Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...

EUVD-2022-55982

WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page setting...

CVE-2022-50961

WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page setting...

PT-2026-39486

WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page setting...

CVE-2026-4131 WP Responsive Popup + Optin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpo_image_url' Parameter

The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...

CVE-2025-12027

CVE-2025-12027 affects the WordPress plugin Mesmerize Companion up to version 1.6.158 . The vulnerability arises from a missing capability check in the functions openPageInCustomizer and openPageInDefaultEditor , allowing authenticated users with subscriber-level access and above on sites using t...

CVE-2026-1215

The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the mmacalltrackingmenu admin page. This makes it possible for unauthenticated attackers...

CVE-2025-1780

The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bpdeletepage function in all versions up to, and including, 3.4.25. This makes it possible for authenticated...

CVE-2025-67290

A stored cross-site scripting XSS vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field...

Cross-site Scripting (XSS)

Overview piranha is an a complete rewrite of Piranha CMS for .NET Core. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Excerpt field in the Page Settings module. An authenticated attacker can execute arbitrary web scripts or HTML by injecting a crafted payloa...

Piranha has stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting XSS vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field...

GHSA-FW48-7QF9-455M Piranha has stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting XSS vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field...

CVE-2025-67290

A stored cross-site scripting XSS vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field...

CVE-2025-67290

A stored cross-site scripting XSS vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field...

CVE-2025-67290

A stored cross-site scripting XSS vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field...

CVE-2025-67290

A stored cross-site scripting XSS vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field...

PT-2025-52684

Name of the Vulnerable Software and Affected Versions Piranha CMS version 12.1 Description A stored cross-site scripting XSS issue exists in the Page Settings module. This allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Excerpt field...

CVE-2025-67290

The CVE-2025-67290 issue is a stored XSS in Piranha CMS v12.1, specifically in the Page Settings Excerpt field. The vulnerability allows an attacker to inject arbitrary web scripts/HTML that are stored and later rendered to users, enabling script execution in the browser. Affected component: Page...

CVE-2024-58292

XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for...

CVE-2024-58292

XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for...