CVE-2025-1622

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-6888

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for...

CVE-2024-9227

The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.9.18 does not sanitise and escape some of its settings when adding a podcast, which could allow admin users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

CVE-2024-9182

The Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

CVE-2024-10143 MB Custom Post Types & Custom Taxonomies < 2.7.7 - Admin+ Stored XSS

The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-9600

The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks...

CVE-2024-8758 Quiz and Survey Master (QSM) < 9.1.3 - Author+ Stored XSS

The Quiz and Survey Master QSM WordPress plugin before 9.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-6536

The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

PT-2024-21597 · WordPress · Socialdriver-Framework

Name of the Vulnerable Software and Affected Versions: socialdriver-framework WordPress plugin versions prior to 2024.04.30 Description: The issue concerns the socialdriver-framework WordPress plugin, which does not properly sanitise and escape some of its settings. This could allow high-privileg...

CVE-2024-3992

The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2024-28472 · WordPress · Playlist For Youtube Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: Playlist for Youtube WordPress plugin versions 1.32 and earlier Description: The issue concerns a Stored Cross-Site Scripting attack. High privilege users, such as admins, can exploit this even when the unfiltered html capability is disallowe...

CVE-2024-3630

CVE-2024-3630 concerns the HL Twitter WordPress plugin (versions up to 2014.1.18). It arises from insufficient sanitization and escaping of certain plugin settings, which could allow Stored XSS by high-privilege users (e.g., admins), even when unfiltered_html is disabled (such as in multisite set...

CVE-2024-2404

The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks...

CVE-2023-5943

The Wp-Adv-Quiz WordPress plugin before 1.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

CVE-2023-6290

The SEOPress WordPress plugin before 7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

PT-2024-15133 · WordPress · Keap Official Opt-In Forms

Name of the Vulnerