WordPress King Addons for Elementor plugin <= 51.1.38 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by Webbernaut in WordPress Plugin King Addons for Elementor versions = 51.1.53...

WordPress Elementor Addon Elements plugin <= 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by Webbernaut in WordPress Plugin Elementor Addon Elements versions = 1.13.6...

WordPress Ultimate Blocks plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin Ultimate Blocks versions = 3.3.3...

CVE-2025-8360 LA-Studio Element Kit for Elementor <= 1.5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's widgets in all versions up to, and including, 1.5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

PT-2025-34962

Name of the Vulnerable Software and Affected Versions: Unlimited Elements For Elementor plugin for WordPress versions prior to 1.5.149 Description: The Unlimited Elements For Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting through multiple widgets. Insufficient input...

CVE-2025-8567

The Nexter Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

CVE-2025-8567 Nexter Blocks <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The Nexter Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

CVE-2025-8874

The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output...

CVE-2025-2918 Ultimate Blocks – WordPress Blocks Plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

WordPress HT Mega plugin <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by zer0gh0st in WordPress Plugin HT Mega versions = 2.8.3...

WordPress Master Addons plugin <= 2.0.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by Webbernaut in WordPress Plugin Master Addons for Elementor versions = 2.0.7.2...

WordPress Divi Torque Lite plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by Webbernaut in WordPress Plugin DiviTorque – Divi Theme, Divi Builder and Extra Theme versions = 4.1.0...

WordPress Avada Builder plugin <= 3.11.11 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting in Multiple Widgets vulnerability discovered by Webbernaut in WordPress Plugin Fusion Builder versions = 3.11.11...

CVE-2025-0371

CVE-2025-0371 concerns the WordPress JetElements plugin, with stored cross-site scripting in multiple widgets in all versions up to 2.7.2.1. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, enabling an authenticated attacker (contributor level or ...

WordPress CMSMasters Elementor Addon plugin <= 1.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by István Márton in WordPress Plugin CMSMasters Elementor Addon versions = 1.14.7...

WordPress UltraAddons Elementor Lite plugin <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by stealthcopter in WordPress Plugin UltraAddons Elementor Lite versions = 1.1.6...

WordPress HT Mega – Absolute Addons For Elementor plugin <= 2.5.5 - Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability

Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by stealthcopter in WordPress Plugin HT Mega versions = 2.5.5...

Wordpress CoDesigner plugin <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by stealthcopter in WordPress Plugin CoDesigner versions = 4.4.1...

WordPress Events Addon for Elementor plugin <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by stealthcopter in WordPress Plugin Events Addon for Elementor versions = 2.1.4...

Hash Elements < 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter in Multiple Widgets

Description The Hash Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within multiple widgets in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...