Lucene search
+L

39979 matches found

Nuclei
Nuclei
added 7 hours ago84 views

Duplicate Page WordPress - Stored Cross-Site Scripting

Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...

4.8CVSS4.8AI score0.0087EPSS
Exploits2References3
Nuclei
Nuclei
added 7 hours ago22 views

tagDiv Composer < 4.2 - Stored Cross-Site Scripting

tagDiv Composer plugin versions before 4.2 for WordPress are vulnerable to unauthenticated stored XSS via the /wp-json/tdw/savecss endpoint. An attacker can inject malicious JavaScript code through the compiledcss parameter, which gets stored and executed when the CSS is loaded. id: CVE-2023-3169...

6.1CVSS7AI score0.01582EPSS
Exploits2References2
Nuclei
Nuclei
added 7 hours ago55 views

Limit Login Attempts WordPress - Stored Cross-site Scripting

Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...

6.1CVSS5.9AI score0.01595EPSS
Exploits2References2
Nuclei
Nuclei
added 7 hours ago82 views

ChurchCRM 4.5.3 - Cross-Site Scripting

A stored Cross-site scripting XSS vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. id: CVE-2023-26843 info: name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: | A stored Cross-site scripti...

5.4CVSS5.8AI score0.0142EPSS
Exploits1References5
Nuclei
Nuclei
added 7 hours ago25 views

The Events Calendar < 6.4.0.1 - Cross-site Scripting

The Events Calendar WordPress plugin 6.4.0.1 contains a stored XSS caused by improper sanitization of user-submitted content when rendering views via AJAX, letting attackers execute scripts in the context of the affected site. Exploitation requires user interaction. id: CVE-2024-4180 info: name:...

9.1CVSS5.2AI score0.01834EPSS
Exploits2References3
Nuclei
Nuclei
added 7 hours ago9 views

WPBot <= 8.4.9 - Cross-Site Scripting

WPBot = 8.4.9 is vulnerable to stored cross-site scripting via the conversation parameter in the qcldwbchatbotconversationsave AJAX action. The AJAX nonce qcsecretbotnonceval123qc is publicly emitted on every frontend page via wplocalizescript under the ajaxnonce key, making it freely obtainable ...

7.2CVSS4.8AI score0.00524EPSS
Exploits0References2
Nuclei
Nuclei
added 7 hours ago139 views

Limit Login Attempts - Stored Cross-Site Scripting

Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...

4.8CVSS4.8AI score0.00848EPSS
Exploits2References1
Nuclei
Nuclei
added 7 hours ago65 views

Microweber <1.2.12 - Stored Cross-Site Scripting

Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. id: CVE-2022-0963 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microweber prior to 1.2.12 contains a stored...

5.7CVSS5.3AI score0.01877EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added yesterday4 views

CVE-2026-48015 Shopware: Stored XSS via SVG file upload — no SVG sanitization

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowedextensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from...

4.9CVSS5.5AI score0.00039EPSS
Exploits0References5
CVE
CVE
added yesterday23 views

CVE-2026-48015

Shopware core is affected by CVE-2026-48015 due to SVG files being allowed in the media upload whitelist and not sanitized in the upload pipeline (MediaUploadController → FileSaver → TypeDetector). Prior to versions 6.6.10.18 and 6.7.10.1, uploading SVGs could allow embedded JavaScript (onload, [...

4.9CVSS5.4AI score0.00039EPSS
Exploits0References5
NVD
NVD
added yesterday7 views

CVE-2026-9588

A stored cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997 within the voicemail notification template functionality. The submitmodifyvoicemailtemplate endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious...

7CVSS
Exploits0References2
NVD
NVD
added yesterday9 views

CVE-2026-58148

The Joomla extension ChronoForms is vulnerable to an unauthenticated stored XSS vulnerability...

8.7CVSS
Exploits0References1
Vulnrichment
Vulnrichment
added yesterday5 views

CVE-2026-9588 Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal

A stored cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997 within the voicemail notification template functionality. The submitmodifyvoicemailtemplate endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious...

7CVSS4.9AI score
Exploits0References2
EUVD
EUVD
added yesterday7 views

EUVD-2026-45207

A stored cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997 within the voicemail notification template functionality. The submitmodifyvoicemailtemplate endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious...

7CVSS4.8AI score
Exploits0References2
NVD
NVD
added yesterday6 views

CVE-2026-10525

The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting...

6.1CVSS0.00235EPSS
Exploits0References1
CVE
CVE
added yesterday11 views

CVE-2026-10525

The CVE-2026-10525 entry concerns the NEX-Forms WordPress plugin prior to version 9.2.3. The root cause is insufficient sanitization and escaping of submitted form data before storing it and when rendering it in the admin dashboard. This results in a Stored XSS vulnerability that could allow unau...

6.1CVSS6.1AI score0.00235EPSS
Exploits0References1
EUVD
EUVD
added yesterday6 views

EUVD-2026-45144

The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting...

6.1CVSS5.2AI score0.00235EPSS
Exploits0References1
NVD
NVD
added yesterday8 views

CVE-2026-15395

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS0.00247EPSS
Exploits0References8
CVE
CVE
added yesterday11 views

CVE-2026-15161

The Ninja Forms - Excel Export plugin for WordPress (up to v3.3.6) is affected by a Stored XSS due to save_filter() storing raw $_POST['filter'] without capability check, nonce verification, or sanitization. The get_filter_row() code concatenates stored filter values into HTML attributes without ...

6.4CVSS6.2AI score0.00156EPSS
Exploits0References2
EUVD
EUVD
added yesterday6 views

EUVD-2026-45136

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the savefilter AJAX handler storing the raw $POST'filter' array into a WordPress option via updateoption without any capability check, nonce...

6.4CVSS6.2AI score0.00156EPSS
Exploits0References2
Rows per page
Query Builder