10 matches found

Nuclei
added 12 hours ago, 8 views

Advance Post Prefix WordPress plugin - Reflected XSS

Advance Post Prefix WordPress plugin through 1.1.1 contains a reflected cross-site scripting vulnerability caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high-privilege users such as admins. Exploitation requires a crafted request. id: CVE-2024-12734 info: name: Advance...

CVSS 6.1 | AI score 5.3 | EPSS 0.00199
Exploits: 1 | References: 2
Vulnrichment
added 2026/05/28 6:45 a.m., 4 views

CVE-2026-6427 a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6. This is due to a regex bug in the filtervideos method that breaks HTML attribute quoting when processing crafted elements, combined with unescaped output in the...

CVSS 6.4 | AI score 5.8 | EPSS 0.00047
Exploits: 0 | References: 8
NVD
added 2026/05/02 6:16 a.m., 2 views

CVE-2026-5109

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...

CVSS 7.2 | EPSS 0.00021
Exploits: 0 | References: 2
CNNVD
added 2026/01/07 12:0 a.m., 1 views

Data Illusion Zumbrunn NGSurvey Enterprise Edition Security Vulnerability

Data Illusion Zumbrunn NGSurvey Enterprise Edition is a questionnaire and data collection system from the Swiss company Data Illusion Zumbrunn. A security vulnerability exists in Data Illusion Zumbrunn NGSurvey Enterprise Edition version 3.6.4, which stems from improper coding of survey content a...

CVSS 5.4 | AI score 5.9 | EPSS 0.00069
Exploits: 0 | References: 2
OSV
added 2022/07/11 1:15 p.m., 0 views

CVE-2022-1220

The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...

CVSS 6.1 | AI score 5.8
Exploits: 0 | References: 1
OSV
added 2022/04/25 4:16 p.m., 0 views

CVE-2021-46780

The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting...

CVSS 6.1 | AI score 5.8 | EPSS 0.0021
Exploits: 1 | References: 1
OSV
added 2022/03/28 6:15 p.m., 1 views

CVE-2022-0641

The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the aysfbtab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...

CVSS 6.1 | AI score 5.8 | EPSS 0.0021
Exploits: 1 | References: 1
OSV
added 2022/01/24 8:15 a.m., 0 views

CVE-2021-25031

The Image Hover Effects Ultimate Image Gallery, Effects, Lightbox, Comparison or Magnifier WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting...

CVSS 6.1 | AI score 5.8 | EPSS 0.0021
Exploits: 2 | References: 2
OSV
added 2022/01/24 8:15 a.m., 1 views

CVE-2021-25079

The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as formid, status, enddate, order, orderby and search before outputting them back in the admin page...

CVSS 6.1 | AI score 5.8
Exploits: 0 | References: 2
OSV
added 2022/01/03 1:15 p.m., 1 views

CVE-2021-25040

The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the bookingtype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...

CVSS 6.1 | AI score 5.8 | EPSS 0.0021
Exploits: 2 | References: 1