WordPress vulnerabilities (plugin list here), source: NIST CVEs


  1. CVE-2025-14442 -- 2025-12-12T12:15:46.377
    Awaiting Analysis
      The Secure Copy Content Protection and Content Locking Plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions up to, and including, 4.9.2.
      - This makes it possible for unauthenticated attackers to access sensitive user data including emails, IP addresses, usernames, roles, and location data by directly accessing the exported CSV file.


  2. CVE-2025-14159 -- 2025-12-12T12:15:46.220
    Awaiting Analysis
      The Secure Copy Content Protection and Content Locking Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2.
      - This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action.
      - This makes it possible for unauthenticated attackers to export sensitive Plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
      - The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated.


  3. CVE-2025-14065 -- 2025-12-12T12:15:46.057
    Awaiting Analysis
      The Simple Bike Rental Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6.
      - This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers.


  4. CVE-2025-14030 -- 2025-12-12T12:15:45.897
    Awaiting Analysis
      The AI Feeds Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping.
      - This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


  5. CVE-2025-12965 -- 2025-12-12T12:15:45.740
    Awaiting Analysis
      The Magical Posts Display Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag names.
      - This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


  6. CVE-2025-12408 -- 2025-12-12T12:15:45.587
    Awaiting Analysis
      The Events Manager – Calendar, Bookings, Tickets, and more! Plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included.
      - This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to.


  7. CVE-2025-12407 -- 2025-12-12T12:15:44.577
    Awaiting Analysis
      The Events Manager – Calendar, Bookings, Tickets, and more! Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2.
      - This is due to missing or incorrect nonce validation on the 'location_delete' action.
      - This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


  8. CVE-2025-12841 -- 2025-12-12T11:15:51.250
    Awaiting Analysis
      The Bookit WordPress Plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the Plugins Stripe payment options.


  9. CVE-2025-12835 -- 2025-12-12T11:15:50.150
    Awaiting Analysis
      The WooMulti WordPress Plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated user, such as a subscriber, to delete arbitrary files on the server.


  10. CVE-2025-14074 -- 2025-12-12T10:15:48.703
    Awaiting Analysis
      The PDF for Contact Form 7 + Drag and Drop Template Builder Plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3.
      - This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones.


  11. CVE-2025-13993 -- 2025-12-12T10:15:48.540
    Awaiting Analysis
      The MailerLite – Signup forms (official) Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_description' and 'success_message' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping.
      - This makes it possible for authenticated attackers, with administrator access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


  12. CVE-2025-12348 -- 2025-12-12T10:15:48.343
    Awaiting Analysis
      The Icegram Express - email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10.
      - This is due to the Plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function.
      - This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.


  13. CVE-2025-12960 -- 2025-12-12T09:15:49.627
    Awaiting Analysis
      The Simple CSV Table Plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode.
      - This is due to insufficient path validation before concatenating user-supplied input to a base directory path.
      - This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.


  14. CVE-2025-4970 -- 2025-12-12T08:15:48.027
    Awaiting Analysis
      The BSK PDF Manager Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping.
      - This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
      - This only affects multi-site installations and installations where unfiltered_html has been disabled.


  15. CVE-2025-14169 -- 2025-12-12T08:15:47.830
    Awaiting Analysis
      The FunnelKit - Funnel Builder for WooCommerce Checkout Plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
      - This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


  16. CVE-2025-14049 -- 2025-12-12T08:15:47.663
    Awaiting Analysis
      The VikRentItems Flexible Rental Management System Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping.
      - This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


  17. CVE-2025-13891 -- 2025-12-12T08:15:47.487
    Awaiting Analysis
      The Image Gallery – Photo Grid & Video Gallery Plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3.
      - This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions.
      - While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories.
      - This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint.


  18. CVE-2025-11876 -- 2025-12-12T08:15:47.297
    Awaiting Analysis
      The Mailgun Subscriptions Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Plugin's 'mailgun_subscription_form' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes.
      - This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


  19. CVE-2025-10583 -- 2025-12-12T08:15:47.103
    Awaiting Analysis
      The WP Fastest Cache Plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action.
      - This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.


  20. CVE-2025-14356 -- 2025-12-12T07:15:44.733
    Awaiting Analysis
      The Ultra Addons for Contact Form 7 Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33.
      - This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and get form submission PDF, when the "PDF Generator" and the "Database" addons are enabled (disabled by default).


  21. CVE-2025-14068 -- 2025-12-12T07:15:44.557
    Awaiting Analysis
      The WPNakama Plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 0.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
      - This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


  22. CVE-2025-13660 -- 2025-12-12T07:15:44.373
    Awaiting Analysis
      The Guest Support Plugin for WordPress is vulnerable to User email Disclosure in versions up to, and including, 1.2.3.
      - This is due to the Plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks.
      - This makes it possible for unauthenticated attackers to enumerate user accounts and extract email addresses via the guest_support_handler=ajax endpoint with the request=get_users parameter.


  23. CVE-2025-12655 -- 2025-12-12T07:15:44.180
    Awaiting Analysis
      The Hippoo Mobile App for WooCommerce Plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1.
      - This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access.
      - This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.


  24. CVE-2025-12570 -- 2025-12-12T07:15:42.980
    Awaiting Analysis
      The Fancy Product Designer Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files.
      - This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.


  25. CVE-2025-10684 -- 2025-12-12T06:15:40.063
    Awaiting Analysis
      The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary .


  26. CVE-2025-14467 -- 2025-12-12T04:15:50.450
    Awaiting Analysis
      The WP Job Portal Plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9.
      - This is due to the Plugin explicitly whitelisting the `