1119345 matches found
EUVD-2026-44902
The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rowtype' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it...
CVE-2026-15324
The CVE-2026-15324 entry concerns the SysBasics Customize My Account for WooCommerce – Live My Account Customizer WordPress plugin. Affected component: the plugin’s handling of the row_type parameter (and variants noted as row type). Root cause: insufficient input sanitization and output escaping...
EUVD-2026-44899
The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...
CVE-2026-15021
The wpForo Forum plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the 'location' Profile Field across all versions up to 3.1.1. The issue stems from insufficient input sanitization and output escaping; sanitize_text_field() at input does not encode double q...
EUVD-2026-44894
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'pricewrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2026-13755
The Tickera – Sell Tickets & Manage Events WordPress plugin (up to version 3.6.0.0) is affected by a Stored Cross‑Site Scripting vulnerability via the price_wrapper shortcode attribute. The root cause is insufficient input sanitization and output escaping, allowing authenticated attackers with co...
EUVD-2026-44886
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fields' parameter in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
EUVD-2026-44881
The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted pag...
CVE-2026-12869
CVE-2026-12869 affects the Header Footer Builder for Elementor WordPress plugin prior to 1.2.1. The dashboard template-import action does not require an administrative capability, allowing a Contributor to import a template containing an Elementor HTML widget configured to display site-wide. This...
CVE-2026-12978
The FunnelKit WordPress plugin is vulnerable before version 3.15.0.6 to a Reflected XSS in a page-builder AJAX action when Divi builder is active. The issue arises from insufficient escaping of a user-supplied parameter reflected into the HTML response, enabling unauthenticated attackers to targe...
CVE-2026-11371
The BetterDocs WordPress plugin (versions before 4.5.5) is vulnerable to unauthenticated stored XSS via the AI Doc Summarizer prompt injection. An unauthenticated user can store a malicious payload during generation that is later output and executed in the browser of any visitor who views the aff...
EUVD-2026-44865
The RPB Chessboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content in all versions up to, and including, 8.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
EUVD-2026-44863
The Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 's' Search Parameter in all versions up to, and including, 7.6.1 due to insufficient input sanitization and output escaping. This makes it possible...
CVE-2026-15306
CVE-2026-15306 affects the WordPress plugin Product Feed Manager For WooCommerce (
CVE-2026-15652
The CVE-2026-15652 affects the WordPress plugin Easy Accordion – AI-Powered FAQ & Accordion Blocks. It allows Stored Cross-Site Scripting via the 'align' Block Attribute in all versions up to 3.1.6 due to insufficient input sanitization and output escaping. Exploitation requires authenticated acc...
EUVD-2026-44861
The Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-14987
CVE-2026-14987 affects GiveWP (WordPress) up to version 4.16.3. The issue is a stored XSS via the twitter_message field in the Sequoia Template Settings, caused by insufficient input sanitization and output escaping. An authenticated attacker with give worker-level access (or higher) can inject a...
EUVD-2026-44859
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'twittermessage' Sequoia Template Setting in all versions up to, and including, 4.16.3 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-13005
The CVE concerns the MxChat – AI Chatbot & Content Generation for WordPress plugin for WordPress. Affected: all versions up to 3.2.10. Vulnerability: Stored Cross-Site Scripting via the intro_message admin setting due to insufficient input sanitization and output escaping. Privileged context: aut...
RLSA-2026:39868 Important: nodejs:24 security, bug fix, and enhancement update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input CVE-2026-42338 undici: undici: Denial of Service due to...