Lucene search
+L

41 matches found

Vulnrichment
Vulnrichment
added 2026/03/11 9:25 a.m.3 views

CVE-2026-3492 Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the createfromtemplate AJAX endpoint allowing any authenticated user to create forms, insufficie...

6.4CVSS5.9AI score0.00203EPSS
Exploits0References2
CVE
CVE
added 2026/03/11 9:25 a.m.19 views

CVE-2026-3492

The Gravity Forms WordPress plugin (all versions up to 2.9.28.1) is vulnerable to Stored XSS due to a trio of issues: (1) missing authorization on the create_from_template AJAX endpoint allowing any authenticated user to create forms, (2) insufficient input sanitization where sanitize_text_field(...

6.4CVSS5.9AI score0.00203EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/11 9:25 a.m.30 views

CVE-2026-3492 Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the createfromtemplate AJAX endpoint allowing any authenticated user to create forms, insufficie...

6.4CVSS0.00203EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.7 views

PT-2026-24658

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the create from template AJAX endpoint allowing any authenticated user to create forms,...

6.4CVSS5.9AI score0.00203EPSS
Exploits0References5
NVD
NVD
added 2026/02/06 8:15 a.m.12 views

CVE-2026-1279

The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formtitle' parameter in the searchemployeedirectory shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00235EPSS
Exploits0References5
EUVD
EUVD
added 2026/02/06 7:24 a.m.6 views

EUVD-2026-5610

The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formtitle' parameter in the searchemployeedirectory shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.6AI score0.00235EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/02/06 7:24 a.m.4 views

CVE-2026-1279 Employee Directory <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_title' Shortcode Attribute

The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formtitle' parameter in the searchemployeedirectory shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.6AI score0.00235EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/02/06 12:39 a.m.8 views

WordPress Employee Directory plugin <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_title' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'formtitle' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Employee Directory versions = 1.2.1...

6.4CVSS5.3AI score0.00235EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/06 12:0 a.m.13 views

PT-2026-6686

Name of the Vulnerable Software and Affected Versions Employee Directory plugin for WordPress versions up to and including 1.2.1 Description The Employee Directory plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escapin...

6.4CVSS5.7AI score0.00235EPSS
Exploits0References10
EUVD
EUVD
added 2025/10/07 12:30 a.m.16 views

EUVD-2021-11656

Malware in sbrugna...

4.8CVSS5.2AI score0.00598EPSS
Exploits2References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-25900

Malicious code in bioql PyPI...

9.8CVSS6.3AI score0.00574EPSS
Exploits1References4
Cvelist
Cvelist
added 2025/08/27 12:0 a.m.13 views

CVE-2025-52122

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection SSTI vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...

0.00574EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2025/08/27 12:0 a.m.8 views

PT-2025-34870 · Craft Cms · Craft Cms +1

Name of the Vulnerable Software and Affected Versions: Freeform versions 5.0.0 through 5.10.16 Description: The Freeform plugin for CraftCMS contains a Server-side template injection SSTI vulnerability. This allows for arbitrary code injection for users with permission to edit a form submission...

9.8CVSS7.2AI score0.00574EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added 2025/05/22 9:3 p.m.14 views

CVE-2021-24744

The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...

4.8CVSS6AI score0.00598EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/22 9:3 p.m.5 views

CVE-2021-24513

The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfilteredhtml capability is disallowed...

5.4CVSS6AI score0.00624EPSS
Exploits2References1
CNNVD
CNNVD
added 2024/03/21 12:0 a.m.3 views

Survey Creator Library 跨站脚本漏洞

Survey Creator Library is SurveyJS open source a GUI-based no-code form generator library . A cross-site scripting vulnerability exists in Survey Creator Library v.1.9.132 and earlier versions that could allow an attacker to execute arbitrary code and obtain sensitive information via the title...

6.1CVSS6.3AI score0.00508EPSS
Exploits2References3
OSV
OSV
added 2021/10/25 2:15 p.m.5 views

CVE-2021-24744

The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...

4.8CVSS5.8AI score0.00598EPSS
Exploits2References1
OSV
OSV
added 2021/10/18 2:15 p.m.5 views

CVE-2021-24516

The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfilteredhtml is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue...

4.8CVSS5.8AI score0.00618EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/09/15 12:0 a.m.572 views

PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting

The plugin does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfilteredhtml is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue. Timeline July 12th, 2021 - Vendor...

4.8CVSS0.4AI score0.00618EPSS
Exploits2
OSV
OSV
added 2021/09/06 11:15 a.m.2 views

CVE-2021-24513

The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfilteredhtml capability is disallowed...

5.4CVSS5.8AI score0.00624EPSS
Exploits2References1
Rows per page
Query Builder