539 matches found

Source: Nuclei (added yesterday)

Custom Field Manager WordPress - Cross-Site Scripting

Custom Field Manager WordPress plugin through 1.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high-privilege users such as admin; exploitation requires a crafted request. id: CVE-2024-12873 info: name: Custom Field Manager...

CVSS 6.1, AI score 7.2, EPSS 0.0053, Exploits 1, References 2
Source: NVD (added 2 days ago)

CVE-2026-57687

Contributor SQL Injection in Custom Field Template <= 2.7.8 versions...

CVSS 8.5, EPSS 0.0022, Exploits 0, References 1
Source: CVE (added 2 days ago)

CVE-2026-57687

CVE-2026-57687 concerns a SQL Injection vulnerability in the WordPress plugin Custom Field Template (versions

CVSS 8.5, AI score 5.8, EPSS 0.0022, Exploits 0, References 1
Source: Cvelist (added 2 days ago)

CVE-2026-57687 WordPress Custom Field Template plugin <= 2.7.8 - SQL Injection vulnerability

Contributor SQL Injection in Custom Field Template <= 2.7.8 versions...

CVSS 8.5, EPSS 0.0022, Exploits 0, References 1
Source: EUVD (added 2 days ago)

EUVD-2026-41296

Contributor SQL Injection in Custom Field Template <= 2.7.8 versions...

CVSS 8.5, AI score 5.8, EPSS 0.0022, Exploits 0, References 1
Source: Nuclei (added 2 days ago)

Advanced Custom Fields < 6.1.6 - Cross-Site Scripting

Advanced Custom Fields before 6.1.6 is susceptible to cross-site scripting via the post_status parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow th...

CVSS 7.1, AI score 7.1, EPSS 0.38768, Exploits 3, References 5
Source: Patchstack (added 5 days ago)

WordPress Custom Field Template plugin <= 2.7.8 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin Custom Field Template versions <= 2.7.8...

CVSS 8.5, AI score 5.8, EPSS 0.0022, Exploits 0, Affected Software 1
Source: ATTACKERKB (added 2026/06/19 4:31 a.m.)

CVE-2026-1856

The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, AI score 6, EPSS 0.00193, Exploits 0, References 5
Source: CVE (added 2026/06/19 4:31 a.m.)

CVE-2026-1856

Summary: CVE-2026-1856 affects the WordPress plugin "Appointment Booking Calendar" (Creavi Booking Service)

CVSS 6.4, AI score 5.5, EPSS 0.00193, Exploits 0, References 4
Source: RedhatCVE (added 2026/06/05 7:34 p.m.)

CVE-2026-1541

The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusion_get_post_custom_field function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...

CVSS 4.3, AI score 5.4, EPSS 0.00269, Exploits 0, References 1
Source: NVD (added 2026/05/28 9:16 p.m.)

CVE-2026-41897

Mantis Bug Tracker MantisBT is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php normally used as an AJAX in View Issues Page allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This...

CVSS 5.3, EPSS 0.00281, Exploits 0, References 3
Source: OSV (added 2026/05/11 7:34 p.m.)

GHSA-QJ6W-V29Q-4RGX MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values

Improper escaping of a textarea custom field's contents in the Update Issue page bug_update_page.php allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. Impact: Session theft leading to admin account takeover, full project data access....

CVSS 5.4, AI score 6.1, EPSS 0.0023, Exploits 0, References 5
Source: Snyk (added 2026/05/11 7:34 p.m.)

Cross-site Scripting (XSS)

Overview: mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper escaping of textarea custom field contents in the bug_update_page.php process. An attacker can inject HTML and, if content security policy settings allow,...

CVSS 5.4, AI score 5.8, EPSS 0.0023, Exploits 0, References 2
Source: Github Security Blog (added 2026/05/11 7:34 p.m.)

MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values

Improper escaping of a textarea custom field's contents in the Update Issue page bug_update_page.php allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. Impact: Session theft leading to admin account takeover, full project data access....

CVSS 5.4, AI score 6.8, EPSS 0.0023, Exploits 0, References 5, Affected Software 1
Source: EUVD (added 2026/04/22 9:31 p.m.)

EUVD-2026-22822

The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusion_get_post_custom_field function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...

CVSS 4.3, AI score 5.7, EPSS 0.00269, Exploits 0, References 3
Source: Vulnrichment (added 2026/04/15 8:18 a.m.)

CVE-2025-40899 Stored Cross-Site Scripting (XSS) in Assets and Nodes in Guardian/CMC before 26.0.0

A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the...

CVSS 8.9, AI score 5.8, EPSS 0.00288, Exploits 0, References 1
Source: CVE (added 2026/04/15 1:25 a.m.)

CVE-2026-1541

The CVE concerns the Avada (Fusion) Builder WordPress plugin, affected up to version 3.15.1. The root cause is that fusion_get_post_custom_field() does not validate whether metadata keys are underscore-prefixed, enabling authenticated users with Subscriber-level access and above to expose protect...

CVSS 4.3, AI score 5.7, EPSS 0.00269, Exploits 0, References 2
Source: Vulnrichment (added 2026/04/15 1:25 a.m.)

CVE-2026-1541 Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference

The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusion_get_post_custom_field function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...

CVSS 4.3, AI score 5.7, EPSS 0.00269, Exploits 0, References 2
Source: ATTACKERKB (added 2026/04/15 1:25 a.m.)

CVE-2026-1541

The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusion_get_post_custom_field function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...

CVSS 4.3, AI score 5.7, EPSS 0.00269, Exploits 0, References 3
Source: Positive Technologies (added 2026/04/15 12:00 a.m.)

PT-2026-32995

The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusion_get_post_custom_field function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...

CVSS 4.3, AI score 5.7, EPSS 0.00269, Exploits 0, References 2