CVE-2025-14453

CVE-2025-14453 affects the My Album Gallery WordPress plugin. A stored XSS exists via the style_css shortcode attribute in all versions up to 1.0.4 due to insufficient input sanitization and output escaping. Exploitation requires authenticated access (Contributor level or higher) and affects page...

CVE-2025-13849 Cool YT Player <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

CVE-2025-14028

CVE-2025-14028 affects Contact Us Simple Form (WordPress) plugins

WordPress SVG Map Plugin plugin <= 1.0.0 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting vulnerability discovered by dayea song - Ahnlab in WordPress Plugin SVG Map Plugin versions = 1.0.0...

CVE-2025-14888

CVE-2025-14888 : Simple User Meta Editor (WordPress) is vulnerable to stored XSS via the User Meta Value field in all versions up to 1.0.0, due to insufficient input sanitization and output escaping. This affects multisite setups and installations where unfiltered_html is disabled, enabling an au...

CVE-2025-14891 Customer Reviews for WooCommerce <= 5.93.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via displayName Parameter

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-12513 A user with elevated privileges can inject XSS in the Hosts configuration parameters page

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Centreon Infra Monitoring Hosts configuration form modules allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0...

CVE-2026-21431

Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the Resource media library function while publishing an article. As of time of publication, no known patched versions are available...

CVE-2025-49346

Cross-Site Request Forgery CSRF vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Stored XSS.This issue affects Simple Archive Generator: from n/a through = 5.2...

CVE-2025-49357 WordPress Audiomack plugin <= 1.4.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Audiomack allows Stored XSS.This issue affects Audiomack: from n/a through 1.4.8...

EUVD-2025-205969

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Curator.Io allows Stored XSS.This issue affects Curator.Io: from n/a through 1.9.5...

CVE-2025-63005

CVE-2025-63005 corresponds to the WordPress Tooltips plugin vulnerability. Connected sources confirm a Stored Cross-Site Scripting (XSS) issue in Tooltips for WordPress, affecting versions up to 10.8.3 (i.e.,

CVE-2025-68885 WordPress Custom Post Status plugin <= 1.1.0 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability

Cross-Site Request Forgery CSRF vulnerability in page-carbajal Custom Post Status custom-post-status allows Stored XSS.This issue affects Custom Post Status: from n/a through = 1.1.0...

CVE-2025-68885 WordPress Custom Post Status plugin <= 1.1.0 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability

Cross-Site Request Forgery CSRF vulnerability in page-carbajal Custom Post Status custom-post-status allows Stored XSS.This issue affects Custom Post Status: from n/a through = 1.1.0...

CVE-2025-49346

Cross-Site Request Forgery CSRF vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Stored XSS.This issue affects Simple Archive Generator: from n/a through = 5.2...

WordPress FunnelKit plugin <= 3.13.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via wfopphone Shortcode vulnerability discovered by zaim in WordPress Plugin Funnel Builder by FunnelKit versions = 3.13.1.2...

WordPress Ultimate Blocks plugin <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via content Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Ultimate Blocks versions = 3.2.7...

CVE-2025-65442

DOM-based Cross-Site Scripting XSS vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrary JavaScript code or disclose sensitive information e.g., user session cookies via a crafted "wvstest" parameter in the URL or malicious script injection into window.localStorage...

CVE-2019-25244

Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through...

CVE-2025-67630 WordPress WH Tweaks plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in webheadcoder WH Tweaks wh-tweaks allows Stored XSS.This issue affects WH Tweaks: from n/a through = 1.0.2...