The Inline Google Maps WordPress plugin through 5.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change the… |
| CVE-2023-0890 | MEDIUM | 6.5 | 2023-03-20 | The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be a… |
| CVE-2023-0911 | MEDIUM | 6.5 | 2023-03-20 | The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not validate the user meta to be retrieved via the user shortcode, allowing any authentic… |
| CVE-2023-2446 | MEDIUM | 6.5 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient … |
| CVE-2023-2448 | MEDIUM | 6.5 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and… |
| CVE-2024-1285 | MEDIUM | 6.5 | 2024-03-05 | The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on th… |
| CVE-2024-1381 | MEDIUM | 6.5 | 2024-03-05 | The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.… |
| CVE-2024-9657 | MEDIUM | 6.5 | 2024-11-05 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-12421 | MEDIUM | 6.5 | 2024-12-13 | The The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.16.7.1. Th… |
| CVE-2025-0954 | MEDIUM | 6.5 | 2025-03-05 | The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions… |
| CVE-2024-13557 | MEDIUM | 6.5 | 2025-03-29 | The Shortcodes by United Themes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.1.6. This is due to the software allowi… |
| CVE-2025-3874 | MEDIUM | 6.5 | 2025-05-01 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization … |
| CVE-2025-9260 | MEDIUM | 6.5 | 2025-09-03 | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 v… |
| CVE-2026-1865 | MEDIUM | 6.5 | 2026-04-08 | The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vu… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-6225 | MEDIUM | 6.4 | 2023-11-28 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_meta shortcode combined with post meta data in… |
| CVE-2023-2439 | MEDIUM | 6.4 | 2024-01-31 | The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userpro' shortcode in versions up to, and including, 5.1.5 due to insufficient input sanitiz… |
| CVE-2024-1073 | MEDIUM | 6.4 | 2024-02-02 | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filter_array' parameter in all versions up to, and including, 5.1.3 due to insuff… |
| CVE-2024-4386 | MEDIUM | 6.4 | 2024-05-14 | The Gallery Block (Meow Gallery) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data_atts’ parameter in versions up to, and including, 5.1.3 due to in… |
| CVE-2024-2772 | MEDIUM | 6.4 | 2024-05-18 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in al… |
| CVE-2024-4709 | MEDIUM | 6.4 | 2024-05-18 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ param… |
| CVE-2024-10310 | MEDIUM | 6.4 | 2024-11-02 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-11228 | MEDIUM | 6.4 | 2024-11-23 | The 워드프레스 결제 심플페이 – 우커머스 결제 플러그인 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pafw_instant_payment shortcode in all versions up to, and inclu… |
| CVE-2024-9058 | MEDIUM | 6.4 | 2024-12-03 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-12697 | MEDIUM | 6.4 | 2024-12-21 | The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.1 due to insufficient input sanitization and output escapi… |
| CVE-2024-12851 | MEDIUM | 6.4 | 2025-01-08 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via… |
| CVE-2024-13464 | MEDIUM | 6.4 | 2025-02-18 | The Library Bookshelves plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bookshelf' shortcode in all versions up to, and including, 5.10 due to … |
| CVE-2025-1457 | MEDIUM | 6.4 | 2025-04-19 | The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Wrapper Li… |
| CVE-2025-1458 | MEDIUM | 6.4 | 2025-04-26 | The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget… |
| CVE-2025-3890 | MEDIUM | 6.4 | 2025-05-01 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_cart_button' shortcode in all versions up to, and includi… |
| CVE-2025-5292 | MEDIUM | 6.4 | 2025-05-31 | The Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder plugin for WordPress is vulnerable to Stored Cross-Site… |
| CVE-2025-6941 | MEDIUM | 6.4 | 2025-09-30 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'latepoint_reso… |
| CVE-2025-12090 | MEDIUM | 6.4 | 2025-11-01 | The Employee Spotlight – Team Member Showcase & Meet the Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social URLs in all versions up to, and i… |
| CVE-2025-13418 | MEDIUM | 6.4 | 2026-01-07 | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to i… |
| CVE-2025-15058 | MEDIUM | 6.4 | 2026-01-07 | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due … |
| CVE-2025-13535 | MEDIUM | 6.4 | 2026-04-01 | The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and includin… |
| CVE-2026-4300 | MEDIUM | 6.4 | 2026-04-08 | The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a c… |
| CVE-2023-6008 | MEDIUM | 6.3 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multi… |
| CVE-2014-4932 | MEDIUM | 6.1 | 2018-08-28 | Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val par… |
| CVE-2019-11869 | MEDIUM | 6.1 | 2019-05-09 | The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only veri… |
| CVE-2019-14949 | MEDIUM | 6.1 | 2019-08-12 | The wp-database-backup plugin before 5.1.2 for WordPress has XSS. |
| CVE-2012-6716 | MEDIUM | 6.1 | 2019-08-22 | The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links. |
| CVE-2015-9378 | MEDIUM | 6.1 | 2019-08-28 | iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via add_query_arg() and remove_query_arg(). |
| CVE-2017-18606 | MEDIUM | 6.1 | 2019-09-10 | The avada theme before 5.1.5 for WordPress has stored XSS. |
| CVE-2019-17515 | MEDIUM | 6.1 | 2019-11-13 | The CleanTalk cleantalk-spam-protect plugin before 5.127.4 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML an… |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2021-24973 | MEDIUM | 6.1 | 2022-01-03 | The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authen… |
| CVE-2022-28221 | MEDIUM | 6.1 | 2022-04-19 | The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in`/lib/Cleantalk/ApbctWP/FindSpam/L… |
| CVE-2022-28222 | MEDIUM | 6.1 | 2022-04-19 | The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in`/lib/Cleantalk/ApbctWP/FindSpam/L… |
| CVE-2022-1933 | MEDIUM | 6.1 | 2022-07-17 | The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and a… |
| CVE-2022-41136 | MEDIUM | 6.1 | 2022-11-08 | Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Vladimir Anokhin's Shortcodes Ultimate plugin <= 5.12.0 on WordPress. |
| CVE-2022-3578 | MEDIUM | 6.1 | 2022-11-14 | The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting |
| CVE-2023-2568 | MEDIUM | 6.1 | 2023-06-12 | The Photo Gallery by Ays WordPress plugin before 5.1.7 does not escape some parameters before outputting it back in attributes, leading to Reflected Cross-Site Scripting which cou… |
| CVE-2023-2447 | MEDIUM | 6.1 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the '… |
| CVE-2023-2438 | MEDIUM | 6.1 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the '… |
| CVE-2023-6956 | MEDIUM | 6.1 | 2024-06-06 | The EasyAzon – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘easyazon-cloaking-locale’ parameter in all versions… |
| CVE-2024-6339 | MEDIUM | 6.1 | 2024-08-21 | The Phlox PRO theme for WordPress is vulnerable to Reflected Cross-Site Scripting via search parameters in all versions up to, and including, 5.16.4 due to insufficient input sani… |
| CVE-2024-11032 | MEDIUM | 6.1 | 2024-11-26 | The Parsi Date plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, … |
| CVE-2026-26370 | MEDIUM | 6.1 | 2026-02-20 | WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in… |
| CVE-2026-6203 | MEDIUM | 6.1 | 2026-04-13 | The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-suppli… |
| CVE-2026-3355 | MEDIUM | 6.1 | 2026-04-16 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, 5.101.… |
| CVE-2025-4187 | MEDIUM | 5.9 | 2025-06-14 | The UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fb… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2025-11467 | MEDIUM | 5.8 | 2025-12-11 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all ver… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2024-13505 | MEDIUM | 5.5 | 2025-01-26 | The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ays_sections[5][questions][8][title]’ parameter in all versions up to, and including, 5… |
| CVE-2025-6815 | MEDIUM | 5.5 | 2025-09-30 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘service[name]’ parameter in all vers… |
| CVE-2020-9459 | MEDIUM | 5.4 | 2020-02-28 | Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allows remote authenticated users (with min… |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2020-15038 | MEDIUM | 5.4 | 2020-06-24 | The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS. |
| CVE-2021-24147 | MEDIUM | 5.4 | 2021-03-18 | Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) w… |
| CVE-2021-24250 | MEDIUM | 5.4 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from lack of sanitisation in the label of the Form Fields, leading t… |
| CVE-2021-24603 | MEDIUM | 5.4 | 2021-09-06 | The Site Reviews WordPress plugin before 5.13.1 does not sanitise some of its Review Details when adding a review as an admin, which could allow them to perform Cross-Site Scripti… |
| CVE-2021-24525 | MEDIUM | 5.4 | 2021-09-20 | The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its … |
| CVE-2021-36850 | MEDIUM | 5.4 | 2021-10-04 | Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "l… |
