12 matches found
CVE-2026-9281
The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlmacustomjs' Page Setting Custom JS Extension in all versions up to, and including, 3.1.0 due to insufficient input...
CVE-2026-3645 Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can) and nonce verification. This makes it...
CVE-2015-9436
The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=termtree prefix or widgetid parameter...
CVE-2022-28035
Atom.CMS 2.0 is vulnerable to SQL Injection via Atom.CMSadminajaxblur-save.php...
Shopp eCommerce <= 1.4 - Unauthenticated Arbitrary File Upload
The shoppuploadfile AJAX action of the plugin, available to both unauthenticated and authenticated users, does not have any security measure in place to prevent the upload of malicious files, such as PHP, allowing unauthenticated users to upload arbitrary files and leading to RCE...
Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting
The plugin is lacking any capability and CSRF check when saving its settings, allowing any authenticated user, such as a subscriber, to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in al...
WordPress responsive-add-ons access control error vulnerability
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. responsive-add-ons is a responsive loading plugin used in it. A security vulnerability exists in WordPress responsive-add-ons versions...
gewerbeforum-zorneding.de XSS vulnerability
Open Bug Bounty ID: OBB-637946

Description | Value
---|---
Affected Website: | gewerbeforum-zorneding.de
Vulnerable Application: | Other
Vulnerability Type: | XSS Cross Site Scripting / CWE-79
CVSSv3 Score: | 6.1...

misjonshuset.moss.no XSS vulnerability
Open Bug Bounty ID: OBB-637425

Description | Value
---|---
Affected Website: | misjonshuset.moss.no
Vulnerable Application: | Other
Vulnerability Type: | XSS Cross Site Scripting / CWE-79
CVSSv3 Score: | 6.1...

joyplus-cms cross-site scripting vulnerability (CNVD-2018-08698)
joyplus-cms joy video is an open source video backend management system based on PHP and MySQL. The system has video resource acquisition, user feedback management, automatic address resolution, message push management and other functions. A cross-site scripting vulnerability exists in...
induscs.ca XSS vulnerability
Open Bug Bounty ID: OBB-568379

Description | Value
---|---
Affected Website: | induscs.ca
Vulnerable Application: | WordPress
Vulnerability Type: | XSS Cross Site Scripting / CWE-79
CVSSv3 Score: | 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Disclosure Standard: | Coordinated Disclosure based on I...

WordPress Plugin Photo Gallery 'wp-admin/admin-ajax.php' SQL Injection Vulnerability
WordPress is a blogging platform from the WordPress Software Foundation, developed using the PHP language, which supports personal blog sites on servers with PHP and MySQL. A SQL injection vulnerability exists in the WordPress plugin Photo Gallery 'wp-admin/admin-ajax.php'. Due to the program...