14 matches found

EUVD
added 2026/05/18 6:00 a.m. · 4 views

EUVD-2026-30732

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks...

CVSS 7.5 · AI score 5.8 · EPSS 0.00015
Exploits 0 · References 1
Github Security Blog
added 2026/05/07 12:4 a.m. · 5 views

Weblate vulnerable to XSS via crafted Markdown

Impact: The Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. Patches: https://github.com/WeblateOrg/weblate/pull/19259 Workarounds: Even though the attacker might be able to inject code into the HTML, Weblate's strict CSP should...

CVSS 4.3 · AI score 5.8 · EPSS 0.00011
Exploits 0 · References 6 · Affected Software 1
OSV
added 2025/10/17 7:15 p.m. · 2 views

CVE-2025-34281

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...

CVSS 5.4 · AI score 5.6 · EPSS 0.00032
Exploits 0 · References 3
Github Security Blog
added 2025/09/22 9:51 p.m. · 5 views

DNN affected by Stored Cross-Site Scripting (XSS) in Profile Biography field

Summary: Users can use special syntax to inject JavaScript code in their profile biography field. Although there was sanitization in place, it did not cover all possible scenarios. Description: When embedding information in the Biography field, even if that field is not rich-text, users could inject...

CVSS 6.3 · AI score 6.8 · EPSS 0.00027
Exploits 0 · References 3 · Affected Software 1
CVE
added 2025/08/19 3:39 a.m. · 15 views

CVE-2025-7496

CVE-2025-7496 describes a DOM-based Stored XSS vulnerability in the WordPress plugin WPC Smart Compare for WooCommerce, affecting all versions up to 6.4.7. Exploitation requires authenticated access at Contributor level or higher, enabling injection of scripts that run when users load injected pa...

CVSS 6.4 · AI score 5.6 · EPSS 0.00053
Exploits 0 · References 2
Positive Technologies
added 2025/08/12 12:00 a.m. · 1 view

PT-2025-32621 · WordPress · Inline Stock Quotes

Name of the Vulnerable Software and Affected Versions: Inline Stock Quotes plugin for WordPress versions up to and including 0.2
Description: The Inline Stock Quotes plugin for WordPress is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 6.2 · EPSS 0.00057
Exploits 0 · References 8
NVD
added 2025/08/09 2:15 p.m. · 3 views

CVE-2025-7726

The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme's JavaScript reads user-supplied 'title' and 'data-dt-img-description'...

CVSS 6.4 · EPSS 0.00072
Exploits 0 · References 4
Positive Technologies
added 2025/01/30 12:00 a.m. · 1 view

PT-2025-2143 · WordPress · Alex Reservations

Name of the Vulnerable Software and Affected Versions: Alex Reservations: Smart Restaurant Booking plugin for WordPress versions up to, and including, 2.0.5
Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'rr form' shortcode due to insufficient input sanitization...

CVSS 6.4 · AI score 7.9 · EPSS 0.00132
Exploits 0 · References 7
Positive Technologies
added 2024/07/27 12:00 a.m. · 1 view

PT-2024-37642 · WordPress · Woocommerce Product Table Lite

Name of the Vulnerable Software and Affected Versions: WooCommerce Product Table Lite plugin for WordPress versions up to, and including, 3.5.1
Description: The issue allows authenticated attackers with subscriber access and above to modify post titles of arbitrary posts due to a missing capabili...

CVSS 6.4 · AI score 6.1 · EPSS 0.00281
Exploits 0 · References 7
Positive Technologies
added 2024/07/12 12:00 a.m. · 1 view

PT-2024-21374 · WordPress · Watu Quiz

Name of the Vulnerable Software and Affected Versions: Watu Quiz WordPress plugin versions prior to 3.4.1.2
Description: The issue allows users, such as authors authorized by admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, due to the...

CVSS 6.8 · AI score 6.2 · EPSS 0.00377
Exploits 1 · References 6
OSV
added 2024/06/15 2:15 a.m. · 0 views

CVE-2024-3814

The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 4.8 · AI score 6 · EPSS 0.00246
Exploits 0 · References 2
Positive Technologies
added 2024/05/23 12:00 a.m. · 2 views

PT-2024-26791 · WordPress · Idonate

Name of the Vulnerable Software and Affected Versions: IDonate WordPress plugin versions 1.9.0 and earlier
Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a...

CVSS 8.7 · AI score 5.5 · EPSS 0.00995
Exploits 2 · References 3
RedHat Linux
added 2023/01/23 10:3 a.m. · 4 views

Mozilla: Malicious command could be hidden in devtools output

The Mozilla Foundation Security Advisory describes this flaw as: When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within...

CVSS 6.5 · AI score 7.4 · EPSS 0.00142
Exploits 0 · References 6
OSV
added 2022/12/12 6:15 p.m. · 1 view

CVE-2022-3609

The GetYourGuide Ticketing WordPress plugin before 1.0.4 does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 4.8 · AI score 5.8
Exploits 0 · References 1