15597 matches found
WordPress Core <6.5.2 - Cross-Site Scripting
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. id: CVE-2024-4439 info: name: WordPress Core 6.5.2 - Cross-Site Scripting author: nqdung2002 severity: hi...
CVE-2026-7640
The WP Customer Area plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the customer-area-protected-content shortcode in all versions up to, and including, 8.3.5. This is due to insufficient input sanitization and output escaping on the shortcode...
CVE-2026-11390
The News Kit Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2026-7640
The WP Customer Area WordPress plugin is vulnerable to Stored Cross-Site Scripting via the type attribute of the customer-area-protected-content shortcode in all versions up to 8.3.5, due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access...
EUVD-2026-43611
The News Kit Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2026-12536
The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-12385
CVE-2026-12385 affects the Smart Slider 3 WordPress plugin up to version 3.5.1.37. The issue is a Sensitive Information Exposure via the keyword parameter, enabling authenticated attackers with contributor-level access and above to extract titles and full content excerpts from private, draft, pen...
CVE-2026-12385 Smart Slider 3 <= 3.5.1.37 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via WP_Query Parameter Injection via 'keyword' Parameter
The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1.37 via the 'keyword' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles and full content...
CVE-2026-1359
The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolvesetOpt function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-leve...
EUVD-2026-43166
The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolvesetOpt function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-leve...
CVE-2026-1359 Genolve – AI image AI video generation <= 5.0.5 - Authenticated (Contributor+) Incorrect Authorization to Privilege Escalation via theopt
The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolvesetOpt function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-leve...
CVE-2026-15155
The CVE-2026-15155 entry concerns the WordPress plugin Essential Addons for Elementor (
EUVD-2026-43154
The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-6784 Code Engine <= 0.3.5 - Authenticated (Contributor+) Remote Code Execution
The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated...
CVE-2025-6784
CVE-2025-6784 affects the WordPress Code Engine plugin (versions up to 0.3.5). It allows Remote Code Execution via the 'code-engine' shortcode because access to the plugin’s code-injecting functionality is not restricted. Authenticated users with Contributor-level access and above can execute cod...
CVE-2026-15097
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'heightslider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-13116
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generatedocumentshortcode due to missing validation on a user controlled key. This makes it possible for authenticated...
CVE-2026-15096
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'bwidthmap' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...
CVE-2025-13968
The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the starboard-suite-lightbox shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it...
EUVD-2025-210454
The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the starboard-suite-lightbox shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it...