8493 matches found
CVE-2025-13089
CVE-2025-13089 (WP Directory Kit) : WordPress plugin is vulnerable to unauthenticated SQL Injection via parameters hide_fields and attr_search in all versions up to 1.4.7 due to insufficient escaping and lack of prepared statements. Exploitation could allow an attacker to append SQL to existing q...
WordPress plugin Colibri Page Builder 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site scripti...
Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: aide (UTSA-2025-991233)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-991233 advisory. AIDE is an advanced intrusion detection environment. Prior to version 0.19.2, there is an improper output neutralization vulnerability in AIDE. An attacker can craft...
CVE-2025-67741
In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute...
vuln_XSS_web
Vulnerable Websites for XSS Testing Đây là 4 website mẫu, mỗi...
EUVD-2025-203007
The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as...
CVE-2025-13989
The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as...
CVE-2025-13843
CVE-2025-13843 : VigLink SpotLight By ShortCode WordPress plugin is vulnerable to Stored Cross-Site Scripting via the float attribute of the spotlight shortcode. Affected versions include all up to 1.0.a. Exploitation requires authenticated access at Contributor level or higher, enabling injectio...
CVE-2025-13843 VigLink SpotLight By ShortCode <= 1.0.a - Authenticated (Contributor+) Stored Cross-Site Scripting via 'float' Shortcode Attribute
The VigLink SpotLight By ShortCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'float' parameter of the 'spotlight' shortcode in all versions up to, and including, 1.0.a due to insufficient input sanitization and output escaping on user supplied attributes. This make...
CVE-2025-13843 VigLink SpotLight By ShortCode <= 1.0.a - Authenticated (Contributor+) Stored Cross-Site Scripting via 'float' Shortcode Attribute
The VigLink SpotLight By ShortCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'float' parameter of the 'spotlight' shortcode in all versions up to, and including, 1.0.a due to insufficient input sanitization and output escaping on user supplied attributes. This make...
CVE-2025-13963 FX Currency Converter <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fxccconvert' shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-13966
CVE-2025-13966 : The Paypal Payment Shortcode plugin for WordPress is vulnerable to a stored XSS via the buttom_image parameter in the [paypal-shortcode] shortcode, affecting all versions up to 1.01. The Wordfence Vulnerability DB notes that this requires Contributor+ access and that a patch is n...
CVE-2025-13840
CVE-2025-13840 — Bukazu Search Widget (WordPress) Vulnerability: Stored XSS via the shortcodes attribute of bukazu_search. Exploitation requires authentication at Contributor level or higher. Impact: injected scripts execute when users load the affected page. Affected versions: all versions up to...
CVE-2025-13840 BUKAZU Search widget <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute
The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazusearch' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...
CVE-2025-13969 Reviews Sorted <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'space' Shortcode Attribute
The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the reviews-slider shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
CVE-2025-13969 Reviews Sorted <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'space' Shortcode Attribute
The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the reviews-slider shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
CVE-2025-13989 WP Dropzone <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'callback' Shortcode Attribute
The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as...
CVE-2025-13989 WP Dropzone <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'callback' Shortcode Attribute
The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as...
CVE-2025-13989
CVE-2025-13989: WP Dropzone for WordPress is vulnerable to Stored Cross-Site Scripting via the callback attribute in shortcode usage up to version 1.1.1. Insufficient input sanitization and output escaping allow authenticated users with Contributor+ rights to inject scripts that may execute when ...
CVE-2025-14143
The CVE describes a Stored Cross-Site Scripting (XSS) in the Ayo Shortcodes WordPress plugin (Ayo Shortcodes) via the color attribute of the ayo_action shortcode, affecting all versions up to 0.2. The vulnerability allows authenticated attackers with Contributor-level access or higher to inject s...