| CVE-2022-38086 | MEDIUM | 5.4 | 2022-10-11 | Cross-Site Request Forgery (CSRF) vulnerability in Shortcodes Ultimate plugin <= 5.12.0 at WordPress leading to plugin preset settings change. |
| CVE-2023-0364 | MEDIUM | 5.4 | 2023-03-20 | The real.Kit WordPress plugin before 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, w… |
| CVE-2023-0369 | MEDIUM | 5.4 | 2023-03-20 | The GoToWP WordPress plugin through 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, wh… |
| CVE-2023-0079 | MEDIUM | 5.4 | 2024-01-16 | The Customer Reviews for WooCommerce WordPress plugin before 5.17.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where … |
| CVE-2024-1333 | MEDIUM | 5.4 | 2024-03-18 | The Responsive Pricing Table WordPress plugin before 5.1.11 does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the rel… |
| CVE-2024-9868 | MEDIUM | 5.4 | 2024-11-02 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-9867 | MEDIUM | 5.4 | 2024-11-05 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-10493 | MEDIUM | 5.4 | 2024-11-28 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of its… |
| CVE-2024-10980 | MEDIUM | 5.4 | 2024-11-29 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of i… |
| CVE-2026-4056 | MEDIUM | 5.4 | 2026-03-24 | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API e… |
| CVE-2026-4401 | MEDIUM | 5.4 | 2026-04-08 | The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.… |
| CVE-2021-39327 | MEDIUM | 5.3 | 2021-09-17 | The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which… |
| CVE-2022-4346 | MEDIUM | 5.3 | 2023-01-23 | The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email address. |
| CVE-2023-5845 | MEDIUM | 5.3 | 2023-11-27 | The Simple Social Media Share Buttons WordPress plugin before 5.1.1 leaks password-protected post content to unauthenticated visitors in some meta tags |
| CVE-2024-0701 | MEDIUM | 5.3 | 2024-02-05 | The UserPro plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 5.1.6. This is due to the use of client-side restrictions to enforc… |
| CVE-2024-3601 | MEDIUM | 5.3 | 2024-05-02 | The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author funct… |
| CVE-2024-6557 | MEDIUM | 5.3 | 2024-07-16 | The SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher plugin for WordPress is vulnerable to Full Path… |
| CVE-2024-13457 | MEDIUM | 5.3 | 2025-01-30 | The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id paramete… |
| CVE-2025-1402 | MEDIUM | 5.3 | 2025-02-21 | The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all ve… |
| CVE-2025-3889 | MEDIUM | 5.3 | 2025-05-01 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data… |
| CVE-2025-3769 | MEDIUM | 5.3 | 2025-05-14 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.… |
| CVE-2025-10008 | MEDIUM | 5.3 | 2025-10-30 | The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' funct… |
| CVE-2025-12892 | MEDIUM | 5.3 | 2025-11-13 | The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versio… |
| CVE-2025-12891 | MEDIUM | 5.3 | 2025-11-13 | The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions… |
| CVE-2025-12876 | MEDIUM | 5.3 | 2025-12-05 | The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJA… |
| CVE-2026-0939 | MEDIUM | 5.3 | 2026-01-16 | The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and incl… |
| CVE-2026-0942 | MEDIUM | 5.3 | 2026-01-16 | The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the… |
| CVE-2026-1219 | MEDIUM | 5.3 | 2026-02-19 | The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_… |
| CVE-2026-2356 | MEDIUM | 5.3 | 2026-02-26 | The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions … |
| CVE-2026-3460 | MEDIUM | 5.3 | 2026-03-21 | The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callb… |
| CVE-2026-2696 | MEDIUM | 5.3 | 2026-04-01 | The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. The… |
| CVE-2026-4664 | MEDIUM | 5.3 | 2026-04-10 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_p… |
| CVE-2026-6145 | MEDIUM | 5.3 | 2026-05-14 | The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_pr… |
| CVE-2026-6206 | MEDIUM | 5.3 | 2026-05-14 | The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to… |
| CVE-2026-7651 | MEDIUM | 5.3 | 2026-05-28 | The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vu… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2025-11128 | MEDIUM | 5.0 | 2025-10-23 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions … |
| CVE-2026-1249 | MEDIUM | 5.0 | 2026-02-14 | The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyric… |
| CVE-2023-0156 | MEDIUM | 4.9 | 2023-04-10 | The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it's settings pages, allowing an authorized user (admin+) to view the cont… |
| CVE-2023-3814 | MEDIUM | 4.9 | 2023-09-04 | The Advanced File Manager WordPress plugin before 5.1.1 does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary fi… |
| CVE-2023-6957 | MEDIUM | 4.9 | 2024-03-13 | The Fluent Forms plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insuffic… |
| CVE-2024-6703 | MEDIUM | 4.9 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ a… |
| CVE-2024-9528 | MEDIUM | 4.9 | 2024-10-05 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields i… |
| CVE-2021-24622 | MEDIUM | 4.8 | 2021-10-18 | The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow hi… |
| CVE-2022-1568 | MEDIUM | 4.8 | 2022-05-30 | The Team Members WordPress plugin before 5.1.1 does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting atta… |
| CVE-2023-0157 | MEDIUM | 4.8 | 2023-04-10 | The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (a… |
| CVE-2023-4810 | MEDIUM | 4.8 | 2023-11-06 | The Responsive Pricing Table WordPress plugin before 5.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Store… |
| CVE-2024-3921 | MEDIUM | 4.8 | 2024-05-29 | The Gianism WordPress plugin through 5.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scr… |
| CVE-2025-1485 | MEDIUM | 4.8 | 2025-06-02 | The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin before 5.1.6, real-cookie-banner-pro WordPress plugin before 5.1.6 does not sanitise and escape some of its… |
| CVE-2021-36895 | MEDIUM | 4.7 | 2022-04-26 | Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload. |
| CVE-2024-0618 | MEDIUM | 4.4 | 2024-01-27 | The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form tit… |
| CVE-2024-6518 | MEDIUM | 4.4 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via input fields in all… |
| CVE-2024-6520 | MEDIUM | 4.4 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom error messag… |
| CVE-2024-6521 | MEDIUM | 4.4 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dropdown fields in … |
| CVE-2014-4664 | MEDIUM | 4.3 | 2014-11-06 | Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the whoisva… |
| CVE-2014-9174 | MEDIUM | 4.3 | 2014-12-02 | Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbi… |
| CVE-2021-24251 | MEDIUM | 4.3 | 2021-05-06 | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to mak… |
| CVE-2020-36699 | MEDIUM | 4.3 | 2023-06-07 | The Quick Page/Post Redirect Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the qppr_save_quick_redirect_ajax and qppr_delete_quick… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2023-6226 | MEDIUM | 4.3 | 2023-11-28 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta … |
| CVE-2024-37218 | MEDIUM | 4.3 | 2024-11-01 | Missing Authorization vulnerability in WordPress Page Builder Sandwich Team Page Builder Sandwich – Front-End Page Builder allows Exploiting Incorrectly Configured Access Control … |
| CVE-2024-12329 | MEDIUM | 4.3 | 2024-12-12 | The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, an… |
| CVE-2024-11852 | MEDIUM | 4.3 | 2024-12-22 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to unauthorized access of data due… |
| CVE-2024-12855 | MEDIUM | 4.3 | 2025-01-08 | The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions like 'sb_remove_ad' in all versions u… |
| CVE-2024-13415 | MEDIUM | 4.3 | 2025-01-31 | The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() fun… |
| CVE-2025-3284 | MEDIUM | 4.3 | 2025-04-19 | The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to,… |
| CVE-2025-4339 | MEDIUM | 4.3 | 2025-05-13 | The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including,… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-13403 | MEDIUM | 4.3 | 2025-12-13 | The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization valida… |
| CVE-2026-3601 | MEDIUM | 4.3 | 2026-05-05 | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function … |
| CVE-2024-5053 | MEDIUM | 4.2 | 2024-09-01 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an ins… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
WordPress 5.1 exposes your website to 215 known security vulnerabilities, with 15 critical flaws that could result in complete compromise of your site, theft of customer data, or malware infections. The good news is that upgrading to a current version is straightforward and takes less than an hour. Every day you delay puts your business, your customers' information, and your reputation at risk.
Don't leave your website vulnerable to the hackers actively exploiting these flaws right now. Use SiteRecipe.com's security scanning tools to identify all vulnerabilities on your site, get step-by-step upgrade guidance tailored to your specific setup, and monitor your WordPress security continuously. Our platform makes it easy to stay protected so you can focus on growing your business instead of worrying about cyber attacks. Start your free security scan today at SiteRecipe.com.