CVE-2025-6746

The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server,...

CVE-2025-7059

The Simple Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slideshow’ parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-5014

The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wpremcswidgetfiledelete' function in all versions up to, and including, 2.8. This makes it possible for authenticated attackers, with...

CVE-2025-6462

The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

CVE-2025-6537

The Namasha By Mdesign plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘playicontitle’ parameter in all versions up to, and including, 1.2.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-5488

The WP Masonry & Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wmis' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-5258

The Conference Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

CVE-2025-4479

The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied...

CVE-2025-5950

The IndieBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘kind’ parameter in all versions up to, and including, 0.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2025-5144

The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-5568

The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2025-5239

The Domain For Sale plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘classname’ parameter in all versions up to, and including, 3.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

CVE-2025-5568 WpEvently <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2024-9994

CVE-2024-9994 affects the WordPress plugin Essential Addons for Elementor – Pricing Table Widget. Vulnerable component: eael_pricing_item_tooltip_content; vulnerability type: Stored Cross-Site Scripting (XSS) due to insufficient input sanitization/output escaping. Affected versions: all up to 6.1...

CVE-2025-5538

The CVE-2025-5538 entry corresponds to a Stored Cross-Site Scripting vulnerability in the WordPress plugin BNS Featured Category, affecting all versions up to 2.8.2. The flaw arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin’s bnsfc shortcod...

CVE-2025-4224

The wpForo + wpForo Advanced Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via media upload names in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-4944

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Compare and Google Maps widgets in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVE-2025-4595

The FastSpring plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fastspring/block-fastspringblocks-complete-product-catalog' block in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on the 'color' attribute. Thi...

CVE-2025-0365

The Jupiter X Core plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.8.7 via the inline SVG feature. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server,...

CVE-2025-0193

A stored Cross-site Scripting XSS vulnerability exists in the MGate 5121/5122/5123 Series firmware version v1.0 because of insufficient sanitization and encoding of user input in the "Login Message" functionality. An authenticated attacker with administrative access can exploit this vulnerability...