99 matches found

Vulnrichment
added 2025/12/19 4:40 p.m. | 2 views

CVE-2025-68457 Orejime has executable code in HTML attributes

Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding javascript: code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed one...

2.3 CVSS | 6.6 AI score | 0.00183 EPSS
Exploits 0 | References 3

OSV
added 2025/12/19 4:40 p.m. | 2 views

CVE-2025-68457 Orejime has executable code in HTML attributes

Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding javascript: code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed one...

2.3 CVSS | 6.8 AI score | 0.00183 EPSS
Exploits 0 | References 5

Positive Technologies
added 2025/12/19 12:0 a.m. | 5 views

PT-2025-52495

Name of the Vulnerable Software and Affected Versions: Orejime versions prior to 2.3.2. Description: Orejime, a consent manager focusing on accessibility, had a flaw where malicious code could be executed on HTML elements it handled. This occurred because the software, prior to version 2.3.2, would...

6.3 CVSS | 7.1 AI score | 0.00183 EPSS
Exploits 0 | References 9

RedhatCVE
added 2025/11/06 10:13 a.m. | 11 views

CVE-2025-11820

The Graphina – Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widgets in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping on data attributes. This makes it possible for authenticat...

6.4 CVSS | 5.1 AI score | 0.00203 EPSS
Exploits 0 | References 1

Cvelist
added 2025/11/05 9:27 a.m. | 6 views

CVE-2025-11820 Graphina – Elementor Charts and Graphs <= 3.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Widgets

The Graphina – Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widgets in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping on data attributes. This makes it possible for authenticat...

6.4 CVSS | 0.00203 EPSS
Exploits 0 | References 6

RedhatCVE
added 2025/11/05 2:13 a.m. | 2 views

CVE-2025-11841

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Chart Data attributes in all versions up to, and including, 12.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4 CVSS | 5 AI score | 0.00157 EPSS
Exploits 0 | References 1

Patchstack
added 2025/11/04 4:45 a.m. | 4 views

WordPress Greenshift plugin <= 12.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Data Attributes vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Data Attributes vulnerability discovered by Webbernaut in WordPress Plugin Greenshift versions <= 12.2.7...

6.4 CVSS | 5.8 AI score | 0.00157 EPSS
Exploits 0 | References 1 | Affected Software 1

NVD
added 2025/11/04 3:15 a.m. | 3 views

CVE-2025-11841

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Chart Data attributes in all versions up to, and including, 12.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4 CVSS | 0.00157 EPSS
Exploits 0 | References 2

Cvelist
added 2025/11/04 1:50 a.m. | 9 views

CVE-2025-11841 Greenshift – animation and page builder blocks <= 12.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Data Attributes

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Chart Data attributes in all versions up to, and including, 12.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4 CVSS | 0.00157 EPSS
Exploits 0 | References 2

CVE
added 2025/11/04 1:50 a.m. | 14 views

CVE-2025-11841

CVE-2025-11841 (Greenshift – animation and page builder blocks) affects Greenshift for WordPress up to and including version 12.2.7. The vulnerability is a stored XSS via Chart Data attributes caused by insufficient input sanitization and output escaping. It requires authenticated access at Contr...

6.4 CVSS | 4.7 AI score | 0.00157 EPSS
Exploits 0 | References 2

Positive Technologies
added 2025/11/04 12:0 a.m. | 5 views

PT-2025-44914

Name of the Vulnerable Software and Affected Versions: Greenshift – animation and page builder blocks versions up to and including 12.2.7. Description: The Greenshift plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Chart Data attributes. Insufficient input sanitization...

6.4 CVSS | 5.2 AI score | 0.00157 EPSS
Exploits 0 | References 5

CVE
added 2025/10/22 3:31 p.m. | 8 views

CVE-2025-62659

The CVE-2025-62659 issue affects the MediaWiki CookieConsent extension for Cookie consent management. It is a Cross-Site Scripting (XSS) vulnerability caused by improper handling of reserved data attributes in the Sanitizer::validateAttributes() function, enabling arbitrary scripts to run in a us...

2.1 CVSS | 5.5 AI score | 0.00267 EPSS
Exploits 0 | References 1

Cvelist
added 2025/10/22 3:31 p.m. | 6 views

CVE-2025-62659 The CookieConsent extension does not properly use reserved data attributes, thus introducing potential XSS vectors

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki CookieConsent extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki CookieConsent extension: from v0.1.0 before v2.0.0...

2.1 CVSS | 0.00267 EPSS
Exploits 0 | References 1

Vulnrichment
added 2025/10/22 3:31 p.m. | 3 views

CVE-2025-62659 The CookieConsent extension does not properly use reserved data attributes, thus introducing potential XSS vectors

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki CookieConsent extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki CookieConsent extension: from v0.1.0 before v2.0.0...

2.1 CVSS | 5.5 AI score | 0.00267 EPSS
Exploits 0 | References 1

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2025-31038

Malicious code in bioql PyPI...

8.6 CVSS | 6.4 AI score | 0.00282 EPSS
Exploits 1 | References 6

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2025-28378

Malicious code in bioql PyPI...

6.4 CVSS | 6.5 AI score | 0.00359 EPSS
Exploits 0 | References 9

RedhatCVE
added 2025/10/02 3:50 a.m. | 7 views

CVE-2025-9075

The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google...

6.4 CVSS | 5.1 AI score | 0.00227 EPSS
Exploits 0 | References 1

CVE
added 2025/09/25 1:56 p.m. | 12 views

CVE-2025-59839

Summary (CVE-2025-59839): The Star Citizen Wiki EmbedVideo Extension (MediaWiki) versions 4.0.0 and earlier allowed adding arbitrary HTML attributes via wikitext, enabling stored XSS through non-reserved data attributes (e.g., data-iframeconfig). Evidence from multiple sources notes this XSS clas...

8.6 CVSS | 5.8 AI score | 0.00282 EPSS
Exploits 1 | References 4 | Affected Software 1

OSV
added 2025/09/24 8:11 p.m. | 1 views

GHSA-4J5H-MVJ3-M48V Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes

Summary: The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. Details: The attributes of an iframe are populated with the value of an unreserved data attribute data-iframeconfig that can be set via wikitext:...

8.6 CVSS | 6.6 AI score | 0.00282 EPSS
Exploits 1 | References 6

Vulnrichment
added 2025/08/27 1:46 a.m. | 2 views

CVE-2025-7732 Lazy Load for Videos <= 2.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-video-title and href Attributes

The Lazy Load for Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its lazy‑loading handlers in all versions up to, and including, 2.18.7 due to insufficient input sanitization and output escaping. The plugin’s JavaScript registration handlers read the client‑supplied...

6.4 CVSS | 5.8 AI score | 0.00225 EPSS
Exploits 0 | References 5