
643 matches found

EUVD
added 2025/11/11 6:30 a.m. | 2 views

EUVD-2025-60946

The Share to Google Classroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sharetogoogle shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVSS 6.4 | AI score 4.6 | EPSS 0.00157
Exploits: 0 | References: 3

EUVD
added 2025/11/11 6:30 a.m. | 3 views

EUVD-2025-60931

The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in the 'jebaforkit' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVSS 6.4 | AI score 4.7 | EPSS 0.00189
Exploits: 0 | References: 4

NVD
added 2025/11/11 4:15 a.m. | 1 view

CVE-2025-12590

The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1. This is due to missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. This makes it...

CVSS 6.1 | EPSS 0.00123
Exploits: 0 | References: 3

NVD
added 2025/11/11 4:15 a.m. | 4 views

CVE-2025-12631

The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

CVSS 4.4 | EPSS 0.00168
Exploits: 0 | References: 2

CVE
added 2025/11/11 3:30 a.m. | 21 views

CVE-2025-12658

CVE-2025-12658 affects the WordPress plugin Preload Current Images (versions up to 1.3). The vulnerability is a Stored Cross‑Site Scripting (XSS) via the complete parameter in the preload_progress_bar shortcode, caused by insufficient input sanitization and output escaping of user-supplied attrib...

CVSS 6.4 | AI score 4.8 | EPSS 0.00189
Exploits: 0 | References: 3

Cvelist
added 2025/11/11 3:30 a.m. | 7 views

CVE-2025-11859 Paypal Donation Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Paypal Donation Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in all versions up to, and including, 0.1. This is due to the plugin not properly sanitizing user input and output of the 'title' and 'text' parameters. This makes it possibl...

CVSS 6.4 | EPSS 0.00157
Exploits: 0 | References: 2

CVE
added 2025/11/11 3:30 a.m. | 17 views

CVE-2025-12671

The CVE-2025-12671 entry concerns the WordPress WP-Iconics plugin with stored cross-site scripting in the wp_iconics shortcode parameters. Affected versions are listed as up to 0.0.4 (and upstream updates address 0.0.5+ per remediation notes). Root cause is insufficient input sanitization and ina...

CVSS 6.4 | AI score 4.8 | EPSS 0.00189
Exploits: 0 | References: 3

Cvelist
added 2025/11/11 3:30 a.m. | 12 views

CVE-2025-11869 Precise Columns <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Precise Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wrapid shortcode attribute in all versions up to, and including, 1.0. This is due to the plugin not properly sanitizing user input or escaping output when inserting the wrapper ID into the generated HTML...

CVSS 6.4 | EPSS 0.00157
Exploits: 0 | References: 2

CVE
added 2025/11/11 3:30 a.m. | 17 views

CVE-2025-12589

CVE-2025-12589 affects the WordPress plugin WP-Walla (versions up to and including 0.5.3.5). The issue is a combination of Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) due to missing nonce verification on the settings page and insufficient input sanitization/output esca...

CVSS 6.1 | AI score 4.5 | EPSS 0.00128
Exploits: 0 | References: 5

Cvelist
added 2025/11/11 3:30 a.m. | 6 views

CVE-2025-12672 Flickr Show <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Flickr Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'divheight' parameter of the 'flickrshow' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVSS 6.4 | EPSS 0.00189
Exploits: 0 | References: 3

Vulnrichment
added 2025/11/11 3:30 a.m. | 1 view

CVE-2025-12589 WP-Walla <= 0.5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possibl...

CVSS 6.1 | AI score 4.4 | EPSS 0.00128
Exploits: 0 | References: 5

CVE
added 2025/11/11 3:30 a.m. | 14 views

CVE-2025-12754

CVE-2025-12754 (Geopost WordPress plugin): Concrete details are provided across multiple connected sources. The Geopost plugin (WordPress) is affected in all versions up to 1.2 and is vulnerable to Stored Cross-Site Scripting via the height parameter of the geopost shortcode. The root cause is i...

CVSS 6.4 | AI score 4.8 | EPSS 0.00189
Exploits: 0 | References: 3

OSV
added 2025/11/10 9:15 a.m. | 2 views

CVE-2025-41107

Stored Cross-Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/onlineadmission', which affects the parameters 'firstname', 'lastname', 'guardianname' and others. This vulnerability could allow a remote user to send ...

CVSS 5.4 | AI score 5.9 | EPSS 0.00165
Exploits: 0 | References: 1

RedhatCVE
added 2025/11/07 3:54 p.m. | 10 views

CVE-2025-48083

Cross-Site Request Forgery (CSRF) vulnerability in andriassundskard wpNamedUsers wpnamedusers allows Stored XSS. This issue affects wpNamedUsers: from n/a through = 0.5...

CVSS 7.1 | AI score 6.6 | EPSS 0.00103
Exploits: 0 | References: 1

Positive Technologies
added 2025/11/06 12:00 a.m. | 7 views

PT-2025-45199

Cross-Site Request Forgery (CSRF) vulnerability in andriassundskard wpNamedUsers wpnamedusers allows Stored XSS. This issue affects wpNamedUsers: from n/a through = 0.5...

AI score 6.6 | EPSS 0.00103
Exploits: 0 | References: 2

RedhatCVE
added 2025/11/05 5:08 a.m. | 3 views

CVE-2025-12396

The clubmember plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

CVSS 4.4 | AI score 4.9 | EPSS 0.00158
Exploits: 0 | References: 1

Cvelist
added 2025/11/05 12:00 a.m. | 8 views

CVE-2025-57244

OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags and the Email field is vulnerable when the POST request is modified to include encoded script tags, bypassing frontend validation...

EPSS 0.00175
Exploits: 1 | References: 2

Cvelist
added 2025/11/05 12:00 a.m. | 7 views

CVE-2025-63417

A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated attackers to inject arbitrary web scripts or HTML via the chat message input field. This malicious content is stored and then executed in the context of other users'...

EPSS 0.00205
Exploits: 1 | References: 1

NVD
added 2025/11/04 12:15 p.m. | 6 views

CVE-2025-12045

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output...

CVSS 6.4 | EPSS 0.00199
Exploits: 0 | References: 5

CVE
added 2025/11/04 4:27 a.m. | 26 views

CVE-2025-12403

CVE-2025-12403 concerns the WordPress plugin Associados Amazon Plugin (brzon) <= 0.8. Wordfence notes a Cross-Site Request Forgery (CSRF) vulnerability that leverages missing or incorrect nonce validation in brzon_admin_panel(), enabling unauthenticated attackers to trigger settings updates an...

CVSS 6.1 | AI score 5 | EPSS 0.00127
Exploits: 0 | References: 4