CVE-2026-35031
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint POST /Videos/itemId/Subtitles, where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. Th...
CVE-2026-4169
A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function Fxmlexportusers of the file admin/code/tcexmlusers.php of the component XML Export. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. There are stil...
CVE-2026-3352
The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the updatewpmemoryconstants method. This is due to insufficient input validation on the wpmemorylimit and wpmaxmemorylimit settings before writing them to wp-config.php...
CVE-2026-24743 InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Upload Invoice Logo function of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg file...
CVE-2026-24746 InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes function of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at th...
CVE-2026-1399
The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
WMI Event Subscription Process Persistence
This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter that triggers the payload when the specified process is started. Additionally a custom command can be specified to run once the trigger is activated using the advanced option...
WordPress Quiz Maker plugin < 6.7.0.89 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Bakir Tuči in WordPress Plugin Quiz Maker versions < 6.7.0.89...
CVE-2025-14888 Simple User Meta Editor <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via User Meta Value Field
The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
WordPress Email Customizer for WooCommerce | Drag and Drop Email Templates Builder plugin <= 2.6.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Email Template Content vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Email Template Content vulnerability discovered by fallenofalbaz in WordPress Plugin Email Customizer for WooCommerce versions <= 2.6.7...
WordPress FlexTable Google Sheets Connector plugin < 3.19.2 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Nguyễn Phước Thiện in WordPress Plugin FlexTable versions < 3.19.2...
WordPress Cooked plugin <= 1.11.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by ch1mk in WordPress Plugin Cooked versions <= 1.11.3...
WordPress Locatoraid Store Locator plugin <= 3.9.67 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Zeeshan Haider in WordPress Plugin Locatoraid Store Locator versions <= 3.9.67...
WordPress Gift Hunt plugin <= 2.0.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by LIM MINHYOEK in WordPress Plugin Gift Hunt versions <= 2.0.2...
EUVD-2025-203231
The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...
WordPress TWW Protein Calculator plugin <= 1.0.24 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Header' Setting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'Header' Setting vulnerability discovered by ChamlaVic in WordPress Plugin TWW Protein Calculator versions <= 1.0.24...
WordPress Trail Manager plugin <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by ChamlaVic in WordPress Plugin Trail Manager versions <= 1.0.0...
CVE-2025-12483
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...
WordPress Academy LMS plugin <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection via 'import_all_courses' vulnerability
Authenticated (Administrator+) PHP Object Injection via 'import_all_courses' vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin Academy LMS versions <= 3.3.8...
WordPress HTML Forms plugin <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin HTML Forms versions <= 1.5.5...