1123163 matches found
CVE-2026-4078
The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the...
CVE-2026-4429
The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'markername' and 'filecolorlist' shortcode attribute of the osmmapv3 shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. This mak...
CVE-2026-4852
The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...
CVE-2026-4353
The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the cihubmetadata shortcode in all versions up to, and including, 1.2.106 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
CVE-2026-4025
The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' shortcode attribute in the pc-login-form shortcode in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on the 'align' attribute...
CVE-2026-4125
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...
CVE-2026-4142
The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via...
CVE-2026-4655
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the rendersvg...
CVE-2026-4074
The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Th...
CVE-2026-4919
IBM Guardium Data Protection 12.1 is vulnerable to cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...
CVE-2026-4394
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field input.4 in all versions up to, and including, 2.9.30. This is due to the getvalueentrydetail method in the GFFieldCreditCard class outputting the card type value...
CVE-2026-4293
The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser...
CVE-2026-4080
The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'addtocart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectpaddtocart function...
CVE-2026-4341
The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'followustext' setting of the Mount widget in all versions up to, and including, 4.1.10. This is due to insufficient input sanitization and output escaping. Specifically, the...
CVE-2026-4479
The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2026-4303
The WP Visitor Statistics Real Time Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wsmshowDayStatsGraph' shortcode in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This...
CVE-2026-4785
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttoncaption' parameter in the latepointresources shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the...
CVE-2026-4336
The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling htmlentitydecode on postcontent during rendering in the setdisplayvariables function View.FAQ.class.php, line...
CVE-2026-4420
Bludit is vulnerable to Stored Cross-Site Scripting XSS in its page creating functionality. An authenticated attacker with page creation privileges such as Author, Editor, or Administrator can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be...
CVE-2026-4059
The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentorquickviewbutton shortcode's buttontext attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode...