3443 matches found
CVE-2025-1062
The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example i...
CVE-2025-1523
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2025-14057 Multi-column Tag Map <= 17.0.39 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'mctm_css_conditional' Parameter
The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2025-13974 Email Customizer for WooCommerce | Drag and Drop Email Templates Builder <= 2.6.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Email Template Content
The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-13974
CVE-2025-13974 : The Email Customizer for WooCommerce (WordPress) is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to 2.6.7 due to insufficient input sanitization and output escaping. The flaw allows an authenticated attacker with administrator-level acce...
CVE-2025-13974 Email Customizer for WooCommerce | Drag and Drop Email Templates Builder <= 2.6.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Email Template Content
The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-2218
The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-2310
The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-2220
The Button contact VR WordPress plugin through 4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-2907
The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-2657
The Font Farsi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2025-15000 Page Keys <= 1.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'page_key' Parameter
The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pagekey’ parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, ...
CVE-2025-15000
CVE-2025-15000 (Page Keys for WordPress) is a stored XSS in the Page Key parameter affecting Page Keys plugin versions
CVE-2025-14792
CVE-2025-14792: Key Figures (WordPress) plugin vulnerable to Stored XSS via kf_field_figure_default_color_render in all versions up to 1.1; affects multisite and sites with unfiltered_html disabled. Exploitation requires authenticated admin-level access; payloads execute when users visit the inje...
CVE-2025-14792 Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render
The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kffieldfiguredefaultcolorrender function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-14792 Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render
The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kffieldfiguredefaultcolorrender function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-14888 Simple User Meta Editor <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via User Meta Value Field
The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-14888
CVE-2025-14888 : Simple User Meta Editor (WordPress) is vulnerable to stored XSS via the User Meta Value field in all versions up to 1.0.0, due to insufficient input sanitization and output escaping. This affects multisite setups and installations where unfiltered_html is disabled, enabling an au...
CVE-2025-14888 Simple User Meta Editor <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via User Meta Value Field
The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-14887 twinklesmtp – Email Service Provider For WordPress <= 1.03 - Authenticated (Administrator+) Stored Cross-Site Scripting via Sender Settings
The twinklesmtp – Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...