EUVD-2026-36387

The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for...

CVE-2024-7083 Email Encoder < 2.3.4 - Admin+ Stored XSS

The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2026-1430

The WP Lightbox 2 WordPress plugin is affected in versions prior to 3.0.7. Root cause: insufficient sanitisation/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (e.g., multisite). Impact: stored XSS could compromise ...

CVE-2026-2687

CVE-2026-2687 affects the WordPress plugin Reading progressbar prior to 1.3.1. The vulnerability arises because the plugin does not sanitize and escape certain settings, which could allow stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisi...

CVE-2025-14579 Quiz Maker < 6.7.0.89 - Admin+ Stored XSS

The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

EUVD-2023-43924

Malicious code in bioql PyPI...

EUVD-2024-31668

Malicious code in bioql PyPI...

EUVD-2022-34434

Malicious code in bioql PyPI...

EUVD-2022-43174

Malicious code in bioql PyPI...

CVE-2024-5200 Postie < 1.9.71 - Admin+ Stored XSS

The Postie WordPress plugin before 1.9.71 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-5200

CVE-2024-5200 – Postie WordPress plugin before 1.9.71 suffers from insufficient sanitization/escaping of settings, enabling stored XSS by high-privilege users (e.g., admin) even when unfiltered_html is disallowed (such as multisite) per CNVD/Red Hat/PatchStack entries. Affected product: Postie Pl...

PT-2025-36577

Name of the Vulnerable Software and Affected Versions: AI ChatBot for WordPress plugin versions prior to 7.1.0 Description: The AI ChatBot for WordPress plugin does not sanitise and escape some of its settings. This could allow high-privilege users, such as administrators, to perform Stored...

CVE-2023-3666 Sticky Side Buttons < 2.0.0 - Admin+ Stored XSS

The Sticky Side Buttons WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2025-6236

The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-10562

The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-9641

The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-6887

The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallow...

CVE-2023-3499

The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for...

CVE-2022-4112

The Quizlord WordPress plugin through 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2022-3835

The Kwayy HTML Sitemap WordPress plugin before 4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...