
2673 matches found

Positive Technologies
added 2026/01/07 12:0 a.m. | 2 views

PT-2026-1860

Name of the Vulnerable Software and Affected Versions Perch CMS version 3.2 Description A stored Cross-Site Scripting XSS issue exists in Perch CMS. An attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. The...

CVSS 6.1 | AI score 5.6 | EPSS 0.00028
Exploits 1 | References 5

CNNVD
added 2026/01/07 12:0 a.m. | 1 views

WordPress plugin Viitor Button Shortcodes cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site scripting...

CVSS 6.4 | AI score 5.7 | EPSS 0.00026
Exploits 0 | References 3

Positive Technologies
added 2026/01/07 12:0 a.m. | 3 views

PT-2026-1622

Name of the Vulnerable Software and Affected Versions Viitor Button Shortcodes plugin for WordPress versions up to and including 3.0.0 Description The Viitor Button Shortcodes plugin for WordPress is susceptible to Stored Cross-Site Scripting through the link shortcode attribute. Insufficient inp...

CVSS 6.4 | AI score 5.2 | EPSS 0.00026
Exploits 0 | References 5

CVE
added 2026/01/07 12:0 a.m. | 7 views

CVE-2025-66686

The CVE describes a stored Cross-Site Scripting (XSS) flaw in Perch CMS version 3.2. An attacker with administrative privileges can inject malicious JavaScript into the “Help button url” in the admin panel; the payload is stored and executes when any authenticated user clicks the Help button. Imp...

CVSS 6.1 | AI score 5.3 | EPSS 0.00028
Exploits 1 | References 2 | Affected Software 1

Patchstack
added 2026/01/06 11:17 p.m. | 6 views

WordPress Viitor Button Shortcodes plugin <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'link' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin Viitor Button Shortcodes versions <= 3.0.0...

CVSS 6.4 | AI score 5.5 | EPSS 0.00026
Exploits 0 | References 1 | Affected Software 1

SUSE CVE
added 2026/01/06 12:36 a.m. | 3 views

SUSE CVE-2017-18890

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request...

CVSS 4.3 | AI score 4.8 | EPSS 0.00138
Exploits 0 | References 2

Positive Technologies
added 2026/01/01 12:0 a.m. | 3 views

PT-2026-20915

Name of the Vulnerable Software and Affected Versions SPIP versions prior to 4.4.9 Description SPIP versions before 4.4.9 contain a Cross-Site Scripting XSS issue in the private area. A previous fix in SPIP 4.4.8 was incomplete, and the echappe anti xss function was not consistently applied to...

CVSS 5.4 | AI score 5.3 | EPSS 0.00065
Exploits 0 | References 8

OSV
added 2025/12/31 1:21 p.m. | 1 views

MAL-2025-192995 Malicious code in @vietmoney/react-native-action-button (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df1a9f2c1ef7c8dd8ece133048315f8ab738a4d5d8bf1a11dbe5f932d39e2eca The package @vietmoney/react-native-action-button was found to contain malicious code. Source: ghsa-malware...

AI score 6.8
Exploits 0 | References 1

EUVD
added 2025/12/31 1:21 p.m. | 2 views

EUVD-2025-205936

Malicious code in @vietmoney/react-native-action-button npm...

AI score 6.6
Exploits 0 | References 1

Patchstack
added 2025/12/31 12:0 a.m. | 3 views

WordPress Magic Buttons for Elementor plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via magic-button Shortcode vulnerability discovered by Gilang - DJ in WordPress Plugin Magic Buttons for Elementor versions <= 1.0...

CVSS 6.4 | AI score 5.9 | EPSS 0.00122
Exploits 0 | References 1 | Affected Software 1

Patchstack
added 2025/12/31 12:0 a.m. | 4 views

WordPress Anber Elementor Addon plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Banner button link vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Banner button link vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Anber Elementor Addon versions <= 1.0.1...

