CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

194 matches found

CVE-2026-3643

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permissioncallback set to returntrue...

7.2CVSS0.00179EPSS

Exploits0References1

RedhatCVE•added 3 hours ago•0 views

CVE-2026-8203

Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential...

7.3CVSS0.00025EPSS

Exploits0References1

NVD•added 2026/05/27 6:16 p.m.•12 views

CVE-2026-46426

Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if isPublicUser or if isPublicUser ...

7.6CVSS0.00033EPSS

Exploits0References2

Positive Technologies•added 2026/05/20 12:0 a.m.•8 views

PT-2026-42075

Name of the Vulnerable Software and Affected Versions Faces of Users versions prior to 0.0.4 Description The Faces of Users plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping within the default attribute of the...

6.4CVSS6AI score0.00032EPSS

Exploits0References6

Patchstack•added 2026/05/19 12:4 p.m.•7 views

WordPress Sticky plugin <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Sticky versions = 2.5.6...

6.4CVSS5.8AI score0.00036EPSS

Exploits0References1Affected Software1

Positive Technologies•added 2026/05/16 12:0 a.m.•12 views

PT-2026-41440

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

6.4CVSS5.7AI score0.00034EPSS

Exploits0References5

Vulnrichment•added 2026/05/14 8:44 p.m.•5 views

CVE-2026-44212 PrestaShop: Stored XSS executable in customer service view

PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting XSS vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The...

9.3CVSS5.8AI score0.00022EPSS

Exploits0References1

CVE•added 2026/05/10 12:43 p.m.•7 views

CVE-2021-47924

The CVE-2021-47924 entry concerns the WordPress plugin Ultimate Product Catalog, version 5.8.2. The vulnerability is a stored cross-site scripting (XSS) flaw in which authenticated attackers can inject HTML/JavaScript into the price parameter via POST to post.php, leading to code execution when a...

6.4CVSS6AI score0.00047EPSS

Exploits0References4

Positive Technologies•added 2026/05/10 12:0 a.m.•5 views

PT-2026-39501

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file...

6.4CVSS5.8AI score0.00034EPSS

Exploits0References5

EUVD•added 2026/04/23 6:30 a.m.•1 views

EUVD-2026-25170

Successful exploitation of the stored cross-site scripting XSS vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature...

5.4CVSS5.9AI score0.00011EPSS

Exploits0References2

Cvelist•added 2026/04/22 7:45 a.m.•25 views

CVE-2026-4142 Sentence To SEO (keywords, description and tags) <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Permanent keywords' Field

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via...

4.4CVSS0.00027EPSS

Exploits0References11

Cvelist•added 2026/04/22 7:45 a.m.•22 views

CVE-2026-4125 WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...

6.4CVSS0.00014EPSS

Exploits0References5

Positive Technologies•added 2026/04/22 12:0 a.m.•1 views

PT-2026-34278

Name of the Vulnerable Software and Affected Versions Quran Live Multilanguage plugin for WordPress versions prior to 1.0.4 Description Stored Cross-Site Scripting is possible due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran live render...

6.4CVSS6AI score0.0002EPSS

Exploits0References16

ATTACKERKB•added 2026/04/18 9:26 a.m.•2 views

CVE-2026-2505

The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'ztaxonomyimage' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates...

5.4CVSS5.9AI score0.00011EPSS

Exploits0References3

Cvelist•added 2026/04/17 8:3 p.m.•14 views

CVE-2026-40283 WeGIA has stored XSS in profile_paciente.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patien...

6.8CVSS0.00036EPSS

Exploits1References1

Cvelist•added 2026/04/16 2:10 p.m.•28 views

CVE-2026-2840 Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eebmailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00037EPSS

Exploits0References3

Patchstack•added 2026/04/16 10:31 a.m.•2 views

WordPress Product Pricing Table by WooBeWoo plugin <= 1.1.0 - Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion vulnerability

Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Product Pricing Table by WooBeWoo versions = 1.1.0...

6.1CVSS5.8AI score0.00006EPSS

Exploits0References1Affected Software1

Vulnrichment•added 2026/04/16 5:29 a.m.•1 views

CVE-2026-3551 Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting

The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail...

4.4CVSS5.9AI score0.00029EPSS

Exploits0References17

Vulnrichment•added 2026/04/15 8:28 a.m.•1 views

CVE-2026-3659 WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the circliful shortcode and via multiple shortcode attributes of the circlifuldirect shortcode in all versions up to and including 1.2. This is due to insufficient input...

6.4CVSS5.9AI score0.00073EPSS

Exploits0References9

NVD•added 2026/04/14 3:16 a.m.•3 views

CVE-2026-4388

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field Text Box input type in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization sanitizetextfield strips tags but not quotes and...

7.2CVSS0.00133EPSS

Exploits0References5

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by