64 matches found
CVE-2026-4804 Zakra <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta REST API
The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields zakramenuitemcolor, zakramenuitemhovercolor, and zakramenuitemactivecolor with 'showinrest' = tr...
CVE-2026-4804
The Zakra WordPress theme (
CVE-2026-4804
The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields zakramenuitemcolor, zakramenuitemhovercolor, and zakramenuitemactivecolor with 'showinrest' = tr...
CVE-2026-8892
The CM Business Directory – Optimise and showcase local business plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-8892 CM Business Directory <= 1.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Business Address Meta Fields
The CM Business Directory – Optimise and showcase local business plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for...
Corteza SQL注入漏洞
Corteza is an open-source low-code platform developed by the Corteza Project, designed for quickly building CRM, business processes, and structured data applications. The Corteza 2024.9.8 version contains a SQL injection vulnerability. This vulnerability arises from the SQL injection vulnerabilit...
CVE-2026-4088
The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppwctabox' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'ctaboxbuttonlink',...
CVE-2026-3534
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapin...
CVE-2026-3534
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapin...
CVE-2026-3534
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapin...
CVE-2026-3534 Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapin...
CVE-2026-3534
CVE-2026-3534 affects the Astra WordPress theme (versions
PT-2026-24590
🚨 CVE-2026-3534 The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ast-page-background-meta and ast-content-background-meta post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missin...
CVE-2026-2583 Blocksy <= 2.1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy_meta` Fields
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the blocksymeta metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acce...
CVE-2026-2583 Blocksy <= 2.1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy_meta` Fields
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the blocksymeta metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acce...
WordPress plugin Blocksy 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
PT-2026-22705
Name of the Vulnerable Software and Affected Versions Blocksy theme for WordPress versions up to and including 2.1.30 Description The Blocksy theme for WordPress is susceptible to Stored Cross-Site Scripting through the blocksy meta metadata fields. Insufficient input sanitization and output...
CVE-2025-14039
The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplefolioitemclientname' and 'simplefolioitemlink' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for...
EUVD-2025-206507
The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplefolioitemclientname' and 'simplefolioitemlink' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-14039
The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplefolioitemclientname' and 'simplefolioitemlink' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for...