39 matches found
CVE-2026-6405 Anomify AI <= 0.3.6 - Cross-Site Request Forgery
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output...
WordPress plugin LatePoint Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2024-2772
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 5.1.13 due to insufficient input sanitization and output escaping. This makes it...
WordPress plugin ELEX WordPress HelpDesk & Customer Ticketing System Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are products of the WordPress Foundation, a blogging platform developed in PHP. WordPress is a blogging platform developed using the PHP language, which provides the ability to host a personal blog site on a PHP and MySQL based server. WordPress plugin is an...
CVE-2025-13537 Live Composer – Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. Th...
PT-2025-48221
The Shouty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shouty shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
EUVD-2025-198387
The HotelRunner Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hotelrunner' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
EUVD-2021-11598
Malware in sbrugna...
EUVD-2023-59170
Malicious code in bioql PyPI...
EUVD-2024-47883
Malicious code in bioql PyPI...
PT-2025-28330 · WordPress · Foobox
Name of the Vulnerable Software and Affected Versions: The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress versions up to, and including, 2.7.34 Description: The issue is related to Stored Cross-Site Scripting via image alternative texts due to insufficient input sanitizatio...
PT-2025-26914 · WordPress · E.Nigma Buttons
Name of the Vulnerable Software and Affected Versions: e.nigma buttons plugin for WordPress versions up to, and including, 1.1.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'button' shortcode due to insufficient input sanitization and output escaping on...
PT-2025-26916 · WordPress · Timezonecalculator
Name of the Vulnerable Software and Affected Versions: TimeZoneCalculator plugin for WordPress versions up to, and including, 3.37 Description: The issue is related to Stored Cross-Site Scripting in the TimeZoneCalculator plugin for WordPress. This is due to insufficient input sanitization and...
PT-2025-25475 · WordPress · Streamweasels Kick Integration
Name of the Vulnerable Software and Affected Versions: StreamWeasels Kick Integration plugin for WordPress versions up to, and including, 1.1.3 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated...
CVE-2025-4670
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's eddreceipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output escaping on user...
CVE-2024-13427
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is affected by CVE-2024-13427: a Stored Cross-Site Scripting vulnerability in the Button widget. Root cause: insufficient input sanitization and output escaping on user-supplied attributes. Affected versions: all up ...
CVE-2024-9444
The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...
CVE-2024-7629
The Responsive video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's video settings function in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2024-1534
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-10872
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template-post-custom-field block in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...