CVSS 6.4 | AI score 5.9 | EPSS 0.00058
Exploits 0 | References 1 | Affected Software 1

Patchstack
added 2025/12/31 12:0 a.m. | 3 views

WordPress TableOn plugin <= 1.0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via tableon_popup_iframe_button Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via tableon_popup_iframe_button Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin TableOn versions <= 1.0.4.1...

CVSS 6.4 | AI score 5.9 | EPSS 0.00157
Exploits 0 | References 1 | Affected Software 1

Patchstack
added 2025/12/31 12:0 a.m. | 3 views

WordPress WishSuite plugin <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'button_text' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin WishSuite versions <= 1.5.1...

CVSS 6.4 | AI score 5.9 | EPSS 0.00037
Exploits 0 | References 1 | Affected Software 1

CNVD
added 2025/12/29 12:0 a.m. | 1 views

CMSimple Cross-Site Scripting Vulnerability

CMSimple is a free content management system. CMSimple suffers from a cross-site scripting vulnerability that stems from the application not effectively filtering or neutralizing HTML Unicode encoding when processing user input. An attacker could use this vulnerability to execute arbitrary...

CVSS 6.1 | AI score 6.4 | EPSS 0.00025
Exploits 1 | References 1

vulnersOsv
added 2025/12/26 3:30 p.m. | 6 views

3loc (>=0.1.0 <=0.4.0), 3scale (>=0.2.0 <=0.6.2) +657 more potentially affected by CVE-2025-25341 via libxmljs (>=0.10.0 <=1.0.9)

libxmljs NPM version =0.10.0, =0.1.0, =0.2.0, =0.3.2, =0.0.1, =4.0.1, =1.10.4, =1.8.1, =1.5.8, =1.5.1, =1.8.3, =0.1.0, =1.0.1, =1.2.0 and more Source cves: CVE-2025-25341 Source advisory: SNYK:JS-LIBXMLJS-14723210...

CVSS 7.5 | AI score 5.8 | EPSS 0.00032
Exploits 1

CVE
added 2025/12/23 7:35 p.m. | 8 views

CVE-2021-47733

CMSimple 5.4 is affected by a cross-site scripting vulnerability that bypasses input filtering by HTML Unicode encoding. The vulnerability arises because the application does not effectively neutralize HTML Unicode encoding when processing user input, enabling an attacker to inject arbitrary Java...

CVSS 6.1 | AI score 6 | EPSS 0.00025
Exploits 1 | References 3 | Affected Software 1

Vulnrichment
added 2025/12/23 7:35 p.m. | 3 views

CVE-2021-47733 CMSimple 5.4 Cross-Site Scripting via HTML Unicode Encoding

CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like '-alert1// and execute arbitrary JavaScript when victims interact with delete buttons...

CVSS 6.1 | AI score 6 | EPSS 0.00025
Exploits 1 | References 3

Positive Technologies
added 2025/12/23 12:0 a.m. | 4 views

PT-2025-52833

Name of the Vulnerable Software and Affected Versions CMSimple version 5.4 Description The software contains a cross-site scripting issue that allows attackers to bypass input filtering. This is achieved by using HTML to Unicode encoding, enabling the injection of malicious scripts. Attackers can...

CVSS 6.1 | AI score 6.4 | EPSS 0.00025
Exploits 1 | References 5

EUVD
added 2025/12/21 3:31 a.m. | 2 views

EUVD-2025-204653

The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttontext' parameter of the 'wishsuitebutton' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVSS 6.4 | AI score 4.7 | EPSS 0.00037
Exploits 0 | References 6

Positive Technologies
added 2025/12/21 12:0 a.m. | 3 views

PT-2025-52572

Name of the Vulnerable Software and Affected Versions WishSuite versions up to and including 1.5.1 Description The WishSuite plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping in the 'button text' parameter of the...

CVSS 6.4 | AI score 5.8 | EPSS 0.00037
Exploits 0 | References 9