CVE-2026-2374 Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...

CVE-2026-8627

The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in versions up to and including 1.0. This is due to the correctpricespage function echoing $SERVER'PHPSELF' into a form's action attribute without any input sanitization or...

WordPress plugin Correct Prices 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

PT-2026-42084

Name of the Vulnerable Software and Affected Versions Correct Prices versions prior to 1.1 Description The Correct Prices plugin for WordPress is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing an...

CVE-2026-5644 Cyber-III Student-Management-System batch-notice.php cross site scripting

A security flaw has been discovered in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Affected is an unknown function of the file /admin/Add%20notice/batch-notice.php. Performing a manipulation of the argument $SERVER'PHPSELF' results in cross site scripting...

WordPress Vzaar Media Management plugin <= 1.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability

Reflected Cross-Site Scripting via $SERVER'PHPSELF' vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Vzaar Media Management versions = 1.2...

CVE-2025-13701 Shabat Keeper <= 0.4.4 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

CVE-2025-14130

The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...

PT-2026-1720

Name of the Vulnerable Software and Affected Versions MG AdvancedOptions versions prior to 1.3 Description The MG AdvancedOptions plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping. This allows unauthenticated attackers t...

PT-2026-1721

Name of the Vulnerable Software and Affected Versions Lesson Plan Book versions prior to 1.4 Description The Lesson Plan Book plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to...

CVE-2025-14131 WP Widget Changer <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The WP Widget Changer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2025-14131

CVE-2025-14131 refers to the WP Widget Changer plugin for WordPress, with a Reflected Cross-Site Scripting vulnerability via $_SERVER['PHP_SELF'] in all versions up to 1.2.5 due to insufficient input sanitization and output escaping. The Wordfence Intelligence report confirms the issue and lists ...

CVE-2025-14130

CVE-2025-14130 affects the WordPress Post Like Dislike plugin (

CVE-2025-14130 Post Like Dislike <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...

CVE-2025-14127 Testimonial Master <= 0.2.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2025-14128 Stumble! for WordPress <= 1.1.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2025-14127

CVE-2025-14127 concerns the Testimonial Master WordPress plugin. The Wordfence report confirms a reflected Cross‑Site Scripting flaw caused by insufficient input sanitization and output escaping in versions up to 0.2.1, exploitable via the PHP_SELF variable. The vulnerability is unauthenticated a...

WordPress plugin Testimonial Master 跨站脚本漏洞

WordPress and the WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site scriptin...

WordPress plugin Stumble! for WordPress 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plug-in. A cross-site scriptin...

WordPress plugin Post Like Dislike 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site scripting...