
8 matches found

Vulnrichment
added 2026/05/08 9:26 a.m., 5 views

CVE-2026-7475 Sky Addons <= 3.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Script

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capability_type = 'post' and show_in_rest = true, combined with...

CVSS 6.4, AI score 6, EPSS 0.00013
Exploits: 0, References: 7
EUVD
added 2026/04/22 9:31 p.m., 0 views

EUVD-2026-22860

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permission_callback set to __return_true...

CVSS 7.2, AI score 5.7, EPSS 0.00179
Exploits: 0, References: 10
CVE
added 2026/04/15 8:28 a.m., 6 views

CVE-2026-3643

The Accessibly WordPress plugin (versions ≤ 3.0.3) is vulnerable to an unauthenticated Stored XSS via REST API endpoints /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config. These endpoints have permission_callback set to __return_true, so no auth checks occur. updateWidgetOptions()...

CVSS 7.2, AI score 5.7, EPSS 0.00179
Exploits: 0, References: 9
OSV
added 2025/11/12 4:29 a.m., 1 views

MAL-2025-142708 Malicious code in frontend-meissa-scripts-charon (npm)

Source: amazon-inspector 4b7993005ccd89c0204660a1eabf207f62018f8177e86a80e44ab904f81bd861 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits: 0
EUVD
added 2025/11/11 6:30 a.m., 1 views

EUVD-2025-60957

The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without prope...

CVSS 5.3, AI score 5.6, EPSS 0.00046
Exploits: 0, References: 4
CNNVD
added 2025/01/14 12:0 a.m., 1 views

Silverstripe Asset Admin Module Cross-Site Scripting Vulnerability

Silverstripe Asset Admin Module is an open source asset management module from Silverstripe. A cross-site scripting vulnerability exists in Silverstripe Asset Admin Module, which stems from the fact that HTML is not sanitized until the shortcode is replaced, allowing execution of script loads in...

CVSS 5.4, AI score 6, EPSS 0.05366
Exploits: 2, References: 5
OSSF Malicious Packages
added 2022/06/20 8:23 p.m., 3 views

Malicious code in frontend-script (npm)

Source: ghsa-malware 2f9e6d4113fca5af755999c2fa0282e6416cce729a59c28f9f5a4293e5c0d930 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1
Positive Technologies
added 2022/06/13 12:0 a.m., 7 views

PT-2022-3505 · Elementor · Elementor Website Builder

Name of the Vulnerable Software and Affected Versions: Elementor Website Builder plugin versions prior to 3.5.6 Description: The issue is related to insufficient protection of the webpage structure, allowing a remote attacker to perform cross-site scripting. This is a DOM-based Reflected Cross-Si...

CVSS 6.4, AI score 6.2, EPSS 0.58138
Exploits: 7, References: 18