Lucene search
K

663 matches found

NVD
NVD
added 2026/04/08 10:16 a.m.4 views

CVE-2026-4300

The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom |...| marker pattern in its fixJsFunction method to embed raw JavaScript function references within JSON-encoded...

6.4CVSS0.00429EPSS
Exploits0References14
Vulnrichment
Vulnrichment
added 2026/04/08 9:25 a.m.2 views

CVE-2026-4300 Robo Gallery <= 5.1.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'Loading Label' Setting

The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom |...| marker pattern in its fixJsFunction method to embed raw JavaScript function references within JSON-encoded...

6.4CVSS6.1AI score0.00429EPSS
Exploits0References14
NVD
NVD
added 2026/04/08 7:16 a.m.8 views

CVE-2025-1794

The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...

5.4CVSS0.00173EPSS
Exploits0References2
NVD
NVD
added 2026/04/08 5:16 a.m.3 views

CVE-2026-4341

The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'followustext' setting of the Mount widget in all versions up to, and including, 4.1.10. This is due to insufficient input sanitization and output escaping. Specifically, the...

6.4CVSS0.00362EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.3 views

PT-2026-31288

Name of the Vulnerable Software and Affected Versions Robo Gallery versions through 5.1.3 Description The Robo Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting via the 'Loading Label' setting. The plugin utilizes a custom |...| marker pattern within its fixJsFunction...

6.4CVSS5.9AI score0.00429EPSS
Exploits0References17
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.7 views

PT-2026-31090

Name of the Vulnerable Software and Affected Versions The AM LottiePlayer plugin for WordPress versions up to and including 3.6.0 Description The AM LottiePlayer plugin for WordPress is susceptible to Stored Cross-Site Scripting through uploaded SVG files. Insufficient input sanitization and outp...

5.4CVSS5.9AI score0.00173EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/05 10:55 a.m.9 views

CVE-2026-0738

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sucarousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'suslidelink' attachment meta field...

6.4CVSS6.1AI score0.00346EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.6 views

CVE-2026-2569

The Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via PDF page labels in all versions up to, and including, 2.4.20 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6AI score0.00152EPSS
Exploits0References1
NVD
NVD
added 2026/03/26 4:17 a.m.9 views

CVE-2026-4335

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment posttitle in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup function and its corresponding media-popup.php template...

5.4CVSS0.00176EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/03/26 2:25 a.m.2 views

CVE-2026-4335

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment posttitle in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup function and its corresponding media-popup.php template...

5.4CVSS6AI score0.00176EPSS
Exploits0References7
CVE
CVE
added 2026/03/26 2:25 a.m.10 views

CVE-2026-4335

The ShortPixel Image Optimizer WordPress plugin (≤ 6.4.3) is vulnerable to Stored Cross-Site Scripting via the attachment post_title. The root cause is insufficient output escaping in getEditorPopup() and media-popup.php, where the attachment title retrieved from get_post() is inserted into an HT...

5.4CVSS6AI score0.00176EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/03/21 3:27 a.m.31 views

CVE-2026-0609 Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode

The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode...

6.4CVSS0.00156EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/18 6:31 p.m.8 views

EUVD-2026-12851

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access...

8.8CVSS6.3AI score0.00452EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.11 views

PT-2026-26087

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access...

8.8CVSS6.5AI score0.00452EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/03/13 8:25 a.m.24 views

CVE-2026-2879 GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the id parameter in the create method of the GetGenieChat REST API endpoint. The method accepts a user-controlled post ID and, when...

5.4CVSS0.00281EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/11 4:25 a.m.7 views

EUVD-2025-208561

The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possib...

8.8CVSS6.4AI score0.00468EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/11 4:25 a.m.30 views

CVE-2025-13067 Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass

The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possib...

8.8CVSS0.00468EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/10 11:21 p.m.3 views

CVE-2026-2569

The Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via PDF page labels in all versions up to, and including, 2.4.20 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.9AI score0.00152EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/10 3:33 a.m.4 views

CVE-2026-3585 The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import

The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...

7.5CVSS5.9AI score0.0035EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.8 views

PT-2026-24176

Name of the Vulnerable Software and Affected Versions The Events Calendar plugin for WordPress versions prior to 6.15.18 Description The Events Calendar plugin for WordPress is susceptible to a Path Traversal issue in versions up to and including 6.15.17. This allows authenticated attackers with...

7.5CVSS5.8AI score0.0035EPSS
Exploits0References6
Rows per page
Query Builder