CVE-2026-8844

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

CVE-2026-8847

The CVE-2026-8847 entry concerns the WordPress Dideo plugin (version 1.0) with a Stored XSS flaw in the dideo shortcode. The root cause is insufficient input sanitization and output escaping on the id attribute, which is inserted into an iframe src without escaping in the dideo() handler. Attacke...

CVE-2026-8844

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

CVE-2026-8844 Responsive Check <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

CVE-2026-8847

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

CVE-2026-8877

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'remvideo' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes notably 'id' and 'list' in the...

EUVD-2026-32053

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'remvideo' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes notably 'id' and 'list' in the...

CVE-2026-8877

The CVE-2026-8877 entry concerns the WordPress plugin Responsive Video Embedder (

PT-2026-43513

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

PT-2026-43523

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem video' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes notably 'id' and 'list' in the video...

CVE-2019-12184

There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136...

Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink

Summary The lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. Details...

CVE-2020-19697

Cross Site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the src parameter...

Mozilla Firefox Same-Origin Policy Bypass Vulnerability (CNVD-2016-08178)

Mozilla Firefox is an open source web browser. A vulnerability in Mozilla Firefox's handling of segment identifiers in the SRC attribute of the IFRAME element allows remote attackers to build malicious web pages that can be exploited to trick users into parsing them, which can be used to bypass t...

CVE-2016-6209

A user supplied GET parameter is used to create the value used as the src value of an iframe displayed on all pages. It allows for CSRF and javascript insertion techniques among others. An attacker could forge a malicious URL that could include javascript execution in the main browser frame...

FCMS CMS 2.7.2 - Multiple Cross-Site Request Forgery Vulnerabilities

FCMS2.7.2 cms and earlier multiple CSRF Vulnerability =================================================================================== Exploit Title: FCMS2.7.2 cms multiple CSRF Vulnerability Download link...

security flaw

The WYSIWYG rendering engine "rich mail" editor in Mozilla Thunderbird 1.0.7 and earlier allows user-assisted attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which i...

Mozilla Thunderbird code execution

IFRAME SRC attribute allows javascript execution...

Redirection and refresh parses local file

Redirection and refresh parses local file "that's all" is the end of file if you are in a hurry tested OS:WinXp Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30 demo http://www.safecenter.net/UMBRELLAWEBV4/IredirNrefresh/IredirNrefresh-MyPage.htm exp if an iframe whose SRC points to a...