CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:37 p.m.•9 views

CVE-2026-3362

The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization no sanitize callback on registersetting and missing output escaping no escattr ...

4.4CVSS5.7AI score0.00373EPSS

RedhatCVE•added 2026/06/05 7:28 p.m.•8 views

CVE-2026-4479

The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

4.4CVSS5.6AI score0.00157EPSS

Cvelist•added 2026/06/02 7:48 a.m.•40 views

CVE-2025-5085 wp-nano-ad <= 1.31 - Authenticated (Administrator+) Stored Cross-Site Scripting via blogrole_link Parameter

The WP Nano AD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘blogrolelink’ parameter in all versions up to, and including, 1.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

5.5CVSS0.00207EPSS

CVE•added 2026/06/02 7:48 a.m.•15 views

CVE-2025-5085

CVE-2025-5085 affects the WP Nano AD WordPress plugin (versions up to 1.31). It enables Stored Cross-Site Scripting via the blogrole_link parameter due to insufficient input sanitization/escaping. Impact: authenticated attackers with administrator rights can inject scripts that run for users on i...

5.5CVSS6AI score0.00207EPSS

Cvelist•added 2026/05/27 9:27 a.m.•28 views

CVE-2026-3348 MinhNhut Link Gateway <= 3.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting via Plugin Settings

4.4CVSS0.00237EPSS

Exploits0References3

Vulnrichment•added 2026/05/27 9:27 a.m.•7 views

CVE-2026-2288 myLinksDump <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'link_title' Parameter

The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linktitle' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access...

4.8CVSS6AI score0.0023EPSS

EUVD•added 2026/05/27 9:27 a.m.•11 views

EUVD-2026-32176

4.8CVSS6AI score0.0023EPSS

CVE•added 2026/05/27 9:27 a.m.•12 views

CVE-2026-2280

CVE-2026-2280 affects the WordPress plugin rexCrawler, all versions up to and including 1.0.15. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw in admin/settings that arises from insufficient input sanitization and output escaping. Exploitation requires authenticated access at admin...

4.8CVSS6AI score0.0023EPSS

Cvelist•added 2026/05/13 4:26 a.m.•62 views

CVE-2025-9989 Broadstreet <= 1.53.1 - Authenticated (Admin+) Stored Cross-Site Scripting

The Broadstreet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.53.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions an...

4.4CVSS0.0019EPSS

Exploits0References2

EUVD•added 2026/05/12 12:32 p.m.•32 views

EUVD-2026-29443

The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS6AI score0.00195EPSS

Exploits0References6

EUVD•added 2026/04/22 9:31 p.m.•1 views

EUVD-2026-22776

The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS5.9AI score0.00221EPSS

Exploits0References3

EUVD•added 2026/04/22 9:31 a.m.•2 views

EUVD-2026-24638

The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS5.8AI score0.0029EPSS

NVD•added 2026/04/22 9:16 a.m.•3 views

CVE-2026-3362

4.4CVSS0.00373EPSS

Exploits0References9

ATTACKERKB•added 2026/04/22 7:45 a.m.•3 views

CVE-2026-1379

The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

4.4CVSS5.8AI score0.0029EPSS

Positive Technologies•added 2026/04/22 12:0 a.m.•2 views

PT-2026-34269

Name of the Vulnerable Software and Affected Versions Real Estate Pro versions prior to 1.1.0 Description The Real Estate Pro plugin for WordPress contains a Stored Cross-Site Scripting issue within the admin settings. This occurs because of insufficient input sanitization and output escaping,...

5.5CVSS5.9AI score0.00241EPSS

Positive Technologies•added 2026/04/22 12:0 a.m.•2 views

PT-2026-34273

Name of the Vulnerable Software and Affected Versions Private WP suite versions prior to 0.4.2 Description The Private WP suite plugin for WordPress contains a Stored Cross-Site Scripting issue within the 'Exceptions' setting. This occurs because of insufficient input sanitization and output...

4.4CVSS5.9AI score0.0029EPSS

Exploits0References6

RedhatCVE•added 2026/04/16 7:22 p.m.•3 views

CVE-2026-2396

4.4CVSS5.9AI score0.00221EPSS