PT-2026-34308

Name of the Vulnerable Software and Affected Versions Simple Random Posts Shortcode versions prior to 0.4 Description The Simple Random Posts Shortcode plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with contributor-level access or higher can inject...

WordPress plugin HTTP Headers 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. Versions of...

PT-2026-34305

Name of the Vulnerable Software and Affected Versions Buzz Comments versions prior to 0.9.5 Description Insufficient input sanitization and output escaping in the 'Custom Buzz Avatar' setting, specifically the buzz comments avatar image variable, allows authenticated attackers with...

Cross-site Scripting (XSS)

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the defineScriptVars function due to incomplete sanitization of closing tags within injected variables. A...

PT-2026-34045

Name of the Vulnerable Software and Affected Versions Bludit CMS versions prior to commit 6732dde Description A reflected cross-site scripting issue exists in the search plugin. This allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Malicious...

CVE-2026-4852

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVE-2026-2505

The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'ztaxonomyimage' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates...

EUVD-2026-23929

GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFTReport::Create without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a...

CVE-2026-23752 GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can...

CVE-2026-34429

Summary: CVE-2026-34429 affects Vvveb versions prior to 1.0.8.1. A stored XSS vulnerability exists in the media upload/rename flow when MIME-type validation is bypassed and files are renamed to executable extensions. Attackers who have media upload and rename permissions can prepend a GIF89a head...

WordPress plugin wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

PT-2026-33819

Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject arbitrary JavaScript that is later executed when the malicious input is viewed in...

WordPress plugin Image Source Control Lite – Show Image Credits and Captions 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

EUVD-2026-23681

The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2026-0868

The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

PT-2026-33616

The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

WordPress plugin EMC – Easily Embed Calendarly Scheduling Features 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is a...

CVE-2026-2986 Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes'

The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'otherattributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-6048

The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL customattributes field in all versions up to, and including, 2.1.1 due to insufficient validation of custom attribute names. Specifically, the plugin uses eschtml ...

WordPress plugin Content Blocks (Custom Post Widget) 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...