CVE-2026-6275

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounteraddToTags function. The function is hooked to wphead...

Twig: The `spaceless` filter implicitly marks its output as safe

Description The spaceless filter is registered with issafe = 'html', which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying spaceless to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote |raw...

CVE-2026-6405

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF leading to Stored Cross-Site Scripting XSS in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output...

PT-2026-42171

Name of the Vulnerable Software and Affected Versions Twig affected versions not specified Description The spaceless filter is registered with is safe = 'html', causing Twig's autoescaper to skip escaping its output in HTML contexts. This allows attacker-controlled input containing markup to be...

PT-2026-20395

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

WordPress plugin Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin Cross-site Script Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2021-24873

The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue...

WordPress plugin Wp-ImageZoom 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

AZL-43104 CVE-2023-24531 affecting package msft-golang for versions less than 1.21.0-1

Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is...

CVE-2021-24792

The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template wpbtnsavetemplate function hooked to the init action, nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a...

WordPress 插件跨站脚本漏洞

WordPress is the Wordpress Foundation's set of blogging platform developed using the PHP language . The platform supports setting up personal blog sites on PHP and MySQL servers.WordPress Plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists in...

Stored Cross-Site Scripting Vulnerability in DBSHOP_0.9.3_Beta

DBShop is an open source e-commerce online store system developed using endFramework. A stored cross-site scripting vulnerability exists at DBSHOP0.9.3Beta /module/Goods/view/goods/ask/index.phtml. Due to the failure to handle the output to the page of the inquiry response, the content is directl...