Lucene search
K

50 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/23 6:0 a.m.5 views

CVE-2026-8378

The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability...

5.4CVSS5.9AI score0.00133EPSS
Exploits0References1
NVD
NVD
added 2026/06/22 10:16 a.m.13 views

CVE-2026-12862

Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file...

5.1CVSS0.00226EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 6:0 a.m.30 views

CVE-2026-6858 Transbank Webpay < 1.14.0 - Unauthenticated Stored XSS

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator...

0.00164EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/09 9:28 a.m.8 views

CVE-2026-4058 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the usersubscriptioncancel function in all versions up to, and including, 4.3.2. Thi...

4.3CVSS5.5AI score0.00153EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:24 p.m.11 views

CVE-2026-8884

The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00217EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 12:34 p.m.10 views

CVE-2026-45551

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any userid via index.php?r=core/saveSetting. A separate client-side sink in the email module...

5.1CVSS5.9AI score0.0023EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/05/27 5:31 a.m.35 views

CVE-2026-8884 Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00217EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/18 12:0 a.m.13 views

WordPress plugin Ajax Load More 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

7.1CVSS5.7AI score0.00184EPSS
Exploits0References1
OSV
OSV
added 2026/04/01 10:6 p.m.6 views

GHSA-R33W-C82V-X5V7 CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Blogs Posts Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Categories Description The application fails to properly sanitize user-controlled input wh...

9.1CVSS6.2AI score0.00269EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/26 3:6 p.m.4 views

CVE-2026-22902

A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later...

8.4CVSS6.1AI score0.00455EPSS
Exploits0References1
CVE
CVE
added 2026/03/06 6:0 a.m.22 views

CVE-2026-1128

The CVE describes a CSRF vulnerability in the WP eCommerce WordPress plugin up to version 3.15.1, where no CSRF check is performed when deleting coupons. Root cause: absence of CSRF protection in the coupon deletion flow. Affected software: WordPress plugin WP eCommerce (versions ≤ 3.15.1). Impac...

4.3CVSS5.9AI score0.00098EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/02 2:39 p.m.5 views

CVE-2025-52482 Chamilo: Stored XSS in glossary function via /main/glossary/index.php trigger in /main/tracking/course_log_resources.php

Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30...

8.3CVSS5.9AI score0.00373EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/01/20 8:48 p.m.11 views

CVE-2026-21663

HackerOne community member Patrick Lang 7yr has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser a...

6.1CVSS0.00163EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/01/19 12:0 a.m.11 views

PT-2026-3517

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with...

5.4CVSS5.5AI score0.00188EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/01/13 12:0 a.m.5 views

e107 跨站脚本漏洞

e107 is an open source, free and PHP and MySQL based Content Management System CMS from the E107 team. The system supports a variety of plug-ins and appearance themes, and can be used as a personal blog, discussion community, archive repository and so on. A cross-site scripting vulnerability exis...

4.8CVSS5.7AI score0.00353EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.4 views

PT-2026-31885

Name of the Vulnerable Software and Affected Versions parisneo/lollms versions prior to 2.2.0 Description A Stored Cross-Site Scripting XSS vulnerability exists in the social feature of parisneo/lollms. The vulnerability is located in the create post function within backend/routers/social/ init...

9.6CVSS7.3AI score0.00405EPSS
Exploits1References14
Positive Technologies
Positive Technologies
added 2026/01/05 12:0 a.m.5 views

PT-2026-1314

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.420.7 Description Coolify is a self-hostable tool for managing servers, applications, and databases. A stored cross-site scripting XSS issue exists in the project creation workflow. An authenticated user wi...

9.4CVSS5.4AI score0.00474EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2025/12/30 7:23 p.m.5 views

CVE-2025-69210 FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting XSS vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These...

5.1CVSS5.8AI score0.00981EPSS
Exploits2References3
Positive Technologies
Positive Technologies
added 2025/12/30 12:0 a.m.5 views

PT-2025-53847

Name of the Vulnerable Software and Affected Versions Advance WP Query Search Filter WordPress plugin versions through 1.0.10 Description The software does not properly sanitize and escape a parameter before displaying it, potentially leading to a Reflected Cross-Site Scripting issue. This could ...

6.1CVSS5.8AI score0.00149EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2025/12/18 12:0 a.m.5 views

PT-2025-52215

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof add subscr" function due to missing validation on a user controlled key. This makes it possible for...

4.3CVSS5.8AI score0.003EPSS
Exploits0References4
Rows per page
Query Builder