CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

1183642 matches found

CVE-2026-12399

The Gutenverse WordPress plugin (Blocks, Page Builder & Site Editor) is affected by a Stored Cross-Site Scripting vulnerability up to version 3.8.0. The issue arises from insufficient input sanitization and output escaping in admin settings, allowing authenticated users with editor-level permissi...

4.4CVSS5.9AI score0.00246EPSS

Exploits0References12

EUVD•added yesterday•6 views

EUVD-2026-39959

The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

4.4CVSS5.9AI score0.00246EPSS

Exploits0References12

CVE•added yesterday•7 views

CVE-2026-11597

The CVE concerns the WordPress plugin “Surbma | Infusionsoft Shortcode” for versions up to 2.0.1. It enables Stored Cross-Site Scripting via the infusionsoft-form shortcode by unsafely handling user-supplied account and id attributes in surbma_infusionsoft_shortcode_shortcode(), which are concate...

6.4CVSS5.9AI score0.00193EPSS

Exploits0References5

EUVD•added yesterday•6 views

EUVD-2026-39956

The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode...

6.4CVSS5.9AI score0.00193EPSS

Exploits0References5

EUVD•added yesterday•7 views

EUVD-2026-39955

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panelsdata Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS6AI score0.00241EPSS

Exploits0References10

CVE•added yesterday•10 views

CVE-2026-13295

The CVE-2026-13295 entry concerns the Page Builder by SiteOrigin WordPress plugin. A stored XSS vulnerability affects all versions up to 2.34.3, caused by insufficient input sanitization and output escaping of the panels_data parameter. Authenticated users with Contributor-level access and above ...

6.4CVSS6AI score0.00241EPSS

Exploits0References10

CVE•added yesterday•8 views

CVE-2026-11783

The CVE concerns the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution for WordPress. A Stored XSS flaw exists in all versions up to 5.0.4 due to insufficient input sanitization and output escaping of the Product SKU, enabling an authenticated attacker with custom-level access or hig...

6.4CVSS5.8AI score0.0022EPSS

Exploits0References8

EUVD•added yesterday•8 views

EUVD-2026-39950

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping. This mak...

6.4CVSS5.8AI score0.0022EPSS

Exploits0References8

CVE•added yesterday•12 views

CVE-2026-9677

The CVE-2026-9677 entry concerns the Shariff for WordPress plugin (up to v1.0.11). The vulnerability arises because the shariff_infourl setting is not sanitized or escaped before being output in frontend HTML via the generateshariff() function. This can enable Stored Cross-Site Scripting by high-...

5.8AI score0.00153EPSS

Exploits0References1

EUVD•added yesterday•6 views

EUVD-2026-39947

The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariffinfourl setting before outputting it in the frontend HTML via the generateshariff function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting...

5.8AI score0.00153EPSS

Exploits0References1

CVE•added yesterday•10 views

CVE-2026-13245

The CVE-2026-13245 entry concerns the WordPress plugin MaxButtons – Create buttons, vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to 9.8.5. The root cause is insufficient input sanitization and output escaping, enabling unauthenticated attackers to injec...

6.1CVSS5.9AI score0.00211EPSS

Exploits0References4

EUVD•added yesterday•7 views

EUVD-2026-39944

The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS5.9AI score0.00211EPSS

Exploits0References4

Nuclei•added yesterday•154 views

PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting

PKP Open Journal Systems 2.4.8 to 3.3 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header. id: CVE-2022-24181 info: name: PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting author: lucasljm2001,ekrause severit...

6.1CVSS6.5AI score0.0608EPSS

Exploits3References5

Nuclei•added yesterday•31 views

ServiceNow - Cross-Site Scripting

ServiceNow through San Diego Patch 4b and Patch 6 contains a cross-site scripting vulnerability in the logout functionality, which can enable an unauthenticated remote attacker to execute arbitrary JavaScript. id: CVE-2022-38463 info: name: ServiceNow - Cross-Site Scripting author: amanrawat...

6.1CVSS6.5AI score0.02258EPSS

Exploits0References5

Nuclei•added yesterday•7 views

Heimdall Application Dashboard < 2.7.3 - Reflected XSS

LinuxServer.io Heimdall 2.7.3 contains a stored XSS caused by improper sanitization of the "q" parameter, letting remote attackers execute scripts, exploit requires crafted input. id: CVE-2025-54597 info: name: Heimdall Application Dashboard 2.7.3 - Reflected XSS author: 0xAkoko severity: medium...

7.2CVSS5.9AI score0.00565EPSS

Exploits0References3

Nuclei•added yesterday•5 views

WordPress Competition Form Plugin <= 2.0 - Cross-Site Scripting

Competition Form WordPress plugin = 2.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires victim to visit a...

7.1CVSS7.2AI score0.00566EPSS

Exploits1References2

Nuclei•added yesterday•16 views

Spotweb <= 1.5.1 - Cross Site Scripting

Cross-site scripting XSS vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the mail parameter. id: CVE-2021-40972 info: name: Spotweb = 1.5.1 - Cross Site Scripting author: theamanrawat severity: medi...

6.1CVSS6.6AI score0.02214EPSS

Exploits1References4

Nuclei•added yesterday•30 views

WordPress JSmol2WP <=1.07 - Cross-Site Scripting

WordPress JSmol2WP version 1.07 and earlier is vulnerable to cross-site scripting and allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter. id: CVE-2018-20462 info: name: WordPress JSmol2WP =1.07 - Cross-Site Scripting author: daffainfo severity: medium...

7.5CVSS6.8AI score0.13078EPSS

Exploits4References5

Nuclei•added yesterday•27 views

SugarCRM 3.5.1 - Cross-Site Scripting

SugarCRM 3.5.1 is vulnerable to cross-site scripting via phprint.php and a parameter name in the query string aka a $key variable. id: CVE-2018-5715 info: name: SugarCRM 3.5.1 - Cross-Site Scripting author: edoardottt severity: medium description: SugarCRM 3.5.1 is vulnerable to cross-site...

6.1CVSS6.2AI score0.06914EPSS

Exploits5References5

Nuclei•added yesterday•25 views

DomainMOD 4.11.01 - Cross-Site Scripting

DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/ssl-provider.php ssl-provider-name and ssl-provider's-url parameters. id: CVE-2018-20009 info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD...

4.8CVSS5.9AI score0.04428EPSS

Exploits6References5

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by