CVE-2021-4367

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Options Change by using the floimportformsoptions AJAX action in versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping along with missing...

CVE-2025-48144

Cross-Site Request Forgery CSRF vulnerability in sidngr Import Export For WooCommerce allows Stored XSS. This issue affects Import Export For WooCommerce: from n/a through 1.6.2...

CVE-2024-9663

The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-8095

The BabelZ WordPress plugin through 1.1.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

CVE-2024-5440

The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...

WordPress plugin Contribuinte Checkout 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forgery...

WordPress plugin Team Members 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability exists in...

WordPress plugin Bknewsticker 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request...

PT-2025-14231 · Smartarget · Smartarget Popup

Name of the Vulnerable Software and Affected Versions: Smartarget Popup versions 1.4 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject...

WordPress cTabs plugin <= 1.3 - CSRF to Stored XSS Vulnerability

CSRF to Stored XSS Vulnerability discovered by Abdi Pranata in WordPress Plugin cTabs versions = 1.3...

WordPress plugin cTabs 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request...

WordPress plugin Pro Rank Tracker 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forger...

PT-2025-12560 · WordPress · Metaslider

Name of the Vulnerable Software and Affected Versions: The Slider, Gallery, and Carousel by MetaSlider WordPress plugin versions prior to 3.95.0 Description: The issue allows high privilege users, such as editors, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html...

Multiple vulnerabilities in home gateway HGW-BL1500HM

Overview Home gateway HGW-BL1500HM provided by KDDI CORPORATION contains multiple vulnerabilities listed below. Stored cross-site scripting in the NickName registration screen CWE-79 - CVE-2025-27567 Stored cross-site scripting in the USB storage file-sharing function CWE-79 - CVE-2025-27574 Path...

CVE-2025-2078

The BlogBuzzTime for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissio...

CVE-2024-9019

The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's secupresscheckbanipsform shortcode in all versions up to, and including, 2.2.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVE-2025-0953

The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

PT-2025-6572 · WordPress · Cats Job Listings

Name of the Vulnerable Software and Affected Versions: CATS Job Listings plugin for WordPress versions up to and including 2.0.9 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'catsone' shortcode due to insufficient input sanitization and output escaping on...

PT-2025-5961 · Unknown · Djjmz Simple Auto Tag

Name of the Vulnerable Software and Affected Versions: djjmz Simple Auto Tag versions 1.1 and earlier Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application,...

PT-2025-5944 · Zmseo · Zmseo

Name of the Vulnerable Software and Affected Versions: ZMSEO versions 1.14.1 and earlier Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, and also stor...