49 matches found
CVE-2026-3568
CVE-2026-3568 affects the WordPress MStore API plugin up to version 4.18.3. The root cause is in update_user_profile() processing the raw JSON field 'meta_data' without validation, allowlisting, or sanitization, and then applying arbitrary keys/values to update_user_meta() after cookie-based auth...
EUVD-2022-25038
Malicious code in bioql PyPI...
EUVD-2023-2433
Malicious code in bioql PyPI...
EUVD-2023-0921
Malicious code in bioql PyPI...
EUVD-2024-1870
Malicious code in bioql PyPI...
EUVD-2023-2935
Malicious code in bioql PyPI...
EUVD-2025-4273
Malicious code in bioql PyPI...
EUVD-2023-0918
Malicious code in bioql PyPI...
CVE-2025-7672 Stored-XSS possibility in Namo CrossEditor4
The improper default setting in JiranSoft CrossEditor4 on Windows, Linux, Unix API modules potentaily allows Stored XSS. This issue affects CrossEditor4: from 4.0.0.01 before 4.6.0.23...
CVE-2024-7860
The Simple Headline Rotator WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-5284
The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-13057
The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2022-2171
The Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue...
CVE-2021-32475
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected...
CVE-2021-36398
In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk...
CVE-2021-24586
The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting feature mentioned by the plugin, this...
CVE-2024-8095
CVE-2024-8095 concerns the BabelZ WordPress plugin (versions up to 1.1.5). Multiple sources confirm a lack of CSRF protection in certain areas, plus insufficient sanitisation and escaping, enabling a logged-in admin to inject a Stored XSS payload via a CSRF attack. The vulnerability affects BabelZ
PT-2025-17135 · Buildium · Buildium
Name of the Vulnerable Software and Affected Versions: Listings for Buildium versions 0.1.4 and earlier Description: The issue is related to a Cross-Site Request Forgery CSRF vulnerability that also allows Stored XSS. This means an attacker could potentially trick a user into performing unintende...
CVE-2025-39548 WordPress Right Click Disable OR Ban plugin <= 1.1.17 - CSRF to Stored XSS vulnerability
Cross-Site Request Forgery CSRF vulnerability in A WP Life Right Click Disable OR Ban allows Stored XSS. This issue affects Right Click Disable OR Ban: from n/a through 1.1.17...
Moodle 4.4.x < 4.4.1 Multiple Vulnerabilities
According to its self-reported version, the Moodle install hosted on the remote host is prior to 4.1.11, 4.2.x prior to 4.2.8, or 4.3.x prior to 4.3.5 or 4.4.x prior to 4.4.1. It is, therefore, affected by multiple vulnerabilities. - A unique key should be generated for a user's QR login key and...