
7 matches found

Cvelist
added 2026/04/04 7:41 a.m. · 20 views

CVE-2026-0737 Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode. This makes it possib...

CVSS 6.4 · EPSS 0.00012
Exploits: 0 · References: 3
Positive Technologies
added 2026/03/31 12:0 a.m. · 2 views

PT-2026-29193

The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

CVSS 6.1 · AI score 6 · EPSS 0.00032
Exploits: 0 · References: 5
CVE
added 2026/02/19 9:26 a.m. · 9 views

CVE-2026-2718

CVE-2026-2718 — Dealia for WordPress is vulnerable to stored cross-site scripting via Gutenberg block attributes in all versions up to 1.0.8. Root cause: escaping in HTML attribute contexts relies on wp_kses() where esc_attr() is required, allowing authenticated attackers with Contributor+ access to inject script...

CVSS 6.4 · AI score 6.1 · EPSS 0.00048
Exploits: 0 · References: 5
Cvelist
added 2025/12/12 3:20 a.m. · 27 views

CVE-2025-14035 DebateMaster <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Color Options via 'debate' Shortcode

The DebateMaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color options in the plugin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 4.4 · EPSS 0.00032
Exploits: 0 · References: 6
OSV
added 2025/03/07 10:15 a.m. · 0 views

CVE-2024-13805

The Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.2.14 due to insufficient input sanitization and output escaping. This makes it...

CVSS 5.4 · AI score 7.4
Exploits: 0 · References: 3
OSV
added 2025/02/28 5:15 a.m. · 0 views

CVE-2025-1505

The Advanced AJAX Product Filters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.6.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVSS 6.1 · AI score 5.9 · EPSS 0.00411
Exploits: 0 · References: 2
Positive Technologies
added 2024/09/07 12:0 a.m. · 2 views

PT-2024-18158 · WordPress · Ninja Forms - File Uploads

Name of the Vulnerable Software and Affected Versions: Ninja Forms - File Uploads plugin for WordPress versions up to, and including, 3.3.16

Description: The issue is a Stored Cross-Site Scripting vulnerability via an uploaded file, such as an RTX file, due to insufficient input sanitization and...

CVSS 7.2 · AI score 6.6 · EPSS 0.03227
Exploits: 0 · References: 13