1119350 matches found
CVE-2026-15324
The CVE-2026-15324 entry concerns the SysBasics Customize My Account for WooCommerce – Live My Account Customizer WordPress plugin. Affected component: the plugin’s handling of the row_type parameter (and variants noted as row type). Root cause: insufficient input sanitization and output escaping...
EUVD-2026-44902
The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rowtype' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it...
CVE-2026-15021
The wpForo Forum plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the 'location' Profile Field across all versions up to 3.1.1. The issue stems from insufficient input sanitization and output escaping; sanitize_text_field() at input does not encode double q...
EUVD-2026-44899
The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...
CVE-2026-13755
The Tickera – Sell Tickets & Manage Events WordPress plugin (up to version 3.6.0.0) is affected by a Stored Cross‑Site Scripting vulnerability via the price_wrapper shortcode attribute. The root cause is insufficient input sanitization and output escaping, allowing authenticated attackers with co...
CVE-2026-13755 Tickera <= 3.6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'pricewrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
EUVD-2026-44894
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'pricewrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
EUVD-2026-44886
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fields' parameter in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
CVE-2026-15099 WP Delicious <= 1.10.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'steps' Block Attribute
The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrapdirectiontext function, which interpolates the...
CVE-2026-12869
CVE-2026-12869 affects the Header Footer Builder for Elementor WordPress plugin prior to 1.2.1. The dashboard template-import action does not require an administrative capability, allowing a Contributor to import a template containing an Elementor HTML widget configured to display site-wide. This...
CVE-2026-12869 Header Footer Builder for Elementor < 1.2.1 - Contributor+ Stored XSS via Template Import
The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action it allows any editposts user, so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide,...
CVE-2026-12978
The FunnelKit WordPress plugin is vulnerable before version 3.15.0.6 to a Reflected XSS in a page-builder AJAX action when Divi builder is active. The issue arises from insufficient escaping of a user-supplied parameter reflected into the HTML response, enabling unauthenticated attackers to targe...
EUVD-2026-44881
The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted pag...
CVE-2026-11371 BetterDocs < 4.5.5 - Unauthenticated Stored XSS via AI Doc Summarizer Prompt Injection
The BetterDocs WordPress plugin before 4.5.5 does not sanitise an AI-generated documentation summary before storing and outputting it, and the feature that generates it is exposed to unauthenticated users, allowing them to store a malicious payload via prompt injection that executes in the browse...
CVE-2026-11371
The BetterDocs WordPress plugin (versions before 4.5.5) is vulnerable to unauthenticated stored XSS via the AI Doc Summarizer prompt injection. An unauthenticated user can store a malicious payload during generation that is later output and executed in the browser of any visitor who views the aff...
EUVD-2026-44865
The RPB Chessboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content in all versions up to, and including, 8.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
CVE-2026-15306
CVE-2026-15306 affects the WordPress plugin Product Feed Manager For WooCommerce (
EUVD-2026-44863
The Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 's' Search Parameter in all versions up to, and including, 7.6.1 due to insufficient input sanitization and output escaping. This makes it possible...
CVE-2026-15652
The CVE-2026-15652 affects the WordPress plugin Easy Accordion – AI-Powered FAQ & Accordion Blocks. It allows Stored Cross-Site Scripting via the 'align' Block Attribute in all versions up to 3.1.6 due to insufficient input sanitization and output escaping. Exploitation requires authenticated acc...
EUVD-2026-44861
The Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...