Lucene search
K

24608 matches found

Nuclei
Nuclei
added yesterday21 views

WordPress Email Newsletter - Reflected XSS

WordPress Email Newsletter plugin through 1.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to cra...

5.4CVSS7AI score0.00682EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday14 views

Bulk Me Now! Plugin <= 2.0 - Cross-Site Scripting

Bulk Me Now! WordPress plugin = 2.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

7.1CVSS7AI score0.00528EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday36 views

WP Triggers Lite - Cross-Site Scripting

WP Triggers Lite WordPress plugin v2.5.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

7.1CVSS7AI score0.0055EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday42 views

WordPress WPQA <5.4 - Cross-Site Scripting

WordPress WPQA plugin prior to 5.4 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape a parameter on its reset password form. id: CVE-2022-1597 info: name: WordPress WPQA 5.4 - Cross-Site Scripting author: veshraj severity: medium description: | WordPress WPQ...

6.1CVSS6.4AI score0.0291EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday90 views

WordPress MF Gig Calendar <=1.1 - Cross-Site Scripting

WordPress MF Gig Calendar plugin 1.1 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize or escape the id GET parameter before outputting back in the admin dashboard when editing an event. id: CVE-2021-24510 info: name: WordPress MF Gig Calendar =1.2 which...

6.1CVSS6.4AI score0.02721EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday132 views

WordPress Jannah Theme <5.4.5 - Cross-Site Scripting

WordPress Jannah theme before 5.4.5 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action. id: CVE-2021-24407 info: name: WordPress Jannah Theme 5.4.5 - Cross-Site Scripting author: pikpikcu severity:...

6.1CVSS6.4AI score0.02697EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday66 views

ChurchCRM v4.5.3 - Cross-Site Scripting

A stored Cross-site scripting XSS vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. id: CVE-2023-31548 info: name: ChurchCRM v4.5.3 - Cross-Site Scripting author: Harsh severity: medium...

5.4CVSS6.4AI score0.01248EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday77 views

wpForo Forum <= 2.1.8 - Cross-Site Scripting

The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforodebug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

6.1CVSS6.9AI score0.00845EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday43 views

WordPress Copyright Proof <=4.16 - Cross-Site-Scripting

WordPress Copyright Proof plugin 4.16 and prior contains a cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users when a specific setting is enabled. id: CVE-2022-1906...

6.1CVSS6.4AI score0.00955EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday82 views

osTicket < 1.12.1 - Cross-Site Scripting

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the...

6.1CVSS6.7AI score0.11687EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday46 views

LoLLMS WebUI - Subfolder Prediction via Path Traversal

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'addreferencetolocalmode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. id: CVE-2024-4841 info: name: LoLLMS WebUI - Subfolder Prediction via Path...

4CVSS6.1AI score0.00674EPSS
Exploits1
Nuclei
Nuclei
added yesterday50 views

Membership Database <= 1.0 - Cross-Site Scripting

Membership Database before 1.0 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker t...

6.1CVSS6.8AI score0.0085EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday77 views

GamiPress <= 2.8.9 - SQL Injection

GamiPress WordPress plugin version 2.8.9 and below suffers from an SQL injection vulnerability due to insufficient sanitization of user input, allowing attackers to execute arbitrary SQL commands. id: CVE-2024-13496 info: name: GamiPress = 2.8.9 - SQL Injection author: ritikchaddha severity: high...

7.5CVSS7.3AI score0.0215EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday97 views

GLPI < 10.0.17 - Pre-Auth SQL Injection

A pre-authentication SQL injection vulnerability exists in the Inventory feature of GLPI. The vulnerability is caused by insufficient sanitization of user input in the handleAgent function when processing XML requests. The issue occurs because SimpleXMLElement objects can bypass the...

9.8CVSS6.5AI score0.86067EPSS
Exploits5References3
Cvelist
Cvelist
added 2 days ago24 views

CVE-2026-15429 Privilege Escalation via Improper Input Sanitization in TP-Link Archer VX1800v

A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data. An authenticated user with sufficient privileges may be abl...

5.1CVSS0.00394EPSS
Exploits0References2
CVE
CVE
added 2 days ago4 views

CVE-2026-15427

The CVE-2026-15427 involves an OS command injection in the TR-069/CWMP management interface of TP-Link Archer VX1800v (v1). The root cause is insufficient input validation and sanitization of parameters, allowing crafted input to be executed as system-level commands. Exploitation requires TR-069 ...

8.6CVSS6.2AI score0.005EPSS
Exploits0References2
NVD
NVD
added 2 days ago7 views

CVE-2026-11390

The News Kit Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00252EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-60103

Name of the Vulnerable Software and Affected Versions Anyquery affected versions not specified Description When operated in server mode, the software lacks input sanitization and access control for its built-in SQLite virtual table modules, such as csv reader and log reader. Unauthenticated...

7.5CVSS6.1AI score
Exploits0References5
CVE
CVE
added 3 days ago7 views

CVE-2026-4765

The CVE-2026-4765 issue affects Tallos Chat (RD Station Conversas) and is triggered in the initialization step via the ‘name’ parameter, where improper sanitization allows stored XSS. The vulnerability can execute arbitrary JavaScript in the context of the application, and is amplified because it...

5.1CVSS6.3AI score0.00272EPSS
Exploits0References1
NVD
NVD
added 5 days ago9 views

CVE-2026-1382

The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00193EPSS
Exploits0References4
Rows per page
Query Builder