117 matches found

Vulnrichment
added 2025/06/17 3:01 p.m. | 2 views

CVE-2025-49266 WordPress Ultimate Reviews plugin <= 3.2.14 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Rustaurius Ultimate Reviews allows Reflected XSS. This issue affects Ultimate Reviews: from n/a through 3.2.14...

CVSS 7.1 | AI score 6.9 | EPSS 0.00291
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 10:35 a.m. | 7 views

CVE-2024-9169

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

CVSS 5.5 | AI score 5.8 | EPSS 0.00258
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 10:22 a.m. | 4 views

CVE-2024-5081

The wp-eMember WordPress plugin before v10.7.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...

CVSS 6.1 | AI score 5.8 | EPSS 0.00177
Exploits: 1

RedhatCVE
added 2025/05/23 8:28 a.m. | 3 views

CVE-2024-5997

The Duplica – Duplicate Posts, Pages, Custom Posts or Users plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicateuser and duplicatepost functions in all versions up to, and including, 0.6. This makes it possible for authenticate...

CVSS 4.3 | AI score 6.5 | EPSS 0.00365
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 3:21 a.m. | 5 views

CVE-2023-24445

Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins...

CVSS 6.1 | AI score 6.6 | EPSS 0.00657
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 12:31 a.m. | 5 views

CVE-2022-4657

The Restaurant Menu WordPress plugin before 2.3.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 5.4 | AI score 5.9 | EPSS 0.00667
Exploits: 2 | References: 1

RedhatCVE
added 2025/05/22 6:21 p.m. | 6 views

CVE-2021-24572

The Accept Donations with PayPal WordPress plugin before 1.3.1 provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could...

CVSS 4.3 | AI score 6.6 | EPSS 0.00453
Exploits: 2 | References: 1

Vulnrichment
added 2025/05/15 8:06 p.m. | 7 views

CVE-2024-10075 Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and block...

AI score 6.7 | EPSS 0.00334
Exploits: 1 | References: 1

CNNVD
added 2025/05/12 12:00 a.m. | 2 views

Vvveb security vulnerability

Vvveb is a powerful and easy-to-use CMS from Givan Personal Developers for building websites, blogs or e-commerce stores. A security vulnerability exists in Vvveb version v1.0.6, which stems from a flaw in the plugin mechanism that could lead to the execution of arbitrary code...

CVSS 9.8 | AI score 6.8 | EPSS 0.01021
Exploits: 1 | References: 4

NVD
added 2025/05/05 6:15 a.m. | 26 views

CVE-2025-3583

The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 4.8 | EPSS 0.00274
Exploits: 1 | References: 1

CVE
added 2025/04/01 2:52 p.m. | 48 views

CVE-2025-31861

CVE-2025-31861 is a stored XSS in the Perfect Font Awesome Integration WordPress plugin (affected up to 2.2). It stems from improper input neutralization during web page generation. Wordfence lists the vulnerability as patched; no exploits or fixed version are detailed in the provided documents.

CVSS 6.5 | AI score 7.2 | EPSS 0.00215
Exploits: 0 | References: 1

CNNVD
added 2025/04/01 12:00 a.m. | 3 views

WordPress plugin ShortPixel Adaptive Images security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 5.4 | AI score 6.4 | EPSS 0.00358
Exploits: 0 | References: 2

Cvelist
added 2025/03/11 4:21 a.m. | 16 views

CVE-2024-13413 ProductDyno <= 1.0.24 - Reflected Cross-Site Scripting via 'res' Parameter

The ProductDyno plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘res’ parameter in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...

CVSS 6.1 | EPSS 0.00308
Exploits: 0 | References: 4

Vulnrichment
added 2025/03/05 8:21 a.m. | 8 views

CVE-2024-8682 JNews - WordPress Newspaper Magazine Blog AMP Theme <= 11.6.6 - Unauthorized User Registration

The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the plugin not properly validating whether the "user can register" option is enabled prior to creating a user through the...

CVSS 5.3 | AI score 7 | EPSS 0.00258
Exploits: 1 | References: 2

CNNVD
added 2025/02/28 12:00 a.m. | 3 views

WordPress plugin Traveler security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

CVSS 8.8 | AI score 8.3 | EPSS 0.0068
Exploits: 0 | References: 4

RedhatCVE
added 2025/02/21 8:37 a.m. | 4 views

CVE-2024-12522

The Yay! Forms | Embed Custom Forms, Surveys, and Quizzes Easily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'yayforms' shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied...

CVSS 6.4 | AI score 5.8 | EPSS 0.00375
Exploits: 0 | References: 1

RedhatCVE
added 2025/02/06 1:48 a.m. | 6 views

CVE-2022-43642

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the YouTube plugin for the xupnpd service, which listens on TC...

CVSS 8.8 | AI score 7.1 | EPSS 0.00962
Exploits: 0 | References: 1

RedhatCVE
added 2025/02/06 1:43 a.m. | 5 views

CVE-2022-43645

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the IVI plugin for the xupnpd service, which listens on TCP po...

CVSS 8.8 | AI score 7.1 | EPSS 0.00962
Exploits: 0 | References: 1

RedhatCVE
added 2025/02/05 10:21 a.m. | 4 views

CVE-2024-12881

The PlugVersions – Easily rollback to previous versions of your plugins plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the eospluginreviewsrestoreversion function in all versions up to, and including, 0.0.7. This makes it possible for authenticat...

CVSS 8.8 | AI score 9.2 | EPSS 0.00404
Exploits: 0 | References: 1

NVD
added 2025/01/30 6:15 a.m. | 12 views

CVE-2024-12708

The Bulk Me Now! WordPress plugin through 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 7.1 | EPSS 0.00245
Exploits: 1 | References: 1