CVE-2026-41693

CVE-2026-41693 affects i18next-fs-backend

i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns

Summary Versions of i18next-http-backend prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input the defau...

CVE-2024-3641

The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins...

USN-6675-1: ImageProcessing vulnerability

It was discovered that ImageProcessing incorrectly handled series of operations that are coming from unsanitised inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code...

WP Post Popup <= 3.7.3 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its inputs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Enter the following payload in the...

BizLibrary <= 1.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Login as Admin. 2. Go to...

PT-2023-16966 · WordPress · Wp Vr

Name of the Vulnerable Software and Affected Versions: WP VR WordPress plugin versions prior to 8.2.9 Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because some parameters are not properly sanitised and escaped before being outputted back in the page. Th...

CVE-2023-1377

The Solidres WordPress plugin through 0.9.4 does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

GetYourGuide Ticketing < 1.0.4 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Navigate toward the GYG Ticketing and GYG...

CVE-2021-24412

The Html5 Audio Player – Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious...