CVE-2025-15000
CVE-2025-15000 (Page Keys for WordPress) is a stored XSS in the Page Key parameter affecting Page Keys plugin versions
CVE-2025-14792
CVE-2025-14792: Key Figures (WordPress) plugin vulnerable to Stored XSS via kf_field_figure_default_color_render in all versions up to 1.1; affects multisite and sites with unfiltered_html disabled. Exploitation requires authenticated admin-level access; payloads execute when users visit the inje...
CVE-2025-14792 Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render
The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-14888 Simple User Meta Editor <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via User Meta Value Field
The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-14888
CVE-2025-14888: Simple User Meta Editor (WordPress) is vulnerable to stored XSS via the User Meta Value field in all versions up to 1.0.0, due to insufficient input sanitization and output escaping. This affects multisite setups and installations where unfiltered_html is disabled, enabling an au...
CVE-2025-14887 twinklesmtp – Email Service Provider For WordPress <= 1.03 - Authenticated (Administrator+) Stored Cross-Site Scripting via Sender Settings
The twinklesmtp – Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-14887
CVE-2025-14887 affects the twinklesmtp – Email Service Provider For WordPress plugin for WordPress. It is a Stored XSS via the plugin's sender settings in all versions up to 1.03, exploitable by authenticated attackers with administrator-level permissions and above. The vulnerability affects mult...
PT-2026-1612
Name of the Vulnerable Software and Affected Versions The Email Customizer for WooCommerce versions up to and including 2.6.7 Description The Email Customizer for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through email template content. Insufficient input...
PT-2026-1580
Name of the Vulnerable Software and Affected Versions Key Figures plugin for WordPress versions prior to 1.2 Description The Key Figures plugin for WordPress is susceptible to Stored Cross-Site Scripting through the kf_field_figure_default_color_render function. Insufficient input sanitization an...
PT-2026-1598
Name of the Vulnerable Software and Affected Versions Page Keys versions prior to 1.3.4 Description The Page Keys plugin for WordPress is susceptible to Stored Cross-Site Scripting through the page key parameter. Insufficient input sanitization and output escaping allow authenticated attackers wi...
PT-2026-1571
Name of the Vulnerable Software and Affected Versions Simple User Meta Editor versions prior to 1.0.1 Description The Simple User Meta Editor plugin for WordPress has a flaw that allows an attacker to inject malicious web scripts into pages viewed by users. This is due to a lack of proper...
PT-2026-1570
Name of the Vulnerable Software and Affected Versions twinklesmtp – Email Service Provider For WordPress plugin versions up to and including 1.03 Description The twinklesmtp – Email Service Provider For WordPress plugin for WordPress is susceptible to Stored Cross-Site Scripting through the...
EUVD-2026-0836
The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite...
CVE-2025-14509
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization...
CVE-2025-14509 Lucky Wheel for WooCommerce – Spin a Sale <= 1.1.13 - Authenticated (Administrator+) PHP Code Injection via Conditional Tags
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization...
EUVD-2025-205769
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization...
PT-2025-53921
Name of the Vulnerable Software and Affected Versions Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress versions up to and including 1.1.13 Description The software contains a PHP Code Injection issue stemming from the use of eval to process user-provided input from the 'Conditional...