1375 matches found
CVE-2026-2289 Taskbuilder <= 5.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Block Emails' Field
The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2026-2289
The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2026-2499
The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2026-2498 WP Social Meta <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings
The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...
CVE-2026-2282
The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2025-13727
The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
CVE-2026-1055
The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2026-1044 Tennis Court Bookings <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings and Calendar Parameters
The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2026-1044 Tennis Court Bookings <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings and Calendar Parameters
The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2026-2282 Slidorion <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Slidorion Settings
The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
PT-2026-20794
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
PT-2026-20635
Name of the Vulnerable Software and Affected Versions TalkJS plugin for WordPress versions prior to 0.1.16 Description The TalkJS plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticated...
CVE-2025-13727 Video Share VOD <= 2.7.11 - Authenticated (Editor+) Stored Cross-Site Scripting via Custom Field Meta Values
The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
CVE-2026-1943
CVE-2026-1943 concerns the WordPress plugin YayMail – WooCommerce Email Customizer (versions
CVE-2026-1943
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop...
CVE-2026-0735
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-0735
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-0693
The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the wpksesdata output filter for termdescription, linkdescription,...
CVE-2025-15483
CVE-2025-15483 concerns the WordPress plugin Link Hopper (versions ≤ 2.5). It permits Stored XSS via the hop_name parameter. Exploitation requires authenticated admin access and is limited to multi-site installations or sites where unfiltered_html is disabled. The provided documents confirm the v...
CVE-2026-0693 Allow HTML in Category Descriptions <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions
The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the wpksesdata output filter for termdescription, linkdescription,...