
643 matches found

CVE
added 2025/09/30 3:35 a.m., 17 views

CVE-2025-8608

CVE-2025-8608 affects Mihdan: Elementor Yandex Maps plugin for WordPress (versions up to 1.6.11). The vulnerability is a Stored XSS via the plugin’s block attributes, caused by insufficient input sanitization and output escaping. An authenticated attacker with contributor-level access or higher c...

6.4 CVSS, 4.7 AI score, 0.00219 EPSS
Exploits 0, References 3

Vulnrichment
added 2025/09/30 3:35 a.m., 1 views

CVE-2025-10128 Eulerpool Research Systems <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS, 4.7 AI score, 0.00176 EPSS
Exploits 0, References 2

Cvelist
added 2025/09/30 3:35 a.m., 8 views

CVE-2025-8623 WeedMaps Menu for WordPress <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via weedmaps_menu Shortcode

The WeedMaps Menu for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's weedmapsmenu shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS, 0.00211 EPSS
Exploits 0, References 3

CVE
added 2025/09/30 3:35 a.m., 18 views

CVE-2025-10179

CVE-2025-10179 – My AskAI (WordPress) – Stored XSS. Affected: My AskAI WordPress plugin; vulnerable component is the myaskai shortcode. Root cause: insufficient input sanitization and output escaping on user-supplied attributes. Impact: authenticated attackers with contributor-level access can i...

6.4 CVSS, 4.7 AI score, 0.00183 EPSS
Exploits 0, References 2

CVE
added 2025/09/30 3:35 a.m., 17 views

CVE-2025-8566

Summary (CVE-2025-8566): The GutenBee – Gutenberg Blocks WordPress plugin is vulnerable to Stored Cross-Site Scripting in CountUp and Google Maps blocks. Affected versions are up to 2.18.0 due to insufficient input sanitization and output escaping. Exploitation requires authenticated access at Con...

6.4 CVSS, 4.7 AI score, 0.00221 EPSS
Exploits 0, References 3

CNNVD
added 2025/09/29 12:0 a.m., 3 views

Mealie security vulnerability

Mealie is a self-hosted recipe manager and meal planner by an individual developer in Hayden, USA. A security vulnerability exists in Mealie 3.0.1 and prior versions, which stems from the failure to clean and escape user input in the note and text fields in the recipe creation feature, which coul...

9 CVSS, 5.7 AI score, 0.0034 EPSS
Exploits 2, References 4

RedhatCVE
added 2025/09/27 3:47 a.m., 13 views

CVE-2025-9044

The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and...

6.4 CVSS, 5.1 AI score, 0.00239 EPSS
Exploits 0, References 1

NVD
added 2025/09/26 9:15 a.m., 14 views

CVE-2025-60172

Cross-Site Request Forgery (CSRF) vulnerability in flytedesk Flytedesk Digital flytedesk-digital allows Stored XSS. This issue affects Flytedesk Digital: from n/a through <= 20181101...

7.1 CVSS, 0.00108 EPSS
Exploits 0, References 1

CVE
added 2025/09/26 8:32 a.m., 10 views

CVE-2025-60173

CVE-2025-60173: GST for WooCommerce (plugin) has a CSRF flaw that enables Stored XSS in versions up to 2.0. The NVD entry lists a CVSS v3.1 base score of 7.1 (HIGH) with NETWORK attack vector, UI required, and updated as of 2026-01-27. Connected sources corroborate the vendor/plugin (GST for Woo...

7.1 CVSS, 5.9 AI score, 0.00108 EPSS
Exploits 0, References 1

NVD
added 2025/09/26 7:15 a.m., 3 views

CVE-2025-10490

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4 CVSS, 0.00182 EPSS
Exploits 0, References 2

NVD
added 2025/09/26 4:16 a.m., 14 views

CVE-2025-9044

The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and...

6.4 CVSS, 0.00239 EPSS
Exploits 0, References 6

Cvelist
added 2025/09/26 1:47 a.m., 6 views

CVE-2025-10178 CM Business Directory <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbdfeaturedimage' shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS, 0.00223 EPSS
Exploits 0, References 5

Positive Technologies
added 2025/09/26 12:0 a.m., 2 views

PT-2025-39571

Name of the Vulnerable Software and Affected Versions: Ryan Hellyer Simple Colorbox versions through 1.6.1. Description: The software contains a flaw related to improper input handling during web page generation, which can lead to Cross-site Scripting (XSS). This specific instance allows for Stored XS...

6.5 CVSS, 5.5 AI score, 0.00196 EPSS
Exploits 0, References 3

Vulnrichment
added 2025/09/23 2:55 p.m., 1 views

CVE-2025-4760 Authenticated Stored Cross-Site Scripting (XSS) in Multiple WSO2 Products via API Document Upload in Publisher

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript,...

4.8 CVSS, 5.2 AI score, 0.00173 EPSS
Exploits 0, References 1

NVD
added 2025/09/22 7:16 p.m., 4 views

CVE-2025-58261

Cross-Site Request Forgery (CSRF) vulnerability in PressPage Entertainment Inc Mavis HTTPS to HTTP Redirection mavis-https-to-http-redirect allows Stored XSS. This issue affects Mavis HTTPS to HTTP Redirection: from n/a through <= 1.4.3...

7.1 CVSS, 0.00118 EPSS
Exploits 0, References 1

Cvelist
added 2025/09/20 4:27 a.m., 6 views

CVE-2025-10181 Draft List <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4 CVSS, 0.00223 EPSS
Exploits 0, References 5

CVE
added 2025/09/17 1:49 a.m., 24 views

CVE-2025-9851

CVE-2025-9851 affects the WordPress Appointmind plugin. The vulnerability is a Stored Cross‑Site Scripting via the appointmind_calendar shortcode in all versions up to 4.1.0, caused by insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with co...

6.4 CVSS, 4.7 AI score, 0.0018 EPSS
Exploits 0, References 2

RedhatCVE
added 2025/09/13 7:25 a.m., 10 views

CVE-2025-9855

The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplugauthors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS, 5 AI score, 0.0018 EPSS
Exploits 0, References 1

CVE
added 2025/09/11 7:24 a.m., 17 views

CVE-2025-8318

CVE-2025-8318 affects the WordPress Jobify plugin (versions

6.4 CVSS, 4.7 AI score, 0.00216 EPSS
Exploits 0, References 3

Vulnrichment
added 2025/09/11 7:24 a.m., 1 views

CVE-2025-5801 Digital Events Calendar <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via column Parameter

The Digital Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘column’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

6.4 CVSS, 4.7 AI score, 0.00271 EPSS
Exploits 0, References 3