1447 matches found
CVE-2026-57402
CVE-2026-57402 concerns the WordPress plugin Flexible Refund and Return Order for WooCommerce (versions
CVE-2026-57417 WordPress Cart Lift plugin <= 3.1.57 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RexTheme Cart Lift cart-lift allows Stored XSS.This issue affects Cart Lift: from n/a through = 3.1.57...
CVE-2026-57387 WordPress picu plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in picu picu picu allows Stored XSS.This issue affects picu: from n/a through = 3.5.1...
PT-2026-57559
Name of the Vulnerable Software and Affected Versions luci-app-upnp affected versions not specified Description Stored cross-site scripting occurs when unauthenticated LAN clients inject JavaScript through UPnP IGD AddPortMapping SOAP requests. The issue arises because the NewPortMappingDescripti...
CVE-2026-5743 Mixed Media Gallery Blocks <= 3.3.3.1 - Authenticated (Author+) Stored Cross-Site Scripting via sliderMaxHeight Block Attribute
The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. This is due to insufficient input sanitization and output escaping on the sliderMaxHeight block attribute in the...
EUVD-2026-43049
Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Tagify allows Stored XSS. This issue affects Tagify versions: from 0.0.0 to 1.2.52...
EUVD-2026-43002
The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-13710 Jeg Kit for Elementor <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sg_body_description' Parameter via 'jkit_image_box' Shortcode/Widget
The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget's 'sgbodydescription' parameter in versions up to, and including, 3.2.6. This is due to insufficient input...
CVE-2026-13710
The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress is affected by a Stored Cross-Site Scripting vulnerability in the Image Box widget’s sg_body_description parameter, affecting versions up to 3.2.6. The issue stems from insufficient input sanitization and...
CVE-2026-13441
EventPrime – Events Calendar, Bookings and Tickets for WordPress is affected by a stored cross-site scripting (Stored XSS) in the new_event_type_background_color parameter, present in all versions up to and including 4.3.4.2. The vulnerability arises from insufficient input sanitization and outpu...
CVE-2026-6459 Essential Addons for Elementor <= 6.6.2 - Authenticated (Author+) Stored Cross-Site Scripting via Event Calendar Widget Popup
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced...
CVE-2026-12948
The CVE-2026-12948 vulnerability affects the web management interfaces of Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA. It is a stored XSS (CWE-79) that permits a remote, authenticated administrator to inject script into certain system configuration fields; the script can exec...
CVE-2026-11855 Simple Membership < 4.7.5 - Unauthenticated Stored XSS via Stripe Webhook API Version
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web...
CVE-2026-4804
The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields zakramenuitemcolor, zakramenuitemhovercolor, and zakramenuitemactivecolor with 'showinrest' = tr...
PT-2026-55517
Name of the Vulnerable Software and Affected Versions Zakra versions prior to 4.2.1 Description The Zakra theme for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the theme registers three post meta fields—zakra menu item color, zakra menu item hover color, and zakra...
CVE-2026-13704
Summary: CVE-2026-13704 affects the GiveWP – Donation Plugin and Fundraising Platform for WordPress. The vulnerability is a Stored Cross‑Site Scripting issue exploitable via the parameter sequoia[introduction][image] and exists in all versions up to and including 4.16.1 due to insufficient input ...
EUVD-2026-40934
The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classwrapperform' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections method at line 98, wher...
CVE-2026-9107 Kali Forms <= 2.4.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'kaliforms_field_components' Parameter
The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'metakaliformsfieldcomponents' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This makes it possible...
EUVD-2026-40888
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockid' and other shortcode attributes of the 'givewpcampaigncomments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitizati...
CVE-2026-8141
The Ajax Load More - Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'taxonomyincludechildren' parameter in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...