EUVD-2026-30732
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks...
Weblate vulnerable to XSS via crafted Markdown
Impact: The Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. Patches: https://github.com/WeblateOrg/weblate/pull/19259 Workarounds: Even though the attacker might be able to inject code into the HTML, Weblate's strict CSP should...
CVE-2025-34281
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...
DNN affected by Stored Cross-Site Scripting (XSS) in Profile Biography field
Summary: Users can use special syntax to inject JavaScript code into their profile biography field. Although there was sanitization in place, it did not cover all possible scenarios. Description: When embedding information in the Biography field, even if that field is not rich-text, users could inject...
CVE-2025-7496
CVE-2025-7496 describes a DOM-based Stored XSS vulnerability in the WordPress plugin WPC Smart Compare for WooCommerce, affecting all versions up to 6.4.7. Exploitation requires authenticated access at Contributor level or higher, enabling injection of scripts that run when users load injected pa...
PT-2025-32621 · WordPress · Inline Stock Quotes
Name of the Vulnerable Software and Affected Versions: Inline Stock Quotes plugin for WordPress versions up to and including 0.2 Description: The Inline Stock Quotes plugin for WordPress is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on...
CVE-2025-7726
The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description'...
A vulnerability in the Command Execution function of the File Browser file manager (used to manage files and directories) allows an attacker to read and modify files.
The vulnerability in the Command Execution function of the File Browser file manager is caused by insufficient sanitization of user-supplied data. Exploiting this vulnerability can allow a remote attacker to gain access to read and modify files...
PT-2025-2143 · WordPress · Alex Reservations
Name of the Vulnerable Software and Affected Versions: Alex Reservations: Smart Restaurant Booking plugin for WordPress versions up to, and including, 2.0.5 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'rr form' shortcode due to insufficient input sanitization...
PT-2024-37642 · WordPress · Woocommerce Product Table Lite
Name of the Vulnerable Software and Affected Versions: WooCommerce Product Table Lite plugin for WordPress versions up to, and including, 3.5.1 Description: The issue allows authenticated attackers with subscriber access and above to modify post titles of arbitrary posts due to a missing capabili...
PT-2024-21374 · WordPress · Watu Quiz
Name of the Vulnerable Software and Affected Versions: Watu Quiz WordPress plugin versions prior to 3.4.1.2 Description: The issue allows users, such as authors authorized by admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, due to the...
CVE-2024-3814
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2024-26791 · WordPress · Idonate
Name of the Vulnerable Software and Affected Versions: IDonate WordPress plugin versions 1.9.0 and earlier Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, for example, in a...
A vulnerability in the web interface of the Aruba EdgeConnect Enterprise network management platform allows an attacker to execute arbitrary code.
The vulnerability in the web management interface of the Aruba EdgeConnect Enterprise network management platform exists because special elements are not properly neutralized. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
A vulnerability in the firmware of the D-LINK GO-RT-AC750 router, caused by improper neutralization of special elements, allows an attacker to execute arbitrary commands.
The vulnerability in the D-LINK GO-RT-AC750 router's firmware is caused by improper neutralization of special elements. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands via the genacgimain parameter...
A vulnerability in the Honeywell OneWireless Wireless Device Manager (WDM), caused by insufficient sanitization of user-supplied data, allows attackers to execute arbitrary commands.
The vulnerability in the Honeywell OneWireless Wireless Device Manager (WDM) is caused by insufficient sanitization of user-supplied data. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands...
A vulnerability in the Delta Electronics InfraSuite Device Master real-time device monitoring software, caused by insufficient sanitization of user-supplied data, allows an attacker to execute arbitrary code.
The vulnerability in the Delta Electronics InfraSuite Device Master real-time device monitoring software is caused by insufficient sanitization of user-supplied data. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
A vulnerability in the command-line interface of ArubaOS allows an attacker to execute arbitrary commands.
The vulnerability in the ArubaOS command-line interface exists because special elements used in operating system commands are not neutralized. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands using specially crafted arguments remote...
Mozilla: Malicious command could be hidden in devtools output
The Mozilla Foundation Security Advisory describes this flaw as: When copying a network request from the developer tools panel as a curl command, the output was not being properly sanitized and could allow arbitrary commands to be hidden within...
CVE-2022-3609
The GetYourGuide Ticketing WordPress plugin before 1.0.4 does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...