EUVD-2021-34815

Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edituser endpoint, which execute in th...

PT-2025-51859

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input...

EUVD-2025-201710

In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting XSS. On the backend, the relatedvulnerabilities field of bundles accepted arbitrary strings without format validation or proper...

HackerOne: Residual Malicious Payloads on HackerOne after Vulnerability Fixes

A vulnerability was previously discovered on the HackerOne platform that allowed users to add malicious payloads to their profile pages. Despite remediation efforts, some of these malicious payloads were not fully removed from user profiles. This situation meant that the malicious content could...

CVE-2023-7125

The Community by PeepSo WordPress plugin before 6.3.1.2 does not have CSRF check when creating a user post visible on their wall in their profile page, which could allow attackers to make logged in users perform such action via a CSRF attack...