2348 matches found
Header Footer Code Manager < 1.1.24 - Cross-Site Scripting
The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. id: CVE-2022-0899 info: name: Header Footer Code Manager 1.1.24 - Cross-Site Scripting author:...
EUVD-2026-41680
A vulnerability was identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 213babdbaa949e94557246414db0130e01394517. This vulnerability affects the function checkForPostRequests of the file application/core/MYController.php of the component Subscribed Emails Admin Page. Such manipulation...
EUVD-2026-40039
The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input e.g. a transient nam...
CVE-2026-10083
The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input e.g. a transient nam...
CVE-2026-50765
A stored cross-site scripting XSS vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...
CVE-2026-50765
A stored cross-site scripting XSS vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...
CVE-2026-50765
A stored cross-site scripting XSS vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...
CVE-2020-37256
Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access...
CVE-2020-37256 Grav - Cross-Site Scripting in Admin Plugin Page Editor
Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access...
PT-2026-52606
Name of the Vulnerable Software and Affected Versions Grav versions prior to 1.6.30 Description A cross-site scripting issue exists in the default security configuration of the Admin plugin page editor. Privileged users with page editing capabilities can inject malicious scripts to execute...
CVE-2026-9643
WP Meta SEO for WordPress insert(). This allows injection of arbitrary scripts that execute when an administrator visits the 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo_broken_link). Exploitation details are not provided beyond the generic flow; no fixes, mitigations, or exploita...
CVE-2026-12137
The CVE concerns the WordPress plugin SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager. It is vulnerable to a Reflected Cross-Site Scripting (XSS) via the tab parameter in all versions up to and including 4.3.6, caused by insufficient input sanitization...
CVE-2026-8494 Permalink Manager Lite <= 2.5.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with...
CVE-2016-20084 WordPress appointment-booking-calendar 1.1.24 Privilege Escalation XSS
WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScrip...
PT-2026-49079
Name of the Vulnerable Software and Affected Versions Store Locator WordPress plugin versions prior to 1.6.9 Description Insufficient sanitization and escaping of store logo metadata before it is stored and displayed on the admin page allows high-privileged users, such as administrators, to execu...
CVE-2026-53737 Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response
Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads...
CVE-2026-9060
CVE-2026-9060 concerns the Store Locator WordPress plugin (before 1.6.6). The vulnerability arises because a setting is not sanitized/escaped before storing and outputting it on the admin page, enabling Stored XSS by high-privilege users (e.g., administrators) even when unfiltered_html is disallo...
EUVD-2026-35048
A vulnerability was identified in CodeAstro Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/searchstaffforupdation.php. Such manipulation of the argument Name leads to sql injection. The attack may be performed from remote...
CVE-2026-11509 CodeAstro Leave Management System search_staff_for_updation.php sql injection
A vulnerability was identified in CodeAstro Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/searchstaffforupdation.php. Such manipulation of the argument Name leads to sql injection. The attack may be performed from remote...
CVE-2026-11506
A vulnerability has been found in CodeAstro Leave Management System 1.0. This impacts an unknown function of the file /admin/searchstafffordeletion.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to t...