40 matches found
CVE-2025-12019
CVE-2025-12019 affects the WordPress Featured Image plugin (versions up to 2.1). It is a Stored XSS via image metadata, requiring an authenticated attacker with administrator+ privileges, and applies to multi-site setups or sites with unfiltered_html disabled. The Wordfence report confirms the vu...
CVE-2025-12520
The WP Airbnb Review Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2 due to insufficient URL validation that allows users to pull in a malicious HTML file. This makes it possible for authenticated attackers, wit...
PT-2025-44701
Name of the Vulnerable Software and Affected Versions CSS & JavaScript Toolbox versions prior to 12.0.6 Description The CSS & JavaScript Toolbox plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allows...
CVE-2025-12034 Fast Velocity Minify <= 3.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting
The Fast Velocity Minify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2025-10053
The TableGen – Data Table Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-9372
CVE-2025-9372 documents a stored XSS vulnerability in WordPress plugin Ultimate Multi Design Video Carousel (versions ≤ 1.4) caused by insufficient input sanitization and output escaping. Exploitation requires authenticated access at editor level and affects multi-site installations or sites wher...
CVE-2025-5490
The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...
CVE-2023-0087
The Swifty Page Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘spmpluginoptionspagetreemaxwidth’ parameter in versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...
PT-2024-39560 · WordPress · Wp Booking Calendar
Name of the Vulnerable Software and Affected Versions: WP Booking Calendar plugin for WordPress versions up to, and including, 10.6 Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows...
PT-2024-38455 · Peepso · The Community By Peepso
Name of the Vulnerable Software and Affected Versions: The Community by PeepSo plugin for WordPress versions up to, and including, 6.4.5.0 Description: The issue is related to Stored Cross-Site Scripting via the content parameter due to insufficient input sanitization and output escaping. This...
CVE-2024-6692
The Easy Digital Downloads – Sell Digital Files & Subscriptions eCommerce Store + Payments Made Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escapin...
PT-2024-22444 · WordPress · Visual Footer Credit Remover
Name of the Vulnerable Software and Affected Versions: Visual Footer Credit Remover plugin for WordPress versions up to, and including, 2 Description: The issue allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages via the selector parameter due t...
CVE-2024-2296
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.8.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
PT-2024-15569 · WordPress · Artibot Free Chat Bot For Wordpress Websites
Name of the Vulnerable Software and Affected Versions: ArtiBot Free Chat Bot for WordPress WebSites plugin for WordPress versions up to, and including, 1.1.6 Description: The issue allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pag...
CVE-2023-6446
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2023-5606
The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions 4.8.6 through 4.9.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject...
CVE-2023-3369
The About Me 3000 widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...
CVE-2023-2450
The FiboSearch - AJAX Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.23.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2023-1470
The eCommerce Product Catalog plugin for WordPress is vulnerable to Stored Cross-Site Scripting via some of its settings parameters in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2021-39332
The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This...