189 matches found
PT-2025-15055 · WordPress · Zoomsounds
Name of the Vulnerable Software and Affected Versions: ZoomSounds plugin for WordPress versions up to, and including, 6.91 Description: The issue is related to Stored Cross-Site Scripting via shortcodes due to insufficient input sanitization and output escaping on user-supplied attributes. This...
CVE-2024-13898 Simple Banner <= 3.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output...
CVE-2025-2635
The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of removequeryarg function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary...
CBL Mariner 2.0 Security Update: vitess (CVE-2024-53257)
The version of vitess installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-53257 advisory. - Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env...
WordPress plugin WP Extra Fields 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. For instance, ?text= would trigger XSS here. js const text = createResource = return new...
CVE-2025-27109 Lack of Escaping of HTML in JSX Fragments allows for Cross-site Scripting in solid-js
solid-js is a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. This issue has...
PT-2025-6433 · WordPress · Woocommerce Brands Plugin
Name of the Vulnerable Software and Affected Versions: Woocommerce Brands Plugin versions up to, and including, 1.3.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's product brand shortcode due to insufficient input sanitization and output escaping on user-suppli...
CVE-2024-6753
The Social Auto Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mapTypes’ parameter in the 'wpwautopostermapwordpressposttype' AJAX function in all versions up to, and including, 5.3.14 due to insufficient input sanitization and output escaping. This makes it...
CVE-2024-4869
The WP Cookie Consent for GDPR, CCPA & ePrivacy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...
CVE-2024-13347 Essential WP Real Estate <= 1.1.3 - Reflected XSS
The Essential WP Real Estate WordPress plugin through 1.1.3 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting...
CVE-2024-12400
The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting...
10CentMail <= 2.1.50 - Reflected Cross-Site Scripting
Description The 10CentMail plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.1.50 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
WordPress plugin GTPayment Donations 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plug-in. A security vulnerability...
CVE-2024-12338 Website Toolbox Community <= 2.0.1 - Reflected Cross-Site Scripting via websitetoolbox_username
The Website Toolbox Community plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘websitetoolboxusername’ parameter in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...
CVE-2024-10872 Getwid – Gutenberg Blocks <= 2.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template-post-custom-field block in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...
PT-2024-16624 · Pdfcrowd · Save As Pdf Plugin
Name of the Vulnerable Software and Affected Versions: Save as PDF Plugin by Pdfcrowd versions up to, and including, 4.2.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'save as pdf pdfcrowd' shortcode due to insufficient input sanitization and output escaping ...
CVE-2024-8740
The GetResponse Forms by Optin Cat plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of addqueryarg without appropriate escaping on the URL in all versions up to, and including, 2.5.6. This makes it possible for unauthenticated attackers to inject arbitrary web...
PT-2024-39740 · WordPress · Locatoraid Store Locator
Name of the Vulnerable Software and Affected Versions: Locatoraid Store Locator plugin for WordPress versions up to, and including, 3.9.47 Description: The issue is related to Reflected Cross-Site Scripting via $ POST keys due to insufficient input sanitization and output escaping. This allows...
CVE-2024-8803 Bulk NoIndex & NoFollow Toolkit <= 2.15 - Reflected Cross-Site Scripting
The Bulk NoIndex & NoFollow Toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of removequeryarg without appropriate escaping on the URL in all versions up to, and including, 2.15. This makes it possible for unauthenticated attackers to inject arbitrary we...