CVE-2024-10145 Hubbub Lite < 1.34.4 - Admin+ Stored XSS
The Hubbub Lite WordPress plugin before 1.34.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2024-10143
CVE-2024-10143 affects the MB Custom Post Types & Custom Taxonomies WordPress plugin, prior to version 2.7.7. The issue arises from inadequate sanitisation/escapes of certain settings, enabling Stored Cross-Site Scripting by high-privilege users (e.g., admins) even when unfiltered_html is disallo...
PT-2025-21477 · WordPress · Cm Tooltip Glossary
Name of the Vulnerable Software and Affected Versions: CM Tooltip Glossary WordPress plugin version prior to 4.3.4 Description: The issue concerns the CM Tooltip Glossary WordPress plugin, which does not properly sanitize and escape some of its settings. This could allow high-privilege users, suc...
PT-2025-21399 · WordPress · Rbs Image Gallery
Name of the Vulnerable Software and Affected Versions: Rbs Image Gallery WordPress plugin versions prior to 3.2.22 Description: The issue concerns the Rbs Image Gallery WordPress plugin, where some settings are not properly sanitized and escaped, potentially allowing high-privilege users, such as...
PT-2025-21455 · WordPress · Hd Quiz
Name of the Vulnerable Software and Affected Versions: HD Quiz WordPress plugin version prior to 2.0.0 Description: The issue concerns the HD Quiz WordPress plugin, where versions prior to 2.0.0 do not properly sanitise and escape some of its settings. This could allow high privilege users, such ...
CVE-2025-3583 Newsletter < 8.7.1 - Admin+ Stored XSS
The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2024-13381 Calculated Fields Form < 5.2.62 - Admin+ Stored XSS
The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2024-13381
CVE-2024-13381 affects the WordPress plugin Calculated Fields Form. The issue is that settings are not properly sanitised/escaped, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disabled. The vulnerability is tied to versions before 5.2.62. Remediation: up...
CVE-2024-9771
The WP-Recall WordPress plugin before 16.26.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2025-0627
The WordPress Tag, Category, and Taxonomy Manager WordPress plugin before 3.30.0 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for...
CVE-2025-0627 AI Autotagger < 3.30.0 - Admin+ Stored XSS
The WordPress Tag, Category, and Taxonomy Manager WordPress plugin before 3.30.0 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for...
CVE-2024-9771 WP-Recall < 16.26.12 - Admin+ Stored XSS
The WP-Recall WordPress plugin before 16.26.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2024-10680
The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2025-1453
The Category Posts Widget WordPress plugin before 4.9.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2025-2162
The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2025-1525
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2024-11924
The Icegram Express (formerly known as Email Subscribers) WordPress plugin before 5.7.52 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for...
CVE-2024-11924 Email Subscribers < 5.7.52 - Admin+ Stored XSS
The Icegram Express (formerly known as Email Subscribers) WordPress plugin before 5.7.52 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for...