
248 matches found

NVD
added 2025/09/24 1:15 p.m., 5 views

CVE-2025-9353

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access an...

CVSS 6.4, EPSS 0.00304
Exploits 0, References 7

NVD
added 2025/09/20 7:15 a.m., 5 views

CVE-2025-9883

The Browser Sniff plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web script...

CVSS 6.1, EPSS 0.00141
Exploits 0, References 3

CVE
added 2025/09/18 9:31 a.m., 26 views

CVE-2025-9992

The CVE-2025-9992 entry concerns Ghost Kit – Page Builder Blocks, Motion Effects & Extensions for WordPress. It is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to and including 3.4.3, due to insufficient input sanitization and output escaping. Exploitation ...

CVSS 6.4, AI score 4.6, EPSS 0.0018
Exploits 0, References 2

RedhatCVE
added 2025/09/13 7:25 a.m., 4 views

CVE-2025-8686

The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WPEASYFAQ shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4, AI score 5, EPSS 0.0028
Exploits 0, References 1

Positive Technologies
added 2025/09/11 12:0 a.m., 3 views

PT-2025-37156

The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplug authors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4, AI score 5, EPSS 0.0018
Exploits 0, References 3

OSV
added 2025/08/28 3:15 a.m., 3 views

CVE-2025-9344

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uwpprofile' and 'uwpprofileheader' shortcodes in all versions up to, and including, 1.2.42 due to insufficient...

CVSS 6.4, AI score 5.1
Exploits 0, References 3

NVD
added 2025/08/21 6:15 a.m., 4 views

CVE-2025-8607

The SlingBlocks – Gutenberg Blocks by FunnelKit Formerly WooFunnels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user suppli...

CVSS 6.4, EPSS 0.00185
Exploits 0, References 2

RedhatCVE
added 2025/08/17 3:28 a.m., 17 views

CVE-2025-8867

The Graphina - Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widget parameters in version 3.1.3 and below. This is due to insufficient input sanitization and output escaping on user supplied attributes such as chart categories,...

CVSS 6.4, AI score 6.1, EPSS 0.00374
Exploits 0, References 1

NVD
added 2025/08/16 4:16 a.m., 7 views

CVE-2025-7684

The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfmalbumsartwork.php' page. This makes it possible for unauthenticated attackers to update...

CVSS 6.1, EPSS 0.00159
Exploits 0, References 3

NVD
added 2025/08/16 4:16 a.m., 7 views

CVE-2025-7686

The weichuncaiWP伪春菜 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This makes it possible for unauthenticated attackers to update settings and inject...

CVSS 6.1, EPSS 0.00127
Exploits 0, References 2

CVE
added 2025/08/16 3:38 a.m., 24 views

CVE-2025-7686

CVE-2025-7686 refers to a CSRF-to-Stored XSS vulnerability in the WordPress plugin weichuncai(WP伪春菜) up to version 1.5, caused by missing or incorrect nonce validation on sm-options.php. Exploitation requires social engineering to persuade an admin to perform an action (e.g., clicking a forged li...

CVSS 6.1, AI score 6.5, EPSS 0.00127
Exploits 0, References 2

CVE
added 2025/08/16 3:38 a.m., 20 views

CVE-2025-7668

CVE-2025-7668 — Linux Promotional Plugin for WordPress is a CSRF to Stored XSS vulnerability affecting all versions up to 1.4. The issue arises from missing or incorrect nonce validation on the plugin’s linux-promotional-plugin.php page, enabling unauthenticated attackers to update settings and i...

CVSS 6.1, AI score 6.6, EPSS 0.00159
Exploits 0, References 3

Vulnrichment
added 2025/08/16 3:38 a.m., 3 views

CVE-2025-7668 Linux Promotional Plugin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Linux Promotional Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'inux-promotional-plugin.php' page. This makes it possible for unauthenticated attackers to update...

CVSS 6.1, AI score 6.6, EPSS 0.00159
Exploits 0, References 3

Positive Technologies
added 2025/08/16 12:0 a.m., 3 views

PT-2025-33528 · WordPress · Surbma | Recent Comments Shortcode

Name of the Vulnerable Software and Affected Versions: Surbma | Recent Comments Shortcode plugin for WordPress versions up to and including 2.0 Description: The Surbma | Recent Comments Shortcode plugin for WordPress is susceptible to Stored Cross-Site Scripting via the plugin's recent-comments...

CVSS 6.4, AI score 5.6, EPSS 0.00226
Exploits 0, References 6

Positive Technologies
added 2025/08/15 12:0 a.m., 5 views

PT-2025-33462 · WordPress · Add User Meta

Name of the Vulnerable Software and Affected Versions: Add User Meta plugin for WordPress versions up to and including 1.0.1 Description: The Add User Meta plugin for WordPress is susceptible to Cross-Site Request Forgery due to missing or incorrect nonce validation on the add-user-meta page. Thi...

CVSS 6.1, AI score 6.3, EPSS 0.00141
Exploits 0, References 7

CVE
added 2025/08/12 2:24 a.m., 25 views

CVE-2025-8688

CVE-2025-8688 : The WordPress plugin Inline Stock Quotes (versions

CVSS 6.4, AI score 5.9, EPSS 0.00232
Exploits 0, References 3

OSV
added 2025/07/24 11:15 p.m., 6 views

CVE-2025-3614

The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

CVSS 5.4, AI score 5.9, EPSS 0.00249
Exploits 0, References 3

RedhatCVE
added 2025/05/23 9:25 a.m., 3 views

CVE-2024-2926

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4, AI score 5, EPSS 0.00429
Exploits 0, References 1

RedhatCVE
added 2025/05/23 9:17 a.m., 1 views

CVE-2024-5001

The Image Hover Effects for Elementor with Lightbox and Flipbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id', 'oxiaddonsftitletag', and 'contentdescriptiontag' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and outpu...

CVSS 6.4, AI score 6, EPSS 0.00321
Exploits 0, References 1

RedhatCVE
added 2025/05/23 8:41 a.m., 5 views

CVE-2024-4630

The Starter Templates — Elementor, WordPress & Beaver Builder Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘customuploadmimes’ function in versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, AI score 6, EPSS 0.00446
Exploits 0, References 1