CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

24485 matches found

CVE-2026-12136

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

6.4CVSS

Exploits0References5

CVE•added 10 hours ago•9 views

CVE-2026-12136

CVE-2026-12136 affects the WordPress plugin “Customize My Account for WooCommerce” up to version 4.3.6. The root cause is insufficient input sanitization and output escaping on shortcode attributes (min_height, min_width, max_height, max_width) used by sysbasics_user_avatar, which are concatenate...

6.4CVSS5.6AI score

Exploits0References5

Nuclei•added 14 hours ago•41 views

osTicket < 1.12.1 - Cross-Site Scripting

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the...

6.1CVSS6.8AI score0.11687EPSS

Exploits4References5

Nuclei•added 14 hours ago•22 views

WordPress MF Gig Calendar <=1.1 - Cross-Site Scripting

WordPress MF Gig Calendar plugin 1.1 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize or escape the id GET parameter before outputting back in the admin dashboard when editing an event. id: CVE-2021-24510 info: name: WordPress MF Gig Calendar =1.2 which...

6.1CVSS5.9AI score0.0231EPSS

Exploits1References4

Nuclei•added 14 hours ago•24 views

Membership Database <= 1.0 - Cross-Site Scripting

Membership Database before 1.0 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker t...

6.1CVSS6.9AI score0.0085EPSS

Exploits2References3

Nuclei•added 14 hours ago•104 views

WordPress Jannah Theme <5.4.5 - Cross-Site Scripting

WordPress Jannah theme before 5.4.5 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action. id: CVE-2021-24407 info: name: WordPress Jannah Theme 5.4.5 - Cross-Site Scripting author: pikpikcu severity:...

6.1CVSS5.9AI score0.02697EPSS

Exploits2References4

Nuclei•added 14 hours ago•28 views

WordPress WPQA <5.4 - Cross-Site Scripting

WordPress WPQA plugin prior to 5.4 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape a parameter on its reset password form. id: CVE-2022-1597 info: name: WordPress WPQA 5.4 - Cross-Site Scripting author: veshraj severity: medium description: | WordPress WPQ...

6.1CVSS5.8AI score0.0291EPSS

Exploits2References5

Nuclei•added 14 hours ago•23 views

WordPress Copyright Proof <=4.16 - Cross-Site-Scripting

WordPress Copyright Proof plugin 4.16 and prior contains a cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users when a specific setting is enabled. id: CVE-2022-1906...

6.1CVSS5.8AI score0.00922EPSS

Exploits2References4

Nuclei•added 14 hours ago•44 views

wpForo Forum <= 2.1.8 - Cross-Site Scripting

The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforodebug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

6.1CVSS7.3AI score0.00812EPSS

Exploits1References4

Nuclei•added 14 hours ago•32 views

ChurchCRM v4.5.3 - Cross-Site Scripting

A stored Cross-site scripting XSS vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. id: CVE-2023-31548 info: name: ChurchCRM v4.5.3 - Cross-Site Scripting author: Harsh severity: medium...

5.4CVSS5.9AI score0.01248EPSS

Exploits1References3

Nuclei•added 14 hours ago•12 views

WP Triggers Lite - Cross-Site Scripting

WP Triggers Lite WordPress plugin v2.5.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

7.1CVSS8.1AI score0.00549EPSS

Exploits1References2

Nuclei•added 14 hours ago•19 views

WordPress Email Newsletter - Reflected XSS

WordPress Email Newsletter plugin through 1.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to cra...

5.4CVSS8.1AI score0.0068EPSS

Exploits1References1

Nuclei•added 14 hours ago•17 views

GamiPress <= 2.8.9 - SQL Injection

GamiPress WordPress plugin version 2.8.9 and below suffers from an SQL injection vulnerability due to insufficient sanitization of user input, allowing attackers to execute arbitrary SQL commands. id: CVE-2024-13496 info: name: GamiPress = 2.8.9 - SQL Injection author: ritikchaddha severity: high...

7.5CVSS9AI score0.02191EPSS

Exploits0References2

Nuclei•added 14 hours ago•41 views

LoLLMS WebUI - Subfolder Prediction via Path Traversal

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'addreferencetolocalmode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. id: CVE-2024-4841 info: name: LoLLMS WebUI - Subfolder Prediction via Path...

4CVSS4.9AI score0.00674EPSS

Exploits1

Nuclei•added 14 hours ago•11 views

Bulk Me Now! Plugin <= 2.0 - Cross-Site Scripting

Bulk Me Now! WordPress plugin = 2.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

7.1CVSS8.1AI score0.00526EPSS

Exploits1References2

Nuclei•added 14 hours ago•32 views

Grafana Post-Auth DuckDB - SQL Injection To File Read

The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or highe...

9.9CVSS6.6AI score0.97781EPSS

Exploits9References3

Nuclei•added 2 days ago•70 views

GLPI < 10.0.17 - Pre-Auth SQL Injection

A pre-authentication SQL injection vulnerability exists in the Inventory feature of GLPI. The vulnerability is caused by insufficient sanitization of user input in the handleAgent function when processing XML requests. The issue occurs because SimpleXMLElement objects can bypass the...

9.8CVSS6.1AI score0.86222EPSS

Exploits5References3

Github Security Blog•added 3 days ago•10 views

@angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)

An issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism createComponent failed to reject mounting components directly onto a or namespaced script element such as . This...

6.1AI score0.00101EPSS

Exploits0References4Affected Software1

CVE•added 3 days ago•4 views

CVE-2016-20070

CVE-2016-20070 affects WordPress plug‑in Booking Calendar Contact Form 1.0.23 . The vulnerability comprises a privilege escalation and a stored XSS flaw that allows authenticated, subscriber‑level users to modify plugin options and inject XSS payloads. Payloads can be supplied via parameters such...

6.4CVSS5.3AI score0.00231EPSS

Exploits0References3

OSV•added 5 days ago•10 views

BIT-GITLAB-2026-10087 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a...

8.7CVSS5.9AI score0.00427EPSS

Exploits0References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by