1151 matches found

Vulnrichment
added 2026/02/11 8:26 a.m. | 2 views

CVE-2026-1853 BuddyHolis ListSearch <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'placeholder' Shortcode Attribute

The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listsearch' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 | AI score 5.8 | EPSS 0.00248
Exploits 0 | References 4
CVE
added 2026/02/11 8:26 a.m. | 17 views

CVE-2026-1853

CVE-2026-1853: The BuddyHolis ListSearch plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (SXSS) via the plugin’s shortcodes. In versions up to and including 1.1, insufficient input sanitization and output escaping on user-supplied attributes enables an attacker with at least ...

CVSS 6.4 | AI score 5.8 | EPSS 0.00248
Exploits 0 | References 4
Cvelist
added 2026/02/11 8:26 a.m. | 21 views

CVE-2026-1821 Microtango <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Microtango plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'restkey' parameter of the mtreservation shortcode in all versions up to, and including, 0.9.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVSS 6.4 | EPSS 0.00248
Exploits 0 | References 4
Vulnrichment
added 2026/02/11 4:36 a.m. | 3 views

CVE-2026-1893 Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute

The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_label' parameter in the 'orbisiusrandomnamegenerator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it...

CVSS 6.4 | AI score 5.7 | EPSS 0.00227
Exploits 0 | References 3
CVE
added 2026/02/09 7:25 p.m. | 10 views

CVE-2026-25491

Craft CMS has a stored XSS in Entry Type names for versions 5.0.0-RC1 to 5.8.21, caused by names not being sanitized when displayed in the Entry Types list. The issue is fixed in version 5.8.22. Exploitation details are not provided in the available documents.

CVSS 4.8 | AI score 5.4 | EPSS 0.0031
Exploits 1 | References 3 | Affected Software 1
Cvelist
added 2026/02/07 8:26 a.m. | 24 views

CVE-2026-0555 Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premmerce_wizard_actions' AJAX Endpoint

The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmerce_wizard_actions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the state parameter. Thi...

CVSS 6.4 | EPSS 0.00244
Exploits 0 | References 6
Vulnrichment
added 2026/02/07 5:52 a.m. | 2 views

CVE-2025-12159 Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btbbrawcontent shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 | AI score 5.7 | EPSS 0.00205
Exploits 0 | References 2
ATTACKERKB
added 2026/02/07 5:52 a.m. | 4 views

CVE-2025-12803

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'btbbtabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | AI score 5.6 | EPSS 0.00245
Exploits 0 | References 4
EUVD
added 2026/02/07 5:52 a.m. | 4 views

EUVD-2025-206898

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btbbaccordionitem shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 | AI score 5.6 | EPSS 0.00205
Exploits 0 | References 2
Positive Technologies
added 2026/02/07 12:00 a.m. | 6 views

PT-2026-6893

Name of the Vulnerable Software and Affected Versions: Wonka Slide versions up to and including 1.3.3. Description: The Wonka Slide plugin for WordPress is susceptible to Stored Cross-Site Scripting through the list class shortcode. Insufficient input sanitization and output escaping on user-supplie...

CVSS 6.4 | AI score 5.7 | EPSS 0.0019
Exploits 0 | References 4
Vulnrichment
added 2026/02/05 6:47 a.m. | 4 views

CVE-2026-1268 Dynamic Widget Content <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field

The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes ...

CVSS 6.4 | AI score 5.6 | EPSS 0.00288
Exploits 0 | References 4
Positive Technologies
added 2026/02/04 12:00 a.m. | 5 views

PT-2026-6021

Name of the Vulnerable Software and Affected Versions: WP Content Permission versions prior to 1.3. Description: The WP Content Permission plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping in the ohmem-message...

CVSS 4.4 | AI score 5.7 | EPSS 0.00264
Exploits 0 | References 5
OSV
added 2026/02/03 6:07 p.m. | 3 views

CVE-2026-25489 Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Ta...

CVSS 6.1 | AI score 5.4 | EPSS 0.00283
Exploits 1 | References 6
CVE
added 2026/02/03 6:38 a.m. | 16 views

CVE-2026-1058

The vulnerability CVE-2026-1058 affects the WordPress Form Maker plugin by 10Web. A stored XSS exists in all versions up to 1.15.35 due to insufficient escaping of hidden field values in the admin submissions list; html_entity_decode() is applied to user-supplied hidden field values without prope...

CVSS 7.1 | AI score 5.6 | EPSS 0.0032
Exploits 0 | References 3
CVE
added 2026/02/03 6:38 a.m. | 19 views

CVE-2026-1447

Summary: The Mail Mint plugin for WordPress (versions ≤ 1.19.2) is affected by a Cross-Site Request Forgery (CSRF) due to missing nonce validation in the create_or_update_note function. This can allow unauthenticated attackers to create or update contact notes by tricking an administrator, with t...

CVSS 5.4 | AI score 5.3 | EPSS 0.00162
Exploits 0 | References 6
Positive Technologies
added 2026/02/03 12:00 a.m. | 3 views

PT-2026-6045

Name of the Vulnerable Software and Affected Versions: Mail Mint plugin for WordPress versions up to and including 1.19.2. Description: The Mail Mint plugin for WordPress is susceptible to Cross-Site Request Forgery due to a lack of nonce validation in the create or update note function. This allows...

CVSS 5.4 | AI score 5.2 | EPSS 0.00162
Exploits 0 | References 9
Github Security Blog
added 2026/02/02 11:00 p.m. | 5 views

Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

Summary: A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. Proof of Concept: Requirements -...

CVSS 6.1 | AI score 5.7 | EPSS 0.00283
Exploits 1 | References 6 | Affected Software 1
Patchstack
added 2026/02/02 12:52 p.m. | 6 views

WordPress Bold Page Builder plugin <= 4.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Widget URL Attribute vulnerability discovered by wesley wcraft in WordPress Plugin Bold Page Builder versions <= 4.8.8...

CVSS 6.4 | AI score 5.3 | EPSS 0.00426
Exploits 0 | References 1 | Affected Software 1
Patchstack
added 2026/02/02 9:35 a.m. | 5 views

WordPress Content Blocks (Custom Post Widget) plugin <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via content_block Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via content_block Shortcode vulnerability discovered by Alex Thomas - Wordfence in WordPress Plugin Content Blocks (Custom Post Widget) versions <= 3.3.0...

CVSS 6.4 | AI score 5.3 | EPSS 0.00314
Exploits 0 | References 1 | Affected Software 1
Patchstack
added 2026/02/02 9:22 a.m. | 6 views

WordPress Login Logout Register Menu plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'llrmloginlogout' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'llrmloginlogout' Shortcode vulnerability discovered by Krzysztof Zając - CERT PL in WordPress Plugin Login Logout Register Menu versions <= 2.0...

CVSS 6.4 | AI score 5.3 | EPSS 0.00267
Exploits 0 | References 1 | Affected Software 1