CVE-2026-2231

The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...

CVE-2025-12473

CVE-2025-12473 refers to the RTMKit WordPress plugin (rometheme-for-elementor) with a Reflected Cross‑Site Scripting flaw via the themebuilder parameter in all versions up to 1.6.8. Documents confirm the vulnerability allows unauthenticated attackers to inject arbitrary scripts on pages executed ...

CVE-2026-1320 Secure Copy Content Protection and Content Locking <= 4.9.8 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' HTTP header in all versions up to, and including, 4.9.8 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-11885

CVE-2025-11885 : WordPress EchBay Admin Security plugin suffers a Reflected XSS via the _ebnonce parameter in versions up to 1.3.0 due to insufficient input sanitization and output escaping. Unauthenticated attackers could entice a user to perform an action (e.g., click a link) and have arbitrary...

CVE-2025-8064 Bible SuperSearch <= 6.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via selector_height Parameter

The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘selectorheight’ parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-7661

The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-10784

The Unlimited Elements For Elementor Free Widgets, Addons, Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Tile Gallery' widget in all versions up to, and including, 1.5.126 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-13396

The Frictionless plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'frictionlessform' shortcodes in all versions up to, and including, 0.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-13505

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ayssections5questions8title’ parameter in all versions up to, and including, 5.1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-13392

The Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisperreviews' shortcode in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user supplied...

PT-2024-39646 · WordPress · Wp Builder

Name of the Vulnerable Software and Affected Versions: WP Builder plugin for WordPress versions up to, and including, 3.0.7 Description: The issue is related to Stored Cross-Site Scripting via SVG File uploads due to insufficient input sanitization and output escaping. This allows authenticated...

WordPress plugin Themify Shortcodes 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation, a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plug-in. A security vulnerability exists in the WordPress plugi...

CVE-2023-3051 Page Builder by AZEXO <= 1.27.133 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Page Builder by AZEXO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'azhpost' shortcode in versions up to, and including, 1.27.133 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web...

WordPress plugin Fast Flow 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. cross-site scripting vulnerability exists in versions of WordPress Fast Flow plugin prior to 1.2.12, which...