99 matches found
CVE-2024-13400
The Kona Gallery Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Kona: Instagram for Gutenberg" Block, specifically in the "align" attribute, in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possib...
CVE-2024-11645
The float block WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-44261
Cross-Site Request Forgery CSRF vulnerability in Dinesh Karki Block Plugin Update plugin = 3.3 versions...
CVE-2023-45646
Auth. contributor+ Stored Cross-Site Scripting XSS vulnerability in Henryholtgeerts PDF Block plugin = 1.1.0 versions...
CVE-2021-43557
The uri-block plugin in Apache APISIX before 2.10.2 uses $requesturi without verification. The $requesturi is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains...
CVE-2021-24633
The Countdown Block WordPress plugin before 1.1.2 does not have authorisation in the ebwriteblockcss AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users...
CVE-2019-15536
The Acclaim block plugin before 2019-06-26 for Moodle allows SQL Injection via deleterecords...
CVE-2025-3782
The Cision Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...
CVE-2025-3782
The Cision Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...
CVE-2025-3782 Cision Block <= 4.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
The Cision Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...
CVE-2025-3782
The CVE-2025-3782 vulnerability affects the Cision Block WordPress plugin (all versions up to 4.3.0) and is a Stored Cross-Site Scripting flaw caused by insufficient input sanitization and output escaping on the id parameter. Exploitation requires authentication at Contributor level or higher and...
CVE-2025-3782 Cision Block <= 4.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
The Cision Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...
PT-2025-17373 · WordPress · Sb Chart Block Plugin
Name of the Vulnerable Software and Affected Versions: SB Chart block plugin for WordPress versions up to, and including, 1.2.6 Description: The issue is related to Stored Cross-Site Scripting via the className parameter due to insufficient input sanitization and output escaping. This allows...
CVE-2025-26871
Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Blocks for Gutenberg: from n/a through 4.8.3...
WordPress Timeline Block plugin <= 1.1.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Logan Cote Patchstack Alliance in WordPress Plugin Timeline Block versions = 1.1.1...
WordPress HTML5 Video Player – mp4 Video Player Plugin and Block plugin <= 2.5.35 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via heading Parameter vulnerability
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting via heading Parameter vulnerability discovered by Webbernaut in WordPress Plugin Flash & HTML5 Video versions = 2.5.35...
WordPress Button Block plugin <= 1.1.9 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Khalid Yusuf Patchstack Alliance in WordPress Plugin Button Block versions = 1.1.9...
CVE-2024-11645
The float block WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-11645
CVE-2024-11645 affects the WordPress plugin float block, version 1.7 and earlier, due to insufficient sanitisation/escaping of certain settings. This could allow high-privilege users (e.g., admins) to perform Stored XSS, including in multisite setups, with unfiltered_html disabled. Connected docu...
CVE-2024-11645 Float Block <= 1.7 - Admin+ Stored XSS via Widget
The float block WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...