CVE-2024-13900 Head, Footer and Post Injections <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments...

CVE-2024-13314

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-13314

CVE-2024-13314 affects the WordPress plugin “Carousel, Slider, Gallery by WP Carousel” (pre-2.7.4). The issue is insufficient sanitization/escaping of settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed. Public details show mitigation by up...

CVE-2024-13314 Carousel, Slider, Gallery by WP Carousel < 2.7.4 - Admin+ Stored XSS

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

WordPress plugin Head, Footer and Post Injections 代码注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A code injection vulnerability exists in th...

PT-2025-7369 · WordPress · Ajax Search Lite

Name of the Vulnerable Software and Affected Versions: Ajax Search Lite WordPress plugin version 4.12.4 and earlier Description: The issue concerns the Ajax Search Lite WordPress plugin, which does not properly sanitize and escape some of its settings. This could allow high-privilege users, such ...

PT-2025-7404 · WordPress · Head

Name of the Vulnerable Software and Affected Versions: Head, Footer and Post Injections plugin for WordPress versions up to, and including, 3.3.0 Description: The issue allows authenticated attackers with Administrator-level access and above to inject PHP code in multisite environments...

WordPress Head, Footer and Post Injections plugin <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments vulnerability

Authenticated Administrator+ PHP Code Injection in Multisite Environments vulnerability discovered by Francesco Carlucci in WordPress Plugin Head, Footer and Post Injections versions = 3.3.0...

PT-2025-7396 · WordPress · Cookie Notice Bar

Name of the Vulnerable Software and Affected Versions: Cookie Notice Bar plugin for WordPress version 1.3.0 and earlier Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with...

PT-2025-7386 · WordPress · Ultimate Classified Listings

Name of the Vulnerable Software and Affected Versions: Ultimate Classified Listings plugin for WordPress versions up to, and including, 1.4 Description: The issue is related to Stored Cross-Site Scripting via the Title parameter due to insufficient input sanitization and output escaping. This...

CVE-2024-12173

The Master Slider WordPress plugin before 3.10.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-13848

The Reaction Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...

PT-2025-6616 · WordPress · Reaction Buttons

Name of the Vulnerable Software and Affected Versions: Reaction Buttons plugin for WordPress versions up to, and including, 2.1.6 Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticat...

CVE-2024-13208

The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-13306 WP Google Map < 1.9.4 - Admin+ Stored XSS

The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-13208 WP Google Map < 1.9.4 - Admin+ Stored XSS

The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-7052

The Forminator Forms WordPress plugin before 1.38.3 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-13493

The Sensly Online Presence WordPress plugin through 0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-13493 Sensly Online Presence <= 0.6 - Admin+ Stored XSS

The Sensly Online Presence WordPress plugin through 0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2025-0692

The Simple Video Management System WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...