CVE-2026-1903

The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sbravelrydesigns' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes...

CVE-2026-1939

The Percent to Infograph plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the percenttograph shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1844

The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pyslandingpage' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for...

PT-2026-8242

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. Attackers can send POST requests to interfaces vlan edit.php with script payloads in the tag, descr, or vlanif parameter...

PT-2026-8240

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive GDriveEmail, GDrive GDriveFolderID, GDrive GDriveBackupCount, Nextcloud url, Nextcloud user, Nextcloud...

CVE-2026-1512

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget in all versions up to, and including, 6.5.9 due to insufficient input sanitization and output escaping on user supplied...

CVE-2026-1096

The Best-wp-google-map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'latitude' and 'longitudinal' parameters of the 'googlemapview' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible f...

CVE-2026-1915

The Simple Plyr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'poster' parameter in the 'plyr' shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-0753 Super Simple Contact Form <= 1.6.2 - Reflected Cross-Site Scripting via 'sscf_name' Parameter

The Super Simple Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sscfname' parameter in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-1795

The CVE-2026-1795 entry concerns the WordPress plugin Address Bar Ads (≤ 1.0.0). The root cause is insufficient input sanitization and output escaping in the URL Path, enabling a Reflected Cross-Site Scripting (XSS) vulnerability. Affected: Address Bar Ads plugin for WordPress (all versions up to...

CVE-2026-1901 QuestionPro Surveys <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1796

The StyleBidet plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in page...

PT-2026-8079

The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb ravelry designs' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes...

PT-2026-8085

The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing javascript:...

WordPress plugin Ravelry Designs Widget 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

PT-2026-8069

The Super Simple Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sscf name' parameter in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

Improper Encoding Or Escaping Of Output

HtmlSanitizer is vulnerable to Improper Encoding or Escaping of Output. The vulnerability is due to improper sanitization of content inside the allowed tag, which allows an attacker to inject malicious scripts that can execute when the shadowrootmode attribute is set...

CVE-2026-1721

CVE-2026-1721 is a reflected XSS in AI Playground’s OAuth callback handler. The root cause is direct interpolation of the error_description query parameter into an inline script tag in site/ai-playground/src/server.ts, enabling arbitrary JavaScript execution in a victim’s session. Reported impact...

CVE-2025-70092

A cross-site scripting XSS vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Name parameter...

PT-2026-8038

Name of the Vulnerable Software and Affected Versions PixelYourSite PRO plugin for WordPress versions prior to 12.4.0.3 Description The PixelYourSite PRO plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping related ...