22 matches found
CVE-2026-3995 OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting
The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitizetextfield which strips HTML tags but does not...
CVE-2025-10357 Simple SEO < 2.0.32 - Contributor+ Stored XSS
The Simple SEO WordPress plugin before 2.0.32 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks...
EUVD-2025-25069
Malicious code in bioql PyPI...
CVE-2025-8281 WP Talroo <= 2.4 - Reflected XSS
The WP Talroo WordPress plugin through 2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin and unauthenticated users...
CVE-2025-5035
The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks...
CVE-2024-3199
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor...
CVE-2022-1094
The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...
CVE-2023-7228
The illi Link Party! WordPress plugin through 1.0 does not sanitise and escape some parameters, which could allow unauthenticated vistors to perform Cross-Site Scripting attacks...
PT-2025-7477
Name of the Vulnerable Software and Affected Versions The SMTP for SendGrid – YaySMTP plugin for WordPress versions up to, and including, 1.3.1 Description The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated...
CVE-2024-10091 ElementsKit Elementor addons <= 3.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Comparison Widget in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-10080
The WP Easy Post Types plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
CVE-2024-7861 Misiek Paypal <= 1.1.20090324 - Stored XSS via CSRF
The Misiek Paypal WordPress plugin through 1.1.20090324 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-6536
The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...
PT-2024-18727 · WordPress · Eleforms – All In One Form Integration Including Db For Elementor
Name of the Vulnerable Software and Affected Versions: The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress versions up to, and including, 2.9.9.7 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and outp...
CVE-2023-5640
The Article Analytics WordPress plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection vulnerability...
CVE-2023-5243
The Login Screen Manager WordPress plugin through 3.5.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-4376
The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is...
PT-2023-16597 · WordPress · The Pickup | Delivery | Dine-In Date Time Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: The Pickup | Delivery | Dine-in date time WordPress plugin versions 1.0.0 through 1.0.9 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capabili...
PT-2022-23109 · WordPress · The Image Hover Effects Css3 Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: The Image Hover Effects Css3 WordPress plugin versions 4.5 and earlier Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed,...
CVE-2022-1089 Bulk Edit and Create User Profiles < 1.5.14 - Admin+ Stored Cross-Site Scripting
The Bulk Edit and Create User Profiles WordPress plugin before 1.5.14 does not sanitise and escape the Users Login, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...