29 matches found

RedhatCVE
added 2025/12/21 9:12 a.m. · 3 views

CVE-2025-14298

The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's thegem_te_search shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

CVSS 5.4 · AI score 5 · EPSS 0.00031
Exploits: 0 · References: 1

NVD
added 2025/12/20 9:15 a.m. · 1 view

CVE-2025-14298

The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's thegem_te_search shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

CVSS 5.4 · EPSS 0.00031
Exploits: 0 · References: 5

Cvelist
added 2025/12/20 8:22 a.m. · 16 views

CVE-2025-14298 FiboSearch – Ajax Search for WooCommerce <= 1.32.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via thegem_te_search Shortcode

The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's thegem_te_search shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

CVSS 5.4 · EPSS 0.00031
Exploits: 0 · References: 5

Vulnrichment
added 2025/12/20 8:22 a.m. · 2 views

CVE-2025-14298 FiboSearch – Ajax Search for WooCommerce <= 1.32.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via thegem_te_search Shortcode

The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's thegem_te_search shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

CVSS 5.4 · AI score 4.7 · EPSS 0.00031
Exploits: 0 · References: 5

CVE
added 2025/12/20 8:22 a.m. · 11 views

CVE-2025-14298

CVE-2025-14298 (FiboSearch – Ajax Search for WooCommerce) is a stored cross-site scripting vulnerability via the thegem_te_search shortcode in all versions up to 1.32.0. Exploitation requires TheGem Theme (premium) with Header Builder mode and FiboSearch’s "Replace search bars" option enabled for TheGem integration. Th...

CVSS 5.4 · AI score 4.7 · EPSS 0.00031
Exploits: 0 · References: 5

Positive Technologies
added 2025/12/20 12:0 a.m. · 3 views

PT-2025-52549

Name of the Vulnerable Software and Affected Versions: FiboSearch – Ajax Search for WooCommerce plugin for WordPress versions prior to 1.32.1 Description: The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting. The issue stems from inadequate...

CVSS 5.4 · AI score 5.8 · EPSS 0.00031
Exploits: 0 · References: 10

RedhatCVE
added 2025/05/23 8:47 a.m. · 1 view

CVE-2024-4634

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hfesvgmimetypes’ function in versions up to, and including, 1.6.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 · AI score 6 · EPSS 0.00273
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 8:23 a.m. · 3 views

CVE-2024-1237

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the flyoutlayout attribute in all versions up to, and including, 1.6.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 · AI score 5 · EPSS 0.00242
Exploits: 0 · References: 1

CVE
added 2025/05/06 9:22 p.m. · 61 views

CVE-2025-0853

CVE-2025-0853: PGS Core WordPress plugin

CVSS 7.5 · AI score 7.7 · EPSS 0.00326
Exploits: 0 · References: 2

CVE
added 2025/01/09 11:10 a.m. · 45 views

CVE-2024-12206

CVE-2024-12206 affects WordPress Header Builder Plugin – Pearl. The vulnerability is a CSRF on the stm_header_builder page that allows unauthenticated attackers to delete headers. It impacts all versions up to and including 1.3.8 due to missing nonce validation. Connected references indicate a pa...

CVSS 4.3 · AI score 4.3 · EPSS 0.00178
Exploits: 0 · References: 2

Vulnrichment
added 2025/01/09 11:10 a.m. · 5 views

CVE-2024-12206 Wordpress Header Builder Plugin <= 1.3.8 - Cross-Site Request Forgery to Header Deletion

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to dele...

CVSS 4.3 · AI score 4.4 · EPSS 0.00178
Exploits: 0 · References: 2

Cvelist
added 2025/01/09 11:10 a.m. · 9 views

CVE-2024-12206 Wordpress Header Builder Plugin <= 1.3.8 - Cross-Site Request Forgery to Header Deletion

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to dele...

CVSS 4.3 · EPSS 0.00178
Exploits: 0 · References: 2

Positive Technologies
added 2025/01/09 12:0 a.m. · 2 views

PT-2025-1779 · WordPress · Wordpress Header Builder Plugin – Pearl

Name of the Vulnerable Software and Affected Versions: The WordPress Header Builder Plugin – Pearl plugin for WordPress versions up to, and including, 1.3.8 Description: The issue is due to missing or incorrect nonce validation on the stm header builder page, making it possible for unauthenticate...

CVSS 4.3 · AI score 7.2 · EPSS 0.00178
Exploits: 0 · References: 7

CNNVD
added 2024/11/13 12:0 a.m. · 3 views

WordPress plugin Boostify Header Footer Builder for Elementor security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plug-in. A security vulnerability...

CVSS 4.3 · AI score 8.2 · EPSS 0.00257
Exploits: 0 · References: 3

ATTACKERKB
added 2024/06/12 9:15 a.m. · 2 views

CVE-2024-5468

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to a missing validation and capability checks on the stm_hb_delete function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to...

CVSS 6.5 · AI score 5.9 · EPSS 0.00118
Exploits: 0 · References: 3

Vulnrichment
added 2024/06/12 8:33 a.m. · 8 views

CVE-2024-5468 WordPress Header Builder Plugin – Pearl <= 1.3.7 - Missing Authorization to Unauthenticated Arbitrary Site Options Deletion

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to a missing validation and capability checks on the stm_hb_delete function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to...

CVSS 6.5 · AI score 6.8 · EPSS 0.00118
Exploits: 0 · References: 2

CVE
added 2024/06/12 8:33 a.m. · 37 views

CVE-2024-5468

The CVE-2024-5468 entry corresponds to WordPress Header Builder Plugin – Pearl (≤ 1.3.7). It describes an unauthorized deletion of arbitrary site options due to missing validation and capability checks in stm_hb_delete(), exploitable by unauthenticated attackers and potentially enabling DoS. Publ...

CVSS 6.5 · AI score 6.6 · EPSS 0.00118
Exploits: 0 · References: 2

WPVulnDB
added 2024/06/11 12:0 a.m. · 8 views

WordPress Header Builder Plugin – Pearl < 1.3.8 - Missing Authorization to Unauthenticated Arbitrary Site Options Deletion

Description: The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to a missing validation and capability checks on the stm_hb_delete function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated...

CVSS 6.5 · AI score 6.7 · EPSS 0.00118
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2024/05/16 8:31 a.m. · 3 views

WordPress Elementor Header & Footer Builder plugin <= 1.6.26 - Authenticated (Author+) HTML Injection vulnerability

Authenticated Author+ HTML Injection vulnerability discovered by wesley wcraft in WordPress Plugin Ultimate Addons for Elementor - Lite versions <= 1.6.26...

CVSS 5.4 · AI score 7.2 · EPSS 0.0017
Exploits: 0 · References: 1 · Affected Software: 1

CVE
added 2024/05/02 4:52 p.m. · 45 views

CVE-2024-4000

CVE-2024-4000 affects the WordPress Header Builder Plugin – Pearl (WordPress) and is a Stored Cross-Site Scripting vulnerability via the stm_hb shortcode. Affected versions are up to 1.3.6, with the issue caused by insufficient input sanitization and output escaping on user-provided short...

CVSS 6.4 · AI score 5.7 · EPSS 0.00405
Exploits: 0 · References: 2