CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

9905 matches found

CVE-2026-54393 MISP Overmind theme stored XSS via unvalidated homepage setting

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal, bypassing the normal setSetting validation logic, including validatehomepage, which requires homepage...

5.1CVSS

Exploits0References1

Nuclei•added yesterday•24 views

Membership Database <= 1.0 - Cross-Site Scripting

Membership Database before 1.0 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker t...

6.1CVSS6.9AI score0.12454EPSS

Exploits2References3

Nuclei•added yesterday•44 views

wpForo Forum <= 2.1.8 - Cross-Site Scripting

The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforodebug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

6.1CVSS7.3AI score0.15248EPSS

Exploits1References4

RedhatCVE•added 3 days ago•5 views

CVE-2026-8977

The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninjagdprajaxactions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls function, combined with insufficient input...

6.4CVSS5.5AI score0.00032EPSS

Exploits0References1

RedhatCVE•added 3 days ago•3 views

CVE-2026-8895

The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are...

6.4CVSS5.7AI score0.00029EPSS

Exploits0References1

NVD•added 3 days ago•8 views

CVE-2025-8444

The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. Th...

6.4CVSS0.00029EPSS

Exploits0References2

NVD•added 4 days ago•8 views

CVE-2026-10024

The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00029EPSS

Exploits0References3

CVE•added 4 days ago•9 views

CVE-2026-8977

The WP GDPR Cookie Consent plugin for WordPress (versions up to and including 1.0.0) is vulnerable to Stored Cross-Site Scripting via the ninja_gdpr_ajax_actions AJAX action. The root cause is multi-fold: missing capability and nonce checks in handleAjaxCalls(), insufficient input sanitization of...

6.4CVSS5.7AI score0.00032EPSS

Exploits0References5

CVE•added 4 days ago•8 views

CVE-2026-8841

CVE-2026-8841 affects the WordPress plugin Extra Settings for RocketChat (versions ≤ 0.1). The vulnerability is a Stored Cross-Site Scripting via the rocketchat shortcode’s title attribute caused by insufficient input sanitization/output escaping in the rxstg_shortcode() function, which directly ...

6.4CVSS5.7AI score0.00029EPSS

Exploits0References3

NVD•added 4 days ago•13 views

CVE-2026-10862

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and...

6.4CVSS0.00029EPSS

Exploits0References2

EUVD•added 4 days ago•7 views

EUVD-2026-35290

6.4CVSS5.7AI score0.00029EPSS

Exploits0References2

Positive Technologies•added 4 days ago•5 views

PT-2026-47676

Name of the Vulnerable Software and Affected Versions Global Body Mass Index Calculator versions prior to 1.3 Description The Global Body Mass Index Calculator plugin for WordPress contains a Stored Cross-Site Scripting issue. The GBMI Calc Widget::widget function fails to properly sanitize input...

6.4CVSS5.6AI score0.00032EPSS

Exploits0References7

EUVD•added 2026/06/06 2:28 a.m.•8 views

EUVD-2026-34945

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

6.1CVSS5.7AI score0.00108EPSS

Exploits0References8

Cvelist•added 2026/06/06 2:28 a.m.•39 views

CVE-2026-9280 Ad Inserter <= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode

6.1CVSS0.00108EPSS

Exploits0References8

EUVD•added 2026/06/06 12:31 a.m.•8 views

EUVD-2026-34925

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS5.7AI score0.00036EPSS

Exploits0References6

NVD•added 2026/06/06 12:16 a.m.•9 views

CVE-2026-8900

6.4CVSS0.00036EPSS

Exploits0References5

Positive Technologies•added 2026/06/06 12:0 a.m.•10 views

PT-2026-47122

Name of the Vulnerable Software and Affected Versions All-In-One Security AIOS – Security and Firewall plugin for WordPress versions prior to 5.4.8 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization in the get rest route function and missing output escaping in t...

7.2CVSS5.7AI score0.00165EPSS

Exploits0References12

ATTACKERKB•added 2026/06/05 11:28 p.m.•5 views

CVE-2026-8900

6.4CVSS5.7AI score0.00036EPSS

Exploits0References6

RedhatCVE•added 2026/06/05 7:42 p.m.•6 views

CVE-2025-14732

The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.7AI score0.00012EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:40 p.m.•7 views

CVE-2026-25901

Lack of output escaping leads to a XSS vector in the multilingual associations component...

6.9CVSS5.4AI score0.00005EPSS

Exploits0References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by