254 matches found
CVE-2025-7644
The Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input...
CVE-2025-5240 CRM and Lead Management by vcita <= 2.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter
The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-7661
The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-30955
CVE-2025-30955 concerns GT3themes ListingEasy WordPress theme with a Reflected XSS in versions up to 1.9.2, caused by improper input neutralization during web page generation. Affected software: ListingEasy (theme)
CVE-2025-54051
CVE-2025-54051 describes a Stored XSS in the LightBox Block (Gutenberg block) for WordPress. Affected: LightBox Block versions up to 1.1.30. Root cause: Improper neutralization of input during web page generation. Impact: Stored cross-site scripting as indicated by the vulnerability entry. Remedi...
CVE-2025-54013 WordPress Welcart e-Commerce plugin <= 2.11.16 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Stored XSS. This issue affects Welcart e-Commerce: from n/a through <= 2.11.16...
CVE-2025-53994
CVE-2025-53994: Crocoblock JetPopup is affected up to version 2.0.15. The issue is a DOM-based Cross-Site Scripting (XSS) caused by improper neutralization of input during web page generation. Remediation: update to a version later than 2.0.15 (per PT-2025-29738).
CVE-2025-53989 WordPress JetBlocks For Elementor plugin <= 1.3.19 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Stored XSS. This issue affects JetBlocks For Elementor: from n/a through <= 1.3.19...
CVE-2025-6200
CVE-2025-6200 affects the GeoDirectory WordPress plugin (versions prior to 2.8.120). The issue arises from insufficient validation/escaping of shortcode attributes, allowing users with contributor role or higher to perform a Stored Cross-Site Scripting (XSS) attack on pages/posts where the shortc...
CVE-2025-6975
CVE-2025-6975 concerns the WordPress plugin Events Manager – Calendar, Bookings, Tickets, and more! Affected versions up to 7.0.3 are vulnerable to Reflected Cross‑Site Scripting via the calendar_header parameter due to insufficient input sanitization and output escaping. Exploitation requires no...
CVE-2025-31037 WordPress Homey theme <= 2.4.5 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in favethemes Homey homey allows Reflected XSS. This issue affects Homey: from n/a through <= 2.4.5...
CVE-2025-53321 WordPress Raise The Money plugin <= 5.2 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Raise The Money Raise The Money allows DOM-Based XSS. This issue affects Raise The Money: from n/a through 5.2...
CVE-2025-28960
CVE-2025-28960: The Evangelische Termine WordPress plugin (regibaer) has a reflected XSS due to improper input neutralization during web page generation. Affected versions are n/a through 3.3. CVSS v3.1 base score 7.1 (HIGH). Exploitation status and patch availability are not detailed in the pro...
CVE-2025-39488 WordPress MagOne theme <= 8.8 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Sneeit MagOne magone allows Reflected XSS. This issue affects MagOne: from n/a through <= 8.8...
CVE-2025-6212 Ultra Addons for Contact Form 7 3.5.11 - 3.5.19 - Unauthenticated Stored Cross-Site Scripting via Database module
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized values. Later, the...
CVE-2025-5842
CVE-2025-5842 affects the WordPress Modern Design Library plugin (mdl-shortcodes) up to version 1.1.4. It exposes a Stored XSS in the class parameter due to insufficient input sanitization and output escaping, enabling authenticated attackers with Contributor-level access or higher to inject ...
CVE-2025-49873
CVE-2025-49873 refers to a Cross-Site Scripting flaw in WordPress Theme Elessi (versions n/a through 6.3.9). The root cause is improper neutralization of input during web page generation, enabling reflected XSS. Patch data indicates the issue is fixed in version 6.4.1 of Elessi (update to at leas...
CVE-2025-50024 WordPress ATP Call Now plugin <= 1.0.3 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Truong Thanh ATP Call Now atp-call-now allows Stored XSS. This issue affects ATP Call Now: from n/a through <= 1.0.3...
CVE-2025-50042 WordPress WP Register Profile With Shortcode plugin <= 3.6.3 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in aviplugins.com WP Register Profile With Shortcode wp-register-profile-with-shortcode allows Stored XSS. This issue affects WP Register Profile With Shortcode: from n/a through <= 3.6.3...
CVE-2025-50043 WordPress Code Engine plugin <= 0.3.2 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Jordy Meow Code Engine allows Stored XSS. This issue affects Code Engine: from n/a through 0.3.2...