Wordpress
This hub aggregates every CVE we track for Wordpress, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.
- 376 CVEs tracked
- 29 Critical
- 79 High
- 1 in CISA KEV
Severity distribution: Medium 249, High 79, Critical 29, Low 19
Monthly trend, 2024-07 to 2026-06 (one count per month, in order): 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 2, 0, 0, 0, 0, 0, 1, 0, 0, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Wordpress.
- CVE-2026-3906: WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API (score 4.3)
- CVE-2025-58674: WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability (score 5.9)
- CVE-2025-58246: WordPress <= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability (score 4.3)
- CVE-2025-54352: WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior. (score 3.7)
- CVE-2025-31408: WordPress Zoho Flow plugin <= 2.13.3 - Broken Access Control vulnerability (score 4.3)
- CVE-2022-4973: WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function (score 4.9)
- CVE-2024-32111: WordPress core < 6.5.5 - Auth. Arbitrary .html File Read (Windows Only) vulnerability (score 5.0)
- CVE-2024-31111: WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability (score 6.5)
- CVE-2024-6307: WordPress Core < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API (score 6.4)
- CVE-2024-3820: wpDataTables - Tables & Table Charts (Premium) <= 6.3.1 - Unauthenticated SQL Injection (score 10.0)
- CVE-2024-4439: WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This ... (score 7.2)
- CVE-2023-7046: WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, SSL Score <= 7.0 - Sensitive Information Exposure via insufficiently protected files (score 7.5)
- CVE-2023-5692: WordPress Core <= 6.4.3 - Sensitive Information Exposure via redirect_guess_404_permalink (score 5.3)
- CVE-2024-31211: Remote Code Execution in `WP_HTML_Token` (score 5.5)
- CVE-2024-31210: PHP file upload bypass via Plugin installer (score 7.6)
Product normalization is registry-driven with AI assist and human review.