CVE-2013-7481

The contact-form-plugin plugin before 3.3.5 for WordPress has XSS...

CVE-2013-6280

Cross-site scripting XSS vulnerability in Social Sharing Toolkit plugin before 2.1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

CVE-2022-27204

A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a86c and earlier allows attackers to connect to an attacker-specified URL...

CVE-2022-27209

A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...

CVE-2019-16902

In the ARforms plugin 3.7.1 for WordPress, arfdeletefile in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname...

CVE-2019-16524

The easy-fancybox plugin before 1.8.18 for WordPress aka Easy FancyBox is susceptible to Stored XSS in the Settings Menu inc/class-easyfancybox.php due to improper encoding of arbitrarily submitted settings parameters. This occurs because there is no inline styles output filter...

CVE-2019-16551

A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials...

CVE-2024-2216

A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting futu...

CVE-2024-2263

Themify WordPress plugin before 1.4.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2024-2430

The Website Content in Page or Post WordPress plugin before 2024.04.09 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...

CVE-2024-2376

The WPQA Builder WordPress plugin before 6.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

CVE-2024-2101

The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the...

CVE-2024-2118

The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for...

CVE-2025-1063

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcltaxonomysettingsexport function. This makes it possible for unauthenticated attackers to extract sensiti...

CVE-2025-1441

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wprfilterwooproducts' function. This makes it possible for unauthenticated attacke...

CVE-2025-1973

The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the downloadfile function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrar...

CVE-2025-1766

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'paymentcomplete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated...

CVE-2025-1456

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widgetGrid, widgetCountDown, and widgetInstagramFeed methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it...

CVE-2025-1690

The ThemeMakers Stripe Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'stripe' shortcode in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-1663

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...