WordPress Mstoic Shortcodes plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'start' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin Mstoic Shortcodes versions <= 2.0...
WordPress 1180px Shortcodes plugin <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin 1180px Shortcodes versions <= 1.1.1...
WordPress Recras WordPress plugin plugin <= 6.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'recrasname' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'recrasname' Shortcode Attribute vulnerability discovered by Sopon Tangpathum SoNaJaa - freelance in WordPress Plugin Recras versions <= 6.4.1...
CVE-2025-4776
The Phlox theme for WordPress (Phlox) is affected by CVE-2025-4776: a Stored XSS via the data-caption attribute in Phlox versions up to and including 2.17.7. Exploitation requires authentication with Contributor-level access or higher and can allow injection of arbitrary scripts that run when use...
CVE-2025-4776 Phlox <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute
The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the data-caption HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...
CVE-2025-14153 Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute
The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...
CVE-2025-14153
CVE-2025-14153 is a WordPress plugin vulnerability in Page Expire Popup/Redirection for WordPress. The issue is a time-based SQL Injection via the shortcode attribute id in versions up to 1.0, caused by insufficient escaping and lack of proper query preparation. Exploitation requires authenticat...
PT-2026-1417
Name of the Vulnerable Software and Affected Versions Phlox theme for WordPress versions through 2.17.7 Description The Phlox theme for WordPress is susceptible to Stored Cross-Site Scripting through the data-caption HTML attribute. Insufficient input sanitization and output escaping allow...
1180px Shortcodes <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute
Description The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
WordPress Phlox plugin <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute vulnerability
Software: Phlox | Type: Theme | Vulnerable versions: <= 2.17.7 | Fixed in: 2.17.11 | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE ID: CVE-2025-4776 | Patchstack priority: Low | CVSS severity: 6.5 | Required privilege: Contributor | Developer: Claim ownership | PSID:...
WordPress Phlox plugin <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute vulnerability discovered by Webbernaut in WordPress Theme Phlox versions <= 2.17.7...
PT-2026-6153
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The Linux kernel contains a flaw within the fou module. Specifically, the FOU_ATTR_IPPROTO attribute should not be set to 0. When FOU_ATTR_IPPROTO is 0, the skb socket buffer is not...
PT-2026-20853
Name of the Vulnerable Software and Affected Versions SPIP versions prior to 4.4.8 Description The application does not properly handle iframe content in the private area, allowing an attacker to inject and execute malicious scripts through iframe tags. The issue occurs because the application do...
PT-2026-8124
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The hp-bioscfg driver attempts to register kobjects with empty names when the HP BIOS returns attributes with empty name strings, resulting in kernel warnings. Specifically, the driver...
EUVD-2025-206094
Trix has a stored XSS vulnerability through its attachment attribute...
SUSE CVE-2022-50841
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add overflow check for attribute size The offset addition could overflow and pass the used size check given an attribute with very large size e.g., 0xffffff7f while parsing MFT attributes. This could lead to out-of-boun...
SUSE CVE-2023-54262
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't clone flow post action attributes second time The code already clones post action attributes in mlx5e_clone_flow_attr_for_post_act(). Creating another copy in mlx5e_tc_post_act_add() is an erroneous leftover from original...
WordPress WishSuite plugin <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin WishSuite versions <= 1.5.1...
Trix has a stored XSS vulnerability through its attachment attribute
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads. An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user'...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993197)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993197 advisory. In the Linux kernel, the following vulnerability has been resolved: ntfs: check overflow when iterating ATTR_RECORDs Kernel iterates over ATTR_RECORDs in mft record in...