295 matches found
PT-2026-3223
The DK PDF – WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary...
CVE-2025-13062
The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON fil...
CVE-2025-13062
The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON fil...
PT-2026-1744
Name of the Vulnerable Software and Affected Versions ConvertForce Popup Builder plugin for WordPress versions up to and including 0.0.7 Description The ConvertForce Popup Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting. The issue stems from inadequate input sanitizatio...
CVE-2024-39877
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a docmd parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to...
CVE-2026-0627
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes tags while allowing other XSS vectors such as event handlers onload,...
CVE-2025-14893 IndieWeb <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter
The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and...
CVE-2025-14984 Gutenverse Form <= 2.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the uploadmimes filter without implementing any...
CVE-2025-14984
CVE-2025-14984 : Gutenverse Form for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in all versions up to and including 2.3.2. The issue arises because the plugin framework adds SVG to allowed MIME types without sanitizing contents, enabling authenticated attackers with Au...
PT-2026-1763
Name of the Vulnerable Software and Affected Versions Gutenverse Form plugin for WordPress versions prior to 2.3.3 Description The Gutenverse Form plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG file uploads. The plugin’s framework component allows SVG files through...
CVE-2025-15158
The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpsefileandextwebp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload...
CVE-2025-13418 Responsive Pricing Table <= 5.1.12 - Authenticated (Author+) Stored Cross-Site Scripting
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'planicons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...
CVE-2025-13418 Responsive Pricing Table <= 5.1.12 - Authenticated (Author+) Stored Cross-Site Scripting
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'planicons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...
CVE-2025-13418
CVE-2025-13418 affects the WordPress plugin Responsive Pricing Table (versions
CVE-2024-2619
The Elementor Header & Footer Builder for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject...
CVE-2025-12067 Table Field Add-on for ACF and SCF <= 1.3.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table Cell Content
The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-14120
CVE-2025-14120 affects the URL Image Importer WordPress plugin and enables a Stored XSS via SVG uploads. Exploitation requires authenticated access at Author level or higher, affecting versions up to 1.0.7. Remediation: upgrade to version 1.0.7 (patched).
CVE-2025-14153 Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute
The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...
CVE-2025-14153 Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute
The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...
CVE-2025-13693
CVE-2025-13693 affects the Image Photo Gallery Final Tiles Grid plugin (WordPress) up to version 3.6.8. It is a Stored Cross-Site Scripting vulnerability via the plugin’s ‘Custom scripts’ setting caused by insufficient input sanitization and output escaping. The issue requires an attacker to have...