
4 matches found

NVD
added 2026/02/18 10:16 a.m. | 2 views

CVE-2026-2126

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the uspgetsubmittedcategory function accepting user-submitted category IDs from the POST body...

CVSS 5.3 | EPSS 0.00032
Exploits: 0 | References: 4
Prion
added 2021/09/20 10:15 a.m. | 10 views

Cross site scripting

The You Shang WordPress plugin through 1.0.1 does not escape its qrcode links settings, which results in Stored Cross-Site Scripting issues in frontend posts and the plugin's settings page, depending on the payload used...

CVSS 3.5 | AI score 5.3 | EPSS 0.0018
Exploits: 1 | References: 1 | Affected Software: 1
wpexploit
added 2021/09/20 12:0 a.m. | 726 views

Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting

The plugin does not sanitise or escape its QR settings, nor does it have any CSRF check in place, allowing attackers to make a logged-in admin change the settings and perform Cross-Site Scripting attacks. Put the following payload in the QR setting: "alert/XSS/ The XSS will be triggered in the plugin's...

CVSS 5.4 | AI score 5.4 | EPSS 0.00099
Exploits: 1
wpexploit
added 2021/08/10 12:0 a.m. | 619 views

AddToAny Share Buttons < 1.7.48 - Admin+ Stored Cross-Site Scripting

The plugin does not escape its Image URL button setting, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Add the following payload in the Universal Button Image URL settings: " onerror=alert/XSS/ " The XSS...

CVSS 4.8 | AI score 0.3 | EPSS 0.00206
Exploits: 2 | References: 1