CVE-2026-27937
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget, where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...
CVE-2026-27937
CVE-2026-27937 concerns the October CMS platform. Affected versions prior to 3.7.16 and 4.1.16 have a vulnerability in the backend DataTable widget where a query parameter is rendered without proper output escaping, resulting in a reflected Cross-Site Scripting (XSS) condition. The root cause is ...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the GitHub OAuth callback handler, where the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...
AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
Summary The UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricte...
CVE-2025-14719
CVE-2025-14719 : Relevanssi Free (<4.26.0) and Relevanssi Premium (
EUVD-2021-11638
Malware in sbrugna...
EUVD-2021-11943
Malware in sbrugna...
EUVD-2022-15705
Malicious code in bioql PyPI...
CVE-2025-55727
CVE-2025-55727 affects XWiki Remote Macros (column macro width parameter). The issue: missing escaping of the width parameter in versions 1.0 through 1.26.4 enables remote code execution when a user can edit a page or access the CKEditor converter, due to unescaped XWiki syntax in the width param...
wabac.js Cross-Site Scripting Vulnerability
wabac.js is an open source archive browsing client for Webrecorder. A cross-site scripting vulnerability exists in wabac.js version 2.23.10 and earlier, which stems from an unsanitized and unescaped requestURL parameter that could lead to a reflected cross-site scripting attack...
CVE-2023-2654
The Conditional Menus WordPress plugin before 1.2.1 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2023-0955
The WP Statistics WordPress plugin before 14.0 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+); however, the plugin has a setting to allow low...
CVE-2022-4230
The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+); however, the plugin has a setting to allow low...
CVE-2022-4166
The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4activate.php. This may allow malicious users with at least author privilege to leak sensitive informati...
CVE-2022-1547
The Check & Log Email WordPress plugin before 1.0.6 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting...
CVE-2021-24908
The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting...
CVE-2024-11287
The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.8001. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages th...
PT-2024-16883 · WordPress · Ebook Store
Name of the Vulnerable Software and Affected Versions: Ebook Store plugin for WordPress versions up to, and including, 5.8001 Description: The issue is related to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL. This allows unauthenticated...
PT-2024-15994 · WordPress · Persian Woocommerce Sms
Name of the Vulnerable Software and Affected Versions: Persian WooCommerce SMS plugin for WordPress versions up to, and including, 7.0.5 Description: The issue is related to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL. This allows...
PT-2024-16937 · WordPress · The Crypto/Defi Widgets – Web3 Cryptocurrency Shortcodes
Name of the Vulnerable Software and Affected Versions: The Crypto and DeFi Widgets – Web3 Cryptocurrency Shortcodes plugin for WordPress versions up to, and including, 1.1.6 Description: The issue arises from the use of add_query_arg without proper escaping on the URL, allowing unauthenticated...