358 matches found

NVD
added 2026/05/29 7:16 a.m. (11 views)

CVE-2026-6275

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags function. The function is hooked to wp_head...

CVSS 6.4 | EPSS 0.0004
Exploits 0 | References 6
ATTACKERKB
added 2026/05/29 5:32 a.m. (6 views)

CVE-2026-6275

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags function. The function is hooked to wp_head...

CVSS 6.4 | AI score 5.8 | EPSS 0.0004
Exploits 0 | References 7
CVE
added 2026/05/29 5:32 a.m. (8 views)

CVE-2026-6275

CVE-2026-6275: The StatCounter – Free Real Time Visitor Stats WordPress plugin is vulnerable in versions up to 2.1.1 due to insufficient output escaping in the statcounter_addToTags() function, which is hooked to wp_head. It retrieves the post author's nickname with the_author_meta() and echoes ...

CVSS 6.4 | AI score 6 | EPSS 0.0004
Exploits 0 | References 6
Cvelist
added 2026/05/29 5:32 a.m. (32 views)

CVE-2026-6275 StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags function. The function is hooked to wp_head...

CVSS 6.4 | EPSS 0.0004
Exploits 0 | References 6
Vulnrichment
added 2026/05/29 5:32 a.m. (5 views)

CVE-2026-6275 StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags function. The function is hooked to wp_head...

CVSS 6.4 | AI score 6 | EPSS 0.0004
Exploits 0 | References 6
CNNVD
added 2026/05/29 12:00 a.m. (5 views)

WordPress plugin StatCounter cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 6.4 | AI score 5.8 | EPSS 0.0004
Exploits 0 | References 6
Positive Technologies
added 2026/05/29 12:00 a.m. (6 views)

PT-2026-44751

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags function. The function is hooked to wp_he...

CVSS 6.4 | AI score 6 | EPSS 0.0004
Exploits 0 | References 7
RedhatCVE
added 2026/03/27 2:24 p.m. (2 views)

CVE-2021-27559

The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field...

CVSS 5.4 | AI score 5.6 | EPSS 0.00191
Exploits 1 | References 1
SUSE CVE
added 2026/03/11 5:29 p.m. (1 view)

SUSE CVE-2025-13821

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages, which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID:...

CVSS 5.7 | AI score 5.8 | EPSS 0.00044
Exploits 0 | References 3
RedhatCVE
added 2026/03/11 7:08 a.m. (1 view)

CVE-2026-30913

Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting...

CVSS 4.6 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 1
Snyk
added 2026/03/10 12:56 a.m. (1 view)

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the notification email process. An attacker can mislead recipients into visiting attacker-controlled domains by setting a specially crafted nickname that is rendered as a clickable link in notification email...

CVSS 5.1 | AI score 5.5 | EPSS 0.00039
Exploits 0 | References 2
OSV
added 2026/03/09 10:42 p.m. (1 view)

CVE-2026-30913 flarum/nickname: Display name injection in notification emails (autolink & markdown)

Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting...

CVSS 4.6 | AI score 5.7 | EPSS 0.00039
Exploits 0 | References 5
ATTACKERKB
added 2026/03/09 10:42 p.m. (2 views)

CVE-2026-30913

Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting...

CVSS 4.6 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 4 | Affected Software 1
Vulnrichment
added 2026/03/09 10:42 p.m. (1 view)

CVE-2026-30913 flarum/nickname: Display name injection in notification emails (autolink & markdown)

Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting...

CVSS 4.6 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 3
CVE
added 2026/03/09 10:42 p.m. (5 views)

CVE-2026-30913

The CVE concerns Flarum with the nicknames extension enabled. A user's nickname is inserted verbatim into plain-text notification emails, allowing email clients to render it as a hyperlink. This can mislead recipients into visiting attacker-controlled domains. The issue is tied to nickname handli...

CVSS 4.6 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 3
Positive Technologies
added 2026/03/09 12:00 a.m. (2 views)

PT-2026-24146

Name of the Vulnerable Software and Affected Versions: Flarum, affected versions not specified. Description: The Flarum forum software, when used with the flarum/nicknames extension, allows a registered user to set a nickname that email clients may interpret as a hyperlink. This nickname is directly...

CVSS 4.6 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 7
RedhatCVE
added 2026/02/20 7:22 a.m. (3 views)

CVE-2025-13048

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | AI score 5.7 | EPSS 0.00043
Exploits 0 | References 1
NVD
added 2026/02/19 7:17 a.m. (3 views)

CVE-2025-13048

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | EPSS 0.00043
Exploits 0 | References 3
CVE
added 2026/02/19 3:25 a.m. (12 views)

CVE-2025-13048

CVE-2025-13048 affects the StatCounter – Free Real Time Visitor Stats WordPress plugin. It is a Stored XSS via the Nickname field in versions up to 2.1.0, exploitable by authenticated attackers with Contributor-level access. The Wordfence and related sources in the Connected documents indicate re...

CVSS 6.4 | AI score 5.7 | EPSS 0.00043
Exploits 0 | References 3
Cvelist
added 2026/02/19 3:25 a.m. (25 views)

CVE-2025-13048 Official StatCounter Plugin <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nickname

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | EPSS 0.00043
Exploits 0 | References 3