911 matches found

Vulnrichment
added 2025/05/15 8:7 p.m. | 6 views

CVE-2025-1289 Plugin Oficial – Getnet para WooCommerce <= 1.7.3 - Admin+ Stored XSS

The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score 4.7 | EPSS 0.00166
Exploits: 1 | References: 1
CVE
added 2025/05/15 8:7 p.m. | 35 views

CVE-2025-0329

The CVE-2025-0329 entry concerns the AI ChatBot for WordPress (WPBot) plugin for WordPress, affected versions prior to 6.2.4. The root cause is insufficient sanitization and escaping of certain settings, which could enable stored cross-site scripting (XSS) by high-privilege users (e.g., admins), ...

CVSS 4.8 | AI score 5.8 | EPSS 0.00166
Exploits: 1 | References: 1 | Affected Software: 1
CVE
added 2025/05/15 8:7 p.m. | 21 views

CVE-2024-9882

The CVE applies to the WordPress plugin Salon Booking System (versions prior to 1.9.4). Root cause: insufficient sanitisation/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisite setups). Impact: sto...

CVSS 4.8 | AI score 5.7 | EPSS 0.00236
Exploits: 1 | References: 1 | Affected Software: 1
Cvelist
added 2025/05/15 8:7 p.m. | 7 views

CVE-2024-8493 The Events Calendar < 6.6.4 - Admin+ Stored XSS

The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

EPSS 0.00267
Exploits: 1 | References: 1
CVE
added 2025/05/15 8:7 p.m. | 24 views

CVE-2024-8618

The CVE-2024-8618 entry concerns the Page Builder: Pagelayer WordPress plugin. The vulnerability affects versions prior to 1.9.0 and stems from insufficient sanitisation/escaping of certain settings, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowe...

CVSS 4.8 | AI score 5.7 | EPSS 0.00166
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/05/15 8:7 p.m. | 5 views

CVE-2024-8187 Smart Post Show <= 3.0.0 - Editor+ Stored XSS

The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score 5.8 | EPSS 0.0023
Exploits: 1 | References: 1
CVE
added 2025/05/15 8:7 p.m. | 32 views

CVE-2024-7556

CVE-2024-7556 affects the WordPress Simple Share plugin (

CVSS 4.8 | AI score 5.4 | EPSS 0.00236
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/05/15 8:7 p.m. | 2 views

CVE-2024-6713 PVN Auth Popup <= 1.0.0 - Admin+ Stored XSS

The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score 5 | EPSS 0.00556
Exploits: 1 | References: 1
CVE
added 2025/05/15 8:7 p.m. | 21 views

CVE-2024-6693

CVE-2024-6693 affects the wccp-pro WordPress plugin. Versions prior to 15.3 do not sanitize/escape certain settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (e.g., multisite). The impact is Stored XSS within admin-facing content/configs; ...

CVSS 4.8 | AI score 5.7 | EPSS 0.00454
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/05/15 8:7 p.m. | 6 views

CVE-2024-6665 kbucket < 4.1.6 - Admin+ Stored XSS

The KBucket: Your Curated Content in WordPress plugin before 4.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite...

AI score 5.8 | EPSS 0.00236
Exploits: 1 | References: 1
Vulnrichment
added 2025/05/15 8:7 p.m. | 5 views

CVE-2024-5026 CM Tooltip Glossary < 4.3.4 - Admin+ Stored XSS

The CM Tooltip Glossary WordPress plugin before 4.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score 5 | EPSS 0.00166
Exploits: 1 | References: 1
Cvelist
added 2025/05/15 8:7 p.m. | 11 views

CVE-2024-13730 Podlove Podcast Publisher < 4.2.1 - Admin+ Stored XSS

The Podlove Podcast Publisher WordPress plugin before 4.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

EPSS 0.00166
Exploits: 1 | References: 1
Vulnrichment
added 2025/05/15 8:7 p.m. | 10 views

CVE-2024-13730 Podlove Podcast Publisher < 4.2.1 - Admin+ Stored XSS

The Podlove Podcast Publisher WordPress plugin before 4.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score 5 | EPSS 0.00166
Exploits: 1 | References: 1
Cvelist
added 2025/05/15 8:7 p.m. | 14 views

CVE-2024-13482 Icegram Engage < 3.1.32 - Admin+ Stored XSS

The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

EPSS 0.00175
Exploits: 1 | References: 1
CVE
added 2025/05/15 8:7 p.m. | 26 views

CVE-2024-13382

CVE-2024-13382 – Calculated Fields Form (WordPress) is a stored XSS vulnerability in versions before 5.2.64 caused by insufficient sanitization/escaping of certain settings. Exploitation requires authenticated admin-level access (Admin+), and can occur even when unfiltered_html is disallowed (e.g...

CVSS 4.8 | AI score 5.7 | EPSS 0.00253
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/05/15 8:6 p.m. | 7 views

CVE-2024-13313 AWeber <= 7.3.20 - Admin+ Stored XSS

The AWeber WordPress plugin through 7.3.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score 4.7 | EPSS 0.00166
Exploits: 1 | References: 1
Cvelist
added 2025/05/15 8:6 p.m. | 9 views

CVE-2024-13313 AWeber <= 7.3.20 - Admin+ Stored XSS

The AWeber WordPress plugin through 7.3.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

EPSS 0.00166
Exploits: 1 | References: 1
Vulnrichment
added 2025/05/15 8:6 p.m. | 6 views

CVE-2024-11221 Full Screen (Page) Background Image Slideshow <= 1.1 - Admin+ Stored XSS

The Full Screen Page Background Image Slideshow WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in...

AI score 4.7 | EPSS 0.00048
Exploits: 1 | References: 1
Cvelist
added 2025/05/15 8:6 p.m. | 6 views

CVE-2024-11221 Full Screen (Page) Background Image Slideshow <= 1.1 - Admin+ Stored XSS

The Full Screen Page Background Image Slideshow WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in...

EPSS 0.00048
Exploits: 1 | References: 1
CVE
added 2025/05/15 8:6 p.m. | 20 views

CVE-2024-11109

The WP Google Review Slider WordPress plugin before version 15.6 does not sanitize and escape some settings, allowing high-privilege users (e.g., admins) to perform Stored Cross-Site Scripting even when unfiltered_html is disallowed (including multisite setups). Affected component: plugin setting...

CVSS 4.8 | AI score 5.4 | EPSS 0.00166
Exploits: 1 | References: 1 | Affected Software: 1