CVE-2019-25742 WordPress Theme Zoner Real Estate 4.1.1 Persistent XSS

WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when creating properties. Attackers can inject JavaScript payloads in the property creation form that execu...

CVE-2026-39390 CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting cMap field in compInfosPost sanitizes input using striptags with an allowlist and regex-based removal of...

CVE-2026-2440

The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing...

CVE-2025-59158

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting XSS attack in the project creation workflow. An authenticated user with low privileges e.g....

PT-2025-34150 · Dts-Shop · Dts-Shop

Name of the Vulnerable Software and Affected Versions: dts-shop version 0.0.1-SNAPSHOT Description: Incorrect access control in dts-shop allows attackers to bypass authentication by sending a crafted payload to the /admin/auth/index API endpoint. Recommendations: As a temporary workaround, restri...

Post Views Count <= 3.0.2 - Contributor+ Stored XSS in Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a Contributor+ create a new post and add...

CVE-2022-1772

The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing th...

w3tw0rk / Pitbull Perl IRC Bot - Remote Code Execution

thehunter.py Exploit Title: Pitbull / w3tw0rk Perl IRC Bot Remote Code Execution Author: Jay Turla @shipcod3 Description: pitbull-w3tw0rkhunter is POC exploit for Pitbull or w3tw0rk IRC Bot that takes over the owner of a bot which then allows Remote Code Execution. import socket import sys def...