41 matches found
CVE-2026-3492 Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the createfromtemplate AJAX endpoint allowing any authenticated user to create forms, insufficie...
CVE-2026-3492
The Gravity Forms WordPress plugin (all versions up to 2.9.28.1) is vulnerable to Stored XSS due to a trio of issues: (1) missing authorization on the create_from_template AJAX endpoint allowing any authenticated user to create forms, (2) insufficient input sanitization where sanitize_text_field(...
CVE-2026-3492 Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the createfromtemplate AJAX endpoint allowing any authenticated user to create forms, insufficie...
PT-2026-24658
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the create from template AJAX endpoint allowing any authenticated user to create forms,...
CVE-2026-1279
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formtitle' parameter in the searchemployeedirectory shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for...
EUVD-2026-5610
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formtitle' parameter in the searchemployeedirectory shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-1279 Employee Directory <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_title' Shortcode Attribute
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formtitle' parameter in the searchemployeedirectory shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for...
WordPress Employee Directory plugin <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_title' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'formtitle' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Employee Directory versions = 1.2.1...
PT-2026-6686
Name of the Vulnerable Software and Affected Versions Employee Directory plugin for WordPress versions up to and including 1.2.1 Description The Employee Directory plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escapin...
EUVD-2021-11656
Malware in sbrugna...
EUVD-2025-25900
Malicious code in bioql PyPI...
CVE-2025-52122
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection SSTI vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...
PT-2025-34870 · Craft Cms · Craft Cms +1
Name of the Vulnerable Software and Affected Versions: Freeform versions 5.0.0 through 5.10.16 Description: The Freeform plugin for CraftCMS contains a Server-side template injection SSTI vulnerability. This allows for arbitrary code injection for users with permission to edit a form submission...
CVE-2021-24744
The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...
CVE-2021-24513
The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfilteredhtml capability is disallowed...
Survey Creator Library 跨站脚本漏洞
Survey Creator Library is SurveyJS open source a GUI-based no-code form generator library . A cross-site scripting vulnerability exists in Survey Creator Library v.1.9.132 and earlier versions that could allow an attacker to execute arbitrary code and obtain sensitive information via the title...
CVE-2021-24744
The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...
CVE-2021-24516
The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfilteredhtml is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue...
PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting
The plugin does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfilteredhtml is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue. Timeline July 12th, 2021 - Vendor...
CVE-2021-24513
The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfilteredhtml capability is disallowed...