119 matches found
WordPress OneTone theme <= 3.0.6 – Unauthenticated Stored XSS
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues. id: CVE-2019-17231 info: name: WordPress OneTone theme = 3.0.6 – Unauthenticated Stored XSS author: daffainfo severity: medium description: | includes/theme-functions.php in the OneTone...
CVE-2026-8071
The CVE-2026-8071 entries (NVD, CVE List, EUVD/ENISA, and VulnEnrichment) document a stored XSS vulnerability in the Anti-Spam by CleanTalk WordPress plugin. Affected: the plugin before version 6.79; Root cause: improper sanitization of content inside a custom shortcode used in the plugin’s email...
CVE-2026-7052
The CVE concerns the HT Contact Form – Drag & Drop Form Builder for WordPress plugin. A Stored Cross-Site Scripting (XSS) vulnerability exists in the file_upload parameter for all versions up to 2.8.2 due to insufficient input sanitization and output escaping. Exploitation requires the Store Subm...
CVE-2026-5324
The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when ...
CVE-2026-5110 Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Single Product Field Inside Repeater
The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are...
PT-2026-36594
The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when ...
CVE-2025-15386
The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved...
CVE-2020-12132
Fifthplay S.A.M.I before 2019.3HP2 allows unauthenticated stored XSS via a POST request...
PT-2025-51810
The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This...
EUVD-2021-11263
Malware in sbrugna...
EUVD-2020-13413
Malware in sbrugna...
EUVD-2019-4891
Malware in sbrugna...
EUVD-2019-7655
Malware in sbrugna...
EUVD-2017-8010
Malware in sbrugna...
EUVD-2025-16698
Malicious code in bioql PyPI...
CVE-2025-3662 FancyBox for WordPress < 3.3.6 - Unauthenticated Stored XSS
The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher Marc Montpas escalated it to an Unauthenticated Stored XSS...
CVE-2021-24350
The Visitors WordPress plugin through 0.3 is affected by an Unauthenticated Stored Cross-Site Scripting XSS vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel...
CVE-2019-17213
The WebARX plugin 1.3.0 for WordPress has unauthenticated stored XSS via the URI or the X-Forwarded-For HTTP header...
CVE-2024-8703 Z-Downloads < 1.11.6 - Unauthenticated Stored XSS
The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs...
CVE-2025-0613
The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed...