CVE-2025-14887

CVE-2025-14887 affects the twinklesmtp – Email Service Provider For WordPress plugin for WordPress. It is a Stored XSS via the plugin's sender settings in all versions up to 1.03, exploitable by authenticated attackers with administrator-level permissions and above. The vulnerability affects mult...

PT-2026-1612

Name of the Vulnerable Software and Affected Versions The Email Customizer for WooCommerce versions up to and including 2.6.7 Description The Email Customizer for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through email template content. Insufficient input...

PT-2026-1580

Name of the Vulnerable Software and Affected Versions Key Figures plugin for WordPress versions prior to 1.2 Description The Key Figures plugin for WordPress is susceptible to Stored Cross-Site Scripting through the kf field figure default color render function. Insufficient input sanitization an...

PT-2026-1598

Name of the Vulnerable Software and Affected Versions Page Keys versions prior to 1.3.4 Description The Page Keys plugin for WordPress is susceptible to Stored Cross-Site Scripting through the page key parameter. Insufficient input sanitization and output escaping allow authenticated attackers wi...

PT-2026-1570

Name of the Vulnerable Software and Affected Versions twinklesmtp – Email Service Provider For WordPress plugin versions up to and including 1.03 Description The twinklesmtp – Email Service Provider For WordPress plugin for WordPress is susceptible to Stored Cross-Site Scripting through the...

PT-2026-1571

Name of the Vulnerable Software and Affected Versions Simple User Meta Editor versions prior to 1.0.1 Description The Simple User Meta Editor plugin for WordPress has a flaw that allows an attacker to inject malicious web scripts into pages viewed by users. This is due to a lack of proper...

EUVD-2026-0836

The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2025-14509

The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization...

CVE-2025-14509

The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization...

CVE-2025-14509 Lucky Wheel for WooCommerce – Spin a Sale <= 1.1.13 - Authenticated (Administrator+) PHP Code Injection via Conditional Tags

The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization...

EUVD-2025-205769

The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization...

PT-2025-53921

Name of the Vulnerable Software and Affected Versions Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress versions up to and including 1.1.13 Description The software contains a PHP Code Injection issue stemming from the use of eval to process user-provided input from the 'Conditional...

CVE-2025-14735

The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

EUVD-2025-204632

The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-14735

The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-14735 Amazon affiliate lite Plugin <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-14735

The CVE-2025-14735 entry concerns the Amazon affiliate lite Plugin for WordPress with a Stored XSS in admin settings, affecting all versions up to 1.0.0. The vulnerability arises from insufficient input sanitization and output escaping, enabling authenticated attackers with administrator-level pe...

CVE-2025-14735 Amazon affiliate lite Plugin <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

PT-2025-52545

Name of the Vulnerable Software and Affected Versions Amazon affiliate lite Plugin versions prior to 1.0.1 Description The “Amazon affiliate lite Plugin” for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow...

CVE-2025-14378

The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...