61 matches found
Improper Encoding or Escaping of Output
Overview launder is an A sanitize module for the people. Built for ApostropheCMS. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An attacker can execute arbitrary JavaScript by supplying a javascript: URL in an image...
GHSA-5F64-7VFC-RCX6 Apostrophe has stored XSS via javascript: URL in Image Widget Link
Summary A stored cross-site scripting vulnerability was identified in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the liv...
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An attacker can execute arbitrary JavaScript by supplying a javascript: URL in an image widget's link URL field and having it rendered on the page. This affects...
Apostrophe has stored XSS via javascript: URL in Image Widget Link
Summary A stored cross-site scripting vulnerability was identified in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the liv...
Improper Encoding or Escaping of Output
Overview apostrophe is a content management system CMS for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...
NPM: Apostrophe has stored XSS via javascript: URL in Image Widget Link
NPM: Apostrophe has stored XSS via javascript: URL in Image Widget Link vulnerability discovered by ? in WordPress Npm apostrophe versions 4.29.0...
Improper Encoding or Escaping of Output
Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An...
PT-2026-41153
Summary A stored cross-site scripting vulnerability was identified in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the liv...
CVE-2026-42643
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through = 4.4.11...
CVE-2026-42643
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through = 4.4.11...
CVE-2026-42643 WordPress Image Widget plugin <= 4.4.11 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through = 4.4.11...
CVE-2026-42643
The CVE concerns the StellarWP WordPress Image Widget (image-widget) plugin, affected up to version 4.4.11. Root cause: improper neutralization of input during web page generation, leading to a Stored Cross-Site Scripting (XSS) vulnerability. Impact, per the provided data, is an XSS condition wit...
CVE-2026-42643
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through = 4.4.11...
EUVD-2026-26214
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through = 4.4.11...
CVE-2026-42643 WordPress Image Widget plugin <= 4.4.11 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through = 4.4.11...
WordPress Plugin Image Widget 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
PT-2026-35902
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through = 4.4.11...
EUVD-2026-20129
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the rendersvg...
CVE-2026-4655
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the rendersvg...
CVE-2026-4655 Element Pack Addons for Elementor <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the rendersvg...