3456 matches found
CVE-2026-2277 rexCrawler <= 1.0.15 - Reflected Cross-Site Scripting via 'url' and 'regex' Parameters
The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-2277
The rexCrawler WordPress plugin (up to version 1.0.15) is vulnerable to Reflected Cross-Site Scripting via the url and regex parameters on the search-pattern tester page. The issue arises from insufficient input sanitization and output escaping, allowing an unauthenticated attacker to inject scri...
CVE-2026-2277
The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for...
PT-2026-26801
The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above,...
PT-2026-26844
The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...
PT-2026-26804
The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...
PT-2026-26879
Name of the Vulnerable Software and Affected Versions The Review Map by RevuKangaroo plugin for WordPress versions prior to 1.8 Description The plugin is susceptible to Stored Cross-Site Scripting through insufficient input sanitization and output escaping in the plugin settings. This allows...
PT-2026-26853
The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
PT-2026-26828
The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add class' parameter in all versions up to, and including, 1.8.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
EUVD-2026-13637
The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2026-2432
The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2026-2432 CM Custom Reports <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels
The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2026-2432
CVE-2026-2432 affects CM Custom Reports – Flexible reporting to track what matters most, a WordPress plugin, with versions up to 1.2.7. The issue is stored cross-site scripting via admin settings/labels, exploitable by authenticated users with administrator-level permissions and above. Affected i...
CVE-2026-2432 CM Custom Reports <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels
The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
PT-2026-26585
Name of the Vulnerable Software and Affected Versions CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress versions through 1.2.7 Description The plugin is susceptible to Stored Cross-Site Scripting through admin settings due to inadequate input sanitization and...
BIT-WORDPRESS-MULTISITE-2026-3906 WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature block-level collaboration annotations was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API createitempermissionscheck method in...
EUVD-2026-11531
The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2026-2687
The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2026-2687 Reading progressbar < 1.3.1 - Admin+ Stored XSS
The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2026-2687
The CVE concerns the Reading progressbar WordPress plugin (pre-1.3.1) where settings are not properly sanitized/escaped, enabling Stored XSS by privileged users (e.g., admins) even when unfiltered_html is disallowed, such as in multisite installations. Affected version: plugin prior to 1.3.1. The...