24 matches found
CVE-2026-8622
The CVE-2026-8622 entry concerns the WordPress plugin Image Sizes on Demand (versions affected: all up to and including 1.3). The vulnerability is a Reflected Cross-Site Scripting (XSS) via the PHP_SELF server variable caused by insufficient input sanitization and output escaping. It allows unaut...
EUVD-2026-38687
The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...
CVE-2026-8622 Image Sizes on Demand <= 1.3 - Reflected Cross-Site Scripting via PHP_SELF Server Variable
The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...
PT-2026-51682
Name of the Vulnerable Software and Affected Versions Image Sizes on Demand versions prior to 1.4 Description Insufficient input sanitization and output escaping in the PHP SELF server variable allow unauthenticated attackers to inject arbitrary web scripts. These scripts execute if a user is...
CVE-2026-5643 Cyber-III Student-Management-System Admin Add Endpoint notice.php cross site scripting
A vulnerability was identified in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This impacts an unknown function of the file /admin/Add%20notice/notice.php of the component Admin Add Endpoint. Such manipulation of the argument $SERVER'PHPSELF' leads to cross...
EUVD-2026-4923
The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $SERVER'PHPSELF' variable. This makes it possible for unauthenticated attackers to inject...
WordPress plugin JustClick registration: cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
CVE-2025-13893
The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...
CVE-2025-14127
The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-14118
CVE-2025-14118 (Starred Review - WordPress) is a Reflected Cross-Site Scripting vulnerability in the Starred Review plugin for WordPress, affecting versions up to 1.4.2. The issue arises from insufficient input sanitization and output escaping around PHP_SELF, enabling unauthenticated attackers t...
CVE-2025-14127 Testimonial Master <= 0.2.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-14138
The WPLG Default Mail From plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-14137
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
WordPress Complag plugin <= 1.0.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability
Reflected Cross-Site Scripting via $SERVER'PHPSELF' vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Complag versions = 1.0.2...
EUVD-2025-202976
The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the $SERVER'PHPSELF' variable in the plugin's settings page. This mak...
EUVD-2025-203008
The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-13988
The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the $SERVER'PHPSELF' variable in the plugin's settings page. This mak...
CVE-2025-13988
CVE-2025-13988 refers to the WordPress plugin 评论小秘书 (Comments Secretary). It is a Reflected Cross‑Site Scripting vulnerability via the $_SERVER['PHP_SELF'] variable in all versions up to and including 1.3.2, caused by insufficient input sanitization and output escaping on the plugin’s settings pa...
PT-2025-50855
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $ SERVER'PHP SELF' variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
PT-2025-50856
The WPLG Default Mail From plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $ SERVER'PHP SELF' variable in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...