CVE-2026-2840 Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eebmailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

WordPress Product Pricing Table by WooBeWoo plugin <= 1.1.0 - Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion vulnerability

Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Product Pricing Table by WooBeWoo versions = 1.1.0...

CVE-2025-13364

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'putwpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on...

CVE-2026-3875

The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocsfeedbackform' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible...

CVE-2026-3551 Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting

The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail...

CVE-2026-3551

The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail...

wger has Stored XSS via Unescaped License Attribution Fields

Stored XSS via Unescaped License Attribution Fields Summary The AbstractLicenseModel.attributionlink property in wger/utils/models.py constructs HTML strings by directly interpolating user-controlled fields licenseauthor, licensetitle, licenseobjecturl, licenseauthorurl, licensederivativesourceur...

PT-2026-33246

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su box' shortcode in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2026-20059 Cisco Unity Connection Reflected Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate...

WordPress Quick Interest Slider plugin <= 3.1.5 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Chawabhon Netisingha JNX03 in WordPress Plugin Quick Interest Slider versions = 3.1.5...

CVE-2026-3659 WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the circliful shortcode and via multiple shortcode attributes of the circlifuldirect shortcode in all versions up to and including 1.2. This is due to insufficient input...

PT-2026-33026

The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the pc shortcode in all versions up to, and including, 0.1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute. Specifically, in the ...

CVE-2026-4914

Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required...

CVE-2026-4388

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field Text Box input type in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization sanitizetextfield strips tags but not quotes and...

CVE-2025-65134

CVE-2025-65134 affects manikandan580 School-management-system 1.0. A reflected XSS in /studentms/admin/contact-us.php via the email POST parameter is reported. The CVSS 3.1 base metrics show Network attack vector, Low complexity, No privileges, user interaction required, with Confidentiality and ...

WordPress plugin Surbma | Booking.com Shortcode 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVE-2026-40112 PraisonAI has Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The sanitizehtml function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml...

CVE-2026-2509

CVE-2026-2509: The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 2.0.8. The root cause is an incomplete event handler blocklist in the pagelayer_xss_content filtering function, which blocks common event handlers but n...

CVE-2026-39693

CVE-2026-39693 affects the WordPress plugin FSM Custom Featured Image Caption by fesomia, with a DOM-Based XSS due to improper neutralization of input during web page generation. Affected versions are up to and including 1.25.1 . Red Hat/NVD/CVE records also confirm the issue and indicate the imp...

CVE-2026-35399

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing...