CVE-2026-25465 WordPress CP Multi View Event Calendar plugin <= 1.4.36 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Stored XSS.This issue affects CP Multi View Event Calendar : from n/a through = 1.4.36...

CVE-2026-1503

The login_register plugin for WordPress (versions up to 1.2.0) is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting due to missing nonce validation on the settings page and insufficient sanitization/escaping of the login_post parameter. This allows unauthenticated at...

CVE-2026-1822 WP NG Weather <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

EUVD-2026-13925

The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing...

CVE-2026-3572

The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing...

PT-2026-26722

The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing...

CVE-2026-2324

CVE-2026-2324 affects the LatePoint – Calendar Booking Plugin for Appointments and Events (WordPress). Up to version 5.2.7 is vulnerable due to missing/incorrect nonce validation in the reload_preview() function, enabling unauthenticated attackers to update settings and inject malicious scripts v...

CVE-2026-2679

Reflected Cross-Site Scripting XSS on the A3factura web platform, in parameter 'customerName', in 'a3factura-app.wolterskluwer.es//incomes/salesInvoices' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser...

CVE-2026-26993

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG or other active content formats such as HTML...

CVE-2019-25425

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the VIRUSADMIN parameter. Attackers can send POST requests to the smtpconfig endpoint with script payloads to execute arbitrary...

PT-2026-20605

Name of the Vulnerable Software and Affected Versions s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress versions through 251005 Description The s2Member plugin for WordPress is susceptible to Stored Cross-Site...

WordPress FluentForm plugin <= 5.1.19 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Welcome Screen Fields vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting via Welcome Screen Fields vulnerability discovered by zer0gh0st in WordPress Plugin FluentForm versions = 5.1.19...

CVE-2019-25388

Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the ipblock.cgi endpoint. Attackers can inject script tags through the SRCIP and COMMENT paramete...

CVE-2025-7799

CVE-2025-7799 describes a Reflected XSS vulnerability in Zirve Information Technologies Inc.’s E-Taxpayer Accounting Website (through 07082025). The issue stems from improper input neutralization during web page generation, enabling attacker-supplied input to be reflected back to the user in the ...

CVE-2025-69102

CVE-2025-69102 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin WP Test Email (wp-test-email) versions up to and including 1.1.7. The issue is described as improper neutralization of input during web page generation, enabling reflected XSS. Public references ...

CVE-2025-68008 WordPress WP Mail plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS.This issue affects WP Mail: from n/a through = 1.3...

CVE-2025-67263

Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting XSS vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these...

CVE-2026-23847

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons type=8. The content query parameter is inserted directly into the S...

CVE-2026-23725 WeGIA Stored Cross-Site Scripting (XSS) – nome Parameter on Adopters Information Page

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting XSS vulnerability was identified in the html/pet/adotantes/cadastroadotante.php and html/pet/adotantes/informacaoadotantes.php endpoint of the WeGIA application. The application does not sanitize...

CVE-2026-0627

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes...