CVE-2024-13851

The Modal Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject...

PT-2025-9072 · WordPress · Modal Portfolio

Name of the Vulnerable Software and Affected Versions: Modal Portfolio plugin for WordPress versions up to, and including, 1.7.4.2 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with...

PT-2025-8689 · WordPress · Quiz Organizer

Name of the Vulnerable Software and Affected Versions: Quiz Organizer plugin for WordPress versions up to and including 2.9.1 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with...

CVE-2024-10545

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.9 does not sanitise and escape some of its Image settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-13605

The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2025-7703 · WordPress · The Form Maker

Name of the Vulnerable Software and Affected Versions: The Form Maker by 10Web WordPress plugin versions prior to 1.15.33 Description: The issue allows high privilege users, such as admin, to perform Stored Cross-Site Scripting attacks even when the unfiltered html capability is disallowed, for...

CVE-2024-13900

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments...

CVE-2024-13314

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-13900

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments...

CVE-2024-13900

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments...

CVE-2024-13900 Head, Footer and Post Injections <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments...

CVE-2024-13900 Head, Footer and Post Injections <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments...

CVE-2024-13314

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-13314 Carousel, Slider, Gallery by WP Carousel < 2.7.4 - Admin+ Stored XSS

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-13314

CVE-2024-13314 affects the WordPress plugin “Carousel, Slider, Gallery by WP Carousel” (pre-2.7.4). The issue is insufficient sanitization/escaping of settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed. Public details show mitigation by up...

PT-2025-7369 · WordPress · Ajax Search Lite

Name of the Vulnerable Software and Affected Versions: Ajax Search Lite WordPress plugin version 4.12.4 and earlier Description: The issue concerns the Ajax Search Lite WordPress plugin, which does not properly sanitize and escape some of its settings. This could allow high-privilege users, such ...

PT-2025-7404 · WordPress · Head

Name of the Vulnerable Software and Affected Versions: Head, Footer and Post Injections plugin for WordPress versions up to, and including, 3.3.0 Description: The issue allows authenticated attackers with Administrator-level access and above to inject PHP code in multisite environments...

WordPress plugin Head, Footer and Post Injections 代码注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A code injection vulnerability exists in th...

WordPress Head, Footer and Post Injections plugin <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments vulnerability

Authenticated Administrator+ PHP Code Injection in Multisite Environments vulnerability discovered by Francesco Carlucci in WordPress Plugin Head, Footer and Post Injections versions = 3.3.0...

PT-2025-7396 · WordPress · Cookie Notice Bar

Name of the Vulnerable Software and Affected Versions: Cookie Notice Bar plugin for WordPress version 1.3.0 and earlier Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with...