Lucene search
+L

36824 matches found

CVE
CVE
added 7 hours ago8 views

CVE-2026-10525

The CVE concerns the NEX-Forms WordPress plugin, affected versions before 9.2.3. The underlying issue is insufficient sanitisation and escaping of submitted form data that is stored and later output in the admin dashboard, enabling a Stored XSS attack. Impact: unauthenticated users could perform ...

6.1AI score
Exploits0References1
Nuclei
Nuclei
added 8 hours ago8 views

WPBot <= 8.4.9 - Cross-Site Scripting

WPBot = 8.4.9 is vulnerable to stored cross-site scripting via the conversation parameter in the qcldwbchatbotconversationsave AJAX action. The AJAX nonce qcsecretbotnonceval123qc is publicly emitted on every frontend page via wplocalizescript under the ajaxnonce key, making it freely obtainable ...

7.2CVSS4.8AI score0.00524EPSS
Exploits0References2
Nuclei
Nuclei
added 8 hours ago21 views

tagDiv Composer < 4.2 - Stored Cross-Site Scripting

tagDiv Composer plugin versions before 4.2 for WordPress are vulnerable to unauthenticated stored XSS via the /wp-json/tdw/savecss endpoint. An attacker can inject malicious JavaScript code through the compiledcss parameter, which gets stored and executed when the CSS is loaded. id: CVE-2023-3169...

6.1CVSS7AI score0.01582EPSS
Exploits2References2
Nuclei
Nuclei
added 8 hours ago24 views

The Events Calendar < 6.4.0.1 - Cross-site Scripting

The Events Calendar WordPress plugin 6.4.0.1 contains a stored XSS caused by improper sanitization of user-submitted content when rendering views via AJAX, letting attackers execute scripts in the context of the affected site. Exploitation requires user interaction. id: CVE-2024-4180 info: name:...

9.1CVSS5.2AI score0.01834EPSS
Exploits2References3
Nuclei
Nuclei
added 8 hours ago54 views

Limit Login Attempts WordPress - Stored Cross-site Scripting

Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...

6.1CVSS5.9AI score0.01595EPSS
Exploits2References2
Nuclei
Nuclei
added 8 hours ago83 views

Duplicate Page WordPress - Stored Cross-Site Scripting

Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...

4.8CVSS4.8AI score0.0087EPSS
Exploits2References3
Nuclei
Nuclei
added 8 hours ago138 views

Limit Login Attempts - Stored Cross-Site Scripting

Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...

4.8CVSS4.8AI score0.00848EPSS
Exploits2References1
Nuclei
Nuclei
added 8 hours ago64 views

Microweber <1.2.12 - Stored Cross-Site Scripting

Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. id: CVE-2022-0963 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microweber prior to 1.2.12 contains a stored...

5.7CVSS5.3AI score0.01877EPSS
Exploits1References5
Nuclei
Nuclei
added 8 hours ago81 views

ChurchCRM 4.5.3 - Cross-Site Scripting

A stored Cross-site scripting XSS vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. id: CVE-2023-26843 info: name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: | A stored Cross-site scripti...

5.4CVSS5.8AI score0.0142EPSS
Exploits1References5
EUVD
EUVD
added 10 hours ago4 views

EUVD-2026-45136

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the savefilter AJAX handler storing the raw $POST'filter' array into a WordPress option via updateoption without any capability check, nonce...

6.4CVSS6.2AI score
Exploits0References2
EUVD
EUVD
added 11 hours ago5 views

EUVD-2026-45130

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS6.2AI score
Exploits0References8
CVE
CVE
added 12 hours ago13 views

CVE-2026-2594

The CVE-2026-2594 entry concerns the WordPress plugin Smart Custom Fields. A stored cross-site scripting (XSS) flaw affects versions up to and including 5.0.7, caused by insufficient input sanitization and output escaping for uploaded image attachment titles. This enables authenticated attackers ...

6.4CVSS6.2AI score
Exploits0References3
Nuclei
Nuclei
added yesterday127 views

LiteSpeed Cache <= 5.7 - Unauthenticated Stored XSS

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache- from n/a through 5.7. id: CVE-2023-40000 info: name: LiteSpeed Cache = 5.7 - Unauthenticated Stored XSS...

8.3CVSS6.8AI score0.54872EPSS
Exploits5References3
NVD
NVD
added yesterday7 views

CVE-2026-13755

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'pricewrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00225EPSS
Exploits0References5
Cvelist
Cvelist
added yesterday26 views

CVE-2026-15021 wpForo Forum <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'location' Profile Field

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...

6.4CVSS0.00206EPSS
Exploits0References8
CVE
CVE
added yesterday8 views

CVE-2026-13755

The Tickera – Sell Tickets & Manage Events WordPress plugin (up to version 3.6.0.0) is affected by a Stored Cross‑Site Scripting vulnerability via the price_wrapper shortcode attribute. The root cause is insufficient input sanitization and output escaping, allowing authenticated attackers with co...

6.4CVSS6.3AI score0.00225EPSS
Exploits0References5
Cvelist
Cvelist
added yesterday26 views

CVE-2026-13755 Tickera <= 3.6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'pricewrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00225EPSS
Exploits0References5
NVD
NVD
added yesterday6 views

CVE-2026-13042

The RPB Chessboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content in all versions up to, and including, 8.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

7.2CVSS0.00247EPSS
Exploits0References8
EUVD
EUVD
added yesterday5 views

EUVD-2026-44865

The RPB Chessboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content in all versions up to, and including, 8.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

7.2CVSS6.2AI score0.00247EPSS
Exploits0References8
EUVD
EUVD
added yesterday5 views

EUVD-2026-44861

The Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6.2AI score0.00197EPSS
Exploits0References5
Rows per page
Query Builder