Lucene search
+L

1375 matches found

cvelist
cvelist
added 2026/03/04 1:21 a.m.32 views

CVE-2026-2289 Taskbuilder <= 5.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Block Emails' Field

The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS0.00254EPSS
Exploits0References6
attackerkb
attackerkb
added 2026/03/04 1:21 a.m.9 views

CVE-2026-2289

The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS5.9AI score0.00254EPSS
Exploits0References7
attackerkb
attackerkb
added 2026/02/26 1:24 a.m.5 views

CVE-2026-2499

The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS5.6AI score0.00193EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2026/02/26 1:24 a.m.5 views

CVE-2026-2498 WP Social Meta <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings

The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

4.4CVSS5.6AI score0.00199EPSS
Exploits0References5
redhatcve
redhatcve
added 2026/02/20 7:22 a.m.6 views

CVE-2026-2282

The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS5.7AI score0.00237EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/02/19 1:29 p.m.4 views

CVE-2025-13727

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

4.4CVSS5.7AI score0.00274EPSS
Exploits0References1
nvd
nvd
added 2026/02/19 7:17 a.m.9 views

CVE-2026-1055

The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS0.00203EPSS
Exploits0References6
cvelist
cvelist
added 2026/02/19 4:36 a.m.31 views

CVE-2026-1044 Tennis Court Bookings <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings and Calendar Parameters

The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS0.00254EPSS
Exploits0References6
vulnrichment
vulnrichment
added 2026/02/19 4:36 a.m.5 views

CVE-2026-1044 Tennis Court Bookings <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings and Calendar Parameters

The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS5.7AI score0.00254EPSS
Exploits0References6
cvelist
cvelist
added 2026/02/19 4:36 a.m.32 views

CVE-2026-2282 Slidorion <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Slidorion Settings

The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS0.00237EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/02/19 12:0 a.m.10 views

PT-2026-20794

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

4.4CVSS5.7AI score0.00189EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/02/19 12:0 a.m.6 views

PT-2026-20635

Name of the Vulnerable Software and Affected Versions TalkJS plugin for WordPress versions prior to 0.1.16 Description The TalkJS plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated...

4.4CVSS6AI score0.00203EPSS
Exploits0References9
vulnrichment
vulnrichment
added 2026/02/18 9:25 a.m.5 views

CVE-2025-13727 Video Share VOD <= 2.7.11 - Authenticated (Editor+) Stored Cross-Site Scripting via Custom Field Meta Values

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

4.4CVSS5.7AI score0.00274EPSS
Exploits0References6
cve
cve
added 2026/02/18 7:25 a.m.25 views

CVE-2026-1943

CVE-2026-1943 concerns the WordPress plugin YayMail – WooCommerce Email Customizer (versions

4.4CVSS5.7AI score0.00264EPSS
Exploits0References5
attackerkb
attackerkb
added 2026/02/18 7:25 a.m.4 views

CVE-2026-1943

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop...

4.4CVSS5.7AI score0.00264EPSS
Exploits0References6
redhatcve
redhatcve
added 2026/02/15 7:10 a.m.13 views

CVE-2026-0735

The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

4.4CVSS5.7AI score0.00237EPSS
Exploits0References1
nvd
nvd
added 2026/02/14 7:16 a.m.20 views

CVE-2026-0735

The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

4.4CVSS0.00237EPSS
Exploits0References3
nvd
nvd
added 2026/02/14 7:16 a.m.42 views

CVE-2026-0693

The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the wpksesdata output filter for termdescription, linkdescription,...

4.4CVSS0.00237EPSS
Exploits0References3
cve
cve
added 2026/02/14 6:42 a.m.20 views

CVE-2025-15483

CVE-2025-15483 concerns the WordPress plugin Link Hopper (versions ≤ 2.5). It permits Stored XSS via the hop_name parameter. Exploitation requires authenticated admin access and is limited to multi-site installations or sites where unfiltered_html is disabled. The provided documents confirm the v...

4.4CVSS5.7AI score0.00206EPSS
Exploits0References2
cvelist
cvelist
added 2026/02/14 6:42 a.m.30 views

CVE-2026-0693 Allow HTML in Category Descriptions <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions

The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the wpksesdata output filter for termdescription, linkdescription,...

4.4CVSS0.00237EPSS
Exploits0References3
Rows per page
Query Builder