36 matches found
CVE-2026-8351 RTMKit <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading Widget 'Background Text' Parameter
The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'backgroundtextheading' setting in the render function, which...
CVE-2026-8351
The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'backgroundtextheading' setting in the render function, which...
CVE-2026-8351
CVE-2026-8351 concerns the RTMKit plugin for WordPress, vulnerable up to version 2.0.7. The flaw is a Stored Cross-Site Scripting in the Advanced Heading widget via the 'Background Text' parameter. The render() function concatenates the value directly into an HTML attribute without applying esc_a...
WordPress Ultimate Addons for Beaver Builder - Lite plugin <= 1.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Widget vulnerability
WordPress Ultimate Addons for Beaver Builder - Lite plugin = 1.5.7 - Authenticated Contributor+ Stored Cross-Site Scripting via Heading Widget vulnerability discovered by Francesco Carlucci in WordPress Plugin Ultimate Addons for Beaver Builder – Lite versions = 1.5.7...
WordPress Shortcodes and extra features for Phlox theme plugin <= 2.17.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Modern Heading Widget vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Shortcodes and extra features for Phlox theme versions = 2.17.13...
CVE-2024-2143
The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Heading widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-3064
The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heading' widgets in all versions up to, and including, 1.4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...
CVE-2024-9673
Piotnet Addons For Elementor (WordPress) up to version 2.4.31 contains a Stored XSS vulnerability in the Heading widget due to insufficient input sanitization. Exploitation requires authenticated users with contributor-level access or higher, enabling injection of scripts in pages that render for...
PT-2025-3733 · WordPress · Piotnet Addons For Elementor
Name of the Vulnerable Software and Affected Versions: Piotnet Addons For Elementor plugin for WordPress versions up to, and including, 2.4.31 Description: The issue is related to Stored Cross-Site Scripting via the plugin's Heading widget due to insufficient input sanitization and output escapin...
CVE-2024-8486
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in the Modern Heading and Icon Picker widgets all versions up to, and including, 2.16.3 due to insufficient input sanitization and output escaping. This make...
PT-2024-39052 · WordPress · Phlox
Name of the Vulnerable Software and Affected Versions: Shortcodes and extra features for Phlox theme plugin for WordPress versions up to, and including, 2.16.3 Description: The issue is related to Stored Cross-Site Scripting via the url parameter in the Modern Heading and Icon Picker widgets. Thi...
CVE-2024-5502
The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Accordion, Dual Heading, and Vertical Timeline widgets in all versions up to, and including, 2.4.30 due to insufficient input sanitization and output escaping on user supplied...
WordPress Happy Addons for Elementor plugin <= 3.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gradient Heading Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Gradient Heading Widget vulnerability discovered by wesley wcraft in WordPress Plugin Happy Addons for Elementor versions = 3.11.1...
CVE-2024-5790 Happy Addons for Elementor <= 3.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gradient Heading Widget
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for...
PT-2024-37156 · WordPress · Happy Addons For Elementor
Name of the Vulnerable Software and Affected Versions: Happy Addons for Elementor plugin for WordPress versions up to, and including, 3.11.1 Description: The issue is related to Stored Cross-Site Scripting via the url attribute within the plugin's Gradient Heading widget due to insufficient input...
CVE-2024-5451
The The7 — Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Icon and Heading widgets in all versions up to, and including, 11.13.0 due to insufficient input sanitization and output escaping on...
CVE-2024-4208
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the typer effect in the advanced heading widget in all versions up to, and including, 3.2.37 due to insufficient input sanitization and output escaping on user...
CVE-2024-3831
The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Heading widget in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
WordPress Enter Addons plugin <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Heading widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Heading widget vulnerability discovered by Sebastião Gavião Sebastgav in WordPress Plugin Enter Addons versions = 2.1.5...
PT-2024-27938 · WordPress · Enter Addons – Ultimate Template Builder For Elementor
Name of the Vulnerable Software and Affected Versions: Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress versions up to, and including, 2.1.5 Description: The issue is related to Stored Cross-Site Scripting via the Heading widget due to insufficient input sanitization an...