PT-2026-47125

The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma custom js' Page Setting Custom JS Extension in all versions up to, and including, 3.1.0 due to insufficient input...

RHEL 10 : php8.4 (RHSA-2026:22649)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:22649 advisory. PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also...

PT-2026-47133

The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block 'url' attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping...

PT-2026-47136

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag n drop text' and 'drag n drop browse text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This...

PT-2026-47122

The All-In-One Security AIOS – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get rest route function and missing output escaping in the column default method of t...

RHEL 8 : php:8.2 (RHSA-2026:22305)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:22305 advisory. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: PHP: PHP: Denial of Service via...

RHEL 9 : php:8.2 (RHSA-2026:22143)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:22143 advisory. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: PHP: PHP: Denial of Service via...

PT-2026-47138

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

PT-2026-47143

The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping...

CVE-2026-8900 Simple SEO Slideshow <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2026-8900

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2026-8900

The CVE-2026-8900 entry concerns the WordPress plugin Simple SEO Slideshow (versions up to and including 1.2.8). The vulnerability is a Stored Cross-Site Scripting (XSS) via shortcode attributes , caused by insufficient input sanitization and output escaping. An authenticated attacker with contri...

CVE-2026-8900 Simple SEO Slideshow <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2026-8893 Express Payment For Stripe <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the stripe-express shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value,...

CVE-2026-8893

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the stripe-express shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value,...

CVE-2026-8893

The CVE-2026-8893 entry concerns the Express Payment For Stripe WordPress plugin. Affected: the [stripe-express] shortcode’s type attribute in versions up to and including 1.28.0. Root cause: insufficient input sanitization and output escaping, with the attribute value concatenated into an HTML a...

Exploit for CVE-2024-34070

CVE-2024-34070 Froxlor PoC Python proof of concept for CVE-20...

GHSA-2G2G-8P8H-FGWM Twig: XSS in profiler HtmlDumper via unescaped template and profile names

Description Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate and Profile::getName straight into its HTML output without escaping: php protected function formatTemplateProfile $profile, $prefix: string return \sprintf'%s└ %s', $prefix, self::$colors'template', $profile-getTemplate; The...

Shopper: Multiple data integrity and disclosure issues in admin Livewire components

Impact Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS: - IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the Locked attribute. An...

GHSA-HR9V-R8R2-HG7J Shopper: Multiple data integrity and disclosure issues in admin Livewire components

Impact Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS: - IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the Locked attribute. An...