CVE-2026-2300 BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block
The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the filterimages function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (preg_replace) that does not properly handle HTML attribute boundaries when replacing sr...
Cross-site Scripting (XSS)
Overview: Affected versions of the clevertap-web-sdk package are vulnerable to Cross-site Scripting (XSS) via the handleCustomHtmlPreviewPostMessageEvent function due to insufficient origin validation using the includes method. An attacker can execute arbitrary scripts in the context of the...
CVE-2026-3041
The vulnerability CVE-2026-3041 affects BaykeShop (up to version 1.3.20), specifically the Article Sidebar Module’s file at src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html. The issue arises from a manipulation of the argument sidebar.content in the Article Sidebar Module, en...
CVE-2026-3041 xingfuggz BaykeShop Article Sidebar custom.html cross site scripting
A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. Impacted is an unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the component Article Sidebar Module. Such manipulation of the argument sidebar.content leads to cro...
EUVD-2021-25584
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2021-39202
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets edito...
CVE-2018-15530
Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code...
CVE-2024-11188
The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to POST-Based Reflected Cross-Site Scripting via the Custom HTML Form parameters in all versions up to, and including, 6.16.1.2 due to insufficient input...
WordPress Formidable Forms plugin <= 6.16.1.2 - Reflected Cross-Site Scripting via Custom HTML Form Parameter vulnerability
Reflected Cross-Site Scripting via Custom HTML Form Parameter vulnerability discovered by mikemyers in WordPress Plugin Formidable Forms versions <= 6.16.1.2...
BIT-WORDPRESS-2021-39202
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the cust...
BIT-WORDPRESS-MULTISITE-2021-39202
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the cust...
PT-2023-24825 · Microsoft · Windows Qrc Handler
Name of the Vulnerable Software and Affected Versions: Jami version 20222284
Description: The issue is related to improper input validation in hyperlink interpretation. This allows an attacker to send a custom HTML anchor tag to pass a string value to the Windows QRC Handler through the Jami...
projectSend r1605 - Stored XSS
Exploit Title: projectSend r1605 - Stored XSS
Application: projectSend
Version: r1605
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & P...
CVE-2023-0546 FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary JavaScript into a form which will trigger for any visitor to...
FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
The plugin does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary JavaScript into a form which will trigger for any visitor to the form or admins previewing or editing the...
SUSE CVE-2018-18500
A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird 60.5, Firefox ESR 60.5, and...
CVE-2022-23543 HTML attributes when attaching a YouTube link to the post
Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, and the site will generate a related <iframe> when the post is published. The handler has some sort of protection so non-YouTube links can't be posted, and HTML tags are stripped...
CVE-2022-1896
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
WordPress plugin underConstruction Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; a WordPress plugin is an application plugin for it. A cross-site scripting vulnerability exists in versions of the WordPress underConstruction plugin...
WordPress Plugin Cross-Site Scripting Vulnerability (CNVD-2021-94153)
WordPress is a PHP, MySQL and JavaScript based project and uses Node as its JavaScript dependency. A native development environment is available for getting up and running quickly. An XSS vulnerability exists in WordPress in version 5.8 beta 1, which is related to the affected version not properl...