12 matches found
CVE-2026-5109 Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Product Option
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...
CVE-2026-5109
The Gravity Forms WordPress plugin (versions up to and including 2.10.0) is vulnerable to Stored Cross-Site Scripting via the Product Option field. The root cause is insufficient validation and output escaping: the state validation accepts wp_kses()-sanitized values that match legitimate options ...
CVE-2026-5109 Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Product Option
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...
CVE-2026-5109
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...
OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution
The product custom option file upload in OpenMage LTS uses an incomplete blocklist "forbiddenextensions = php,exe" to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as ".phtml", ".phar", ".php3", ".php4", ".php5",...
Cross-Site Scripting in express-cart
All versions of harp are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages. Recommendation: No fix is currently...
Cross-Site Scripting
Overview: All versions of harp are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages. Recommendation: No fix is...
Joomla! Component J2Store < 3.3.7 - SQL Injection
Exploit Title: J2Store Plugin for Joomla! 3.3.6 - SQL Injection; Date: 19/02/2019; Author: Andrei Conache; Twitter: @andreiconache; Contact: andrei.conacheatprotonmail.com; Software Link: https://www.j2store.org; Version: 3.x-3.3.6; Tested on: Linux; CVE: CVE-2019-9184. 1. Description: J2Store is the most...
CVE-2019-9184
SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the productoption parameter...
SQL injection
SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the productoption parameter...
Cross-Site Scripting (XSS)
express-cart is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a victim's browser via the product option field in a request for a new product...
openMairie openPlanning Multiple File Inclusion Vulnerabilities
This host is running openMairie openPlanning and is prone to multiple file inclusion vulnerabilities. OpenVAS Vulnerability Test $Id: gbopenmairieopenplanningmultfileinclvuln.nasl 5323 2017-02-17 08:49:23Z teissa $ openMairie openPlanning Multiple File Inclusion Vulnerabilities Authors: Madhuri D...