Lucene search
K

1188 matches found

NVD
NVD
added 7 hours ago7 views

CVE-2025-15665

The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end the value is passed through doshortcode, which echoes non-shortcode content verbatim, allowing users with...

5.4CVSS
Exploits0References1
CVE
CVE
added 7 hours ago6 views

CVE-2025-15665

The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end the value is passed through doshortcode, which echoes non-shortcode content verbatim, allowing users with...

5.4CVSS6.1AI score
Exploits0References1
NVD
NVD
added 3 days ago12 views

CVE-2026-15097

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'heightslider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00201EPSS
Exploits0References6
CVE
CVE
added 3 days ago9 views

CVE-2026-15096

The CVE concerns the Themify Builder WordPress plugin. A Stored Cross-Site Scripting (XSS) flaw exists in the Map Module’s b_width_map field across all versions up to 7.7.6, caused by insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or hig...

6.4CVSS6.2AI score0.00193EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-42842

The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode...

6.4CVSS6.2AI score0.00206EPSS
Exploits0References8
NVD
NVD
added 4 days ago8 views

CVE-2026-15292

The Sudoku Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'background' parameter in the 'sudoku-sc' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00243EPSS
Exploits0References5
Cvelist
Cvelist
added 4 days ago33 views

CVE-2026-15301 BuddyHolis TableSearch <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The BuddyHolis TableSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00156EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-15296 affiliate-toolkit – WP Affiliate Plugin with Amazon <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The affiliate-toolkit – WP Affiliate Plugin with Amazon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'atkpproduct' shortcode in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. Th...

6.4CVSS0.00266EPSS
Exploits0References3
EUVD
EUVD
added 4 days ago9 views

EUVD-2026-42739

Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a...

5.4CVSS6AI score0.00136EPSS
Exploits0References2
NVD
NVD
added 5 days ago5 views

CVE-2026-58144

Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a...

5.4CVSS0.00136EPSS
Exploits0References1
CVE
CVE
added 5 days ago9 views

CVE-2026-60120

Bagisto CVE-2026-60120 affects Bagisto before 2.4.4. It is a stored XSS via client-side template injection: an unauthenticated attacker registers a customer with malicious payload in the first or last name, causing the Create Order page to render in administrator browsers and execute arbitrary Ja...

5.4CVSS6.1AI score0.00201EPSS
Exploits0References3
CVE
CVE
added 6 days ago14 views

CVE-2025-14785

The CVE-2025-14785 entry covers a Stored Cross-Site Scripting vulnerability in the Website Builder by SeedProd – Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode WordPress plugin up to version 6.20.2. The issue arises from insufficient input sanitization and output escaping...

6.4CVSS6.1AI score0.00156EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago34 views

CVE-2025-14785 Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'seedprodnestedmenuwidget' Shortcode

The Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's seedprodnestedmenuwidget shortcode in all versions up to, and including, 6.20.2 due to insufficient input...

6.4CVSS0.00156EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/06 6:0 a.m.37 views

CVE-2026-11766 Ultimate Member < 2.12.0 - Subscriber+ Stored XSS via Custom Textarea Profile Fields

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, includin...

0.00247EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/03 6:50 a.m.6 views

CVE-2026-9148

The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor function, which interpolates the stored commentauthorurl...

7.2CVSS6.1AI score0.00305EPSS
Exploits0References12
CVE
CVE
added 2026/07/03 4:30 a.m.18 views

CVE-2026-8892

CVE-2026-8892 affects the CM Business Directory plugin for WordPress (versions up to and including 1.5.7). The vulnerability is a Stored Cross-Site Scripting (XSS) via the Business Address Meta Fields, caused by insufficient input sanitization and output escaping. Authenticated attackers with con...

6.4CVSS5.9AI score0.00212EPSS
Exploits0References7
CVE
CVE
added 2026/07/03 4:30 a.m.18 views

CVE-2026-9626

The CVE-2026-9626 entry concerns the WordPress JSON API User plugin (

6.4CVSS5.9AI score0.00228EPSS
Exploits0References6
CVE
CVE
added 2026/07/03 4:30 a.m.21 views

CVE-2026-8489

The CVE-2026-8489 case involves the WordPress plugin Ultimate Member (User Profile, Registration, Login, etc.). Affected: all versions up to 2.11.4. Vulnerability: Stored Cross-Site Scripting via the about_me field in user profiles, caused by insufficient input sanitization and output escaping. I...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References11
NVD
NVD
added 2026/07/03 2:16 a.m.7 views

CVE-2026-12734

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'connectorWidth' Block Attribute in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes i...

6.4CVSS0.00206EPSS
Exploits0References4
CVE
CVE
added 2026/07/01 8:44 p.m.24 views

CVE-2026-55661

CVE-2026-55661 affects TinaCMS rich-text rendering (Slate JSON) where the url field on Slate link/image nodes was not sanitized, allowing stored XSS via dangerous URL schemes such as javascript: or data:text/html. Affected versions include tinacms/mdx &lt;2.1.7 and tinacms =2.1.7 and tinacms &gt;...

4.8CVSS5.6AI score0.00239EPSS
Exploits0References2
Rows per page
Query Builder