PT-2026-8037

Name of the Vulnerable Software and Affected Versions PixelYourSite – Your smart PIXEL TAG & API Manager plugin for WordPress versions through 11.2.0 Description The PixelYourSite – Your smart PIXEL TAG & API Manager plugin for WordPress is susceptible to Stored Cross-Site Scripting. Insufficient...

CVE-2025-70297

A stored cross-site scripting XSS vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser...

CVE-2025-65480

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution...

CVE-2019-25312

InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session...

CVE-2019-25316 GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. Attackers can exploit the CreateEvent.php endpoint by sending crafted POST requests with XSS payloads to execute arbitrary...

CVE-2019-25311

thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. Attackers can submit crafted script payloads in operatingsystem, systemowner, systemusername, systempassword,...

CVE-2019-25312

CVE-2019-25312 affects InoERP 0.7.2, introducing a persistent cross-site scripting (XSS) vulnerability in the comment section. The issue allows unauthenticated attackers to submit comments containing JavaScript payloads that execute in other users’ browsers, with potential cookie and session info...

CVE-2026-1885

The Slideshow Wp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sswpid' attribute of the 'sswp-slide' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2025-13648

An attacker with access to the web application ZeusWeb of the provider Microcom in this case, registration is required who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the...

CVE-2026-1827

CVE-2026-1827 — The IDE Micro code-editor WordPress plugin (flask-micro) versions ≤ 1.0.0 is vulnerable to Stored Cross-Site Scripting via the codeflask shortcode, due to insufficient input sanitization and output escaping on the shortcode attributes (notably the title attribute). Impact: authent...

CVE-2026-1826 OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The OpenPOS Lite – Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the orderqrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible fo...

CVE-2026-1853

CVE-2026-1853 : The BuddyHolis ListSearch plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (SXSS) via the plugin’s shortcodes. In versions up to and including 1.1, insufficient input sanitization and output escaping on user-supplied attributes enables an attacker with at least ...

CVE-2026-1821 Microtango <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Microtango plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'restkey' parameter of the mtreservation shortcode in all versions up to, and including, 0.9.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2026-24323

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality a...

CVE-2026-1893 Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute

The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnlabel' parameter in the 'orbisiusrandomnamegenerator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it...

CVE-2026-1231

The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the js Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on saveglobalsettings function and insufficient...

CVE-2025-65480

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution...

Mealie 安全漏洞

Mealie is a self-hosted recipe manager and meal planner developed by Hayden in the United States. Version 3.3.1 of Mealie contains a security vulnerability. This vulnerability stems from the use of storage-oriented cross-site scripting in the recipe asset upload and media service components. It m...

CVE-2025-65480

Pacom Unison Client 5.13.1 contains a vulnerability where authenticated users can inject malicious scripts into Report Templates that are executed when certain script conditions are fulfilled, leading to Remote Code Execution. This is the stated impact; no exploit details are provided in the avai...

Pacom Unison Client 安全漏洞

Pacom Unison Client is an intelligent security management system developed by the Pacom company in the United States. Version 5.13.1 of Pacom Unison Client contains a security vulnerability. This vulnerability allows authenticated users to inject malicious scripts into report templates, potential...