CVE-2026-7850

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks...

CVE-2026-9125

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkurl' parameter of the prestoplayeroverlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which copies...

CVE-2026-9125 The Ultimate Video Player For WordPress <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkurl' parameter of the prestoplayeroverlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which copies...

PT-2026-48818

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link url' parameter of the presto player overlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which...

CVE-2019-25643

creationtimestamp| type| source ---|---|--- 2026-03-24 13:54:30+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mhspysaiyz2p...

CVE-2026-26985

creationtimestamp| type| source ---|---|--- 2026-02-26 01:05:41+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mfpyw4brcq2d 2026-02-26 05:15:58+00:00| seen| https://bsky.app/profile/postac001.bsky.social/post/3mfqgvmufgs2h 2026-02-26 07:17:19+00:00| seen|...

CVE-2026-1985

CVE-2026-1985 pertains to the WordPress Press3D plugin up to version 1.0.2, where a vulnerability in the 3D Model Gutenberg block allows Stored Cross-Site Scripting via the link URL parameter. The root cause is inadequate sanitization/validation of the URL scheme when storing model block URLs, en...

CVE-2026-1985 Press3D <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block

The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing javascript:...

WordPress Press3D plugin <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block vulnerability

Authenticated Author+ Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block vulnerability discovered by WordFence in WordPress Plugin Press3D versions = 1.0.2...

CVE-2026-22867

LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacke...

CVE-2025-59384

creationtimestamp| type| source ---|---|--- 2026-01-02 17:43:25+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mbhgzjvezu2o 2026-01-02 18:54:57+00:00| seen| Telegram/fKGzgPxm4HdOPbxQ-IlBp8HZpa9ZU7wv577tZMCQId7qg 2026-01-02 21:56:58+00:00| seen|...

EUVD-2021-0462

Malware in sbrugna...

PT-2025-38694

Name of the Vulnerable Software and Affected Versions MuYuCMS versions prior to 2.7 Description A server-side request forgery condition exists in MuYuCMS. The issue is located in an unknown function within the /index/index.html file of the Add Fiend Link Handler component. Manipulation of the Lin...

CVE-2025-58746

The CVE-2025-58746 issue affects the Volkov Labs Business Links panel for Grafana, where prior to version 2.4.0 an Editor can escalate to Administrator due to arbitrary JavaScript code injection in the Layout → Link → URL field. The vulnerability enables arbitrary administrative actions on affect...

CVE-2025-7440

The Anber Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $item'buttonlink''url' parameter in all versions up to, and including, 1.0.1 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-7439 Anber Elementor Addon <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Banner button link

Anber Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $anberitem'buttonlink''url'’ parameter in all versions up to, and including, 1.0.1 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-54310

qBittorrent before 5.1.2 does not prevent access to a local file that is referenced in a link URL. This affects rsswidget.cpp and searchjobwidget.cpp...

CVE-2024-1074

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the audio widget 'linkurl' parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2021-29434

Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could...

CVE-2020-15902

Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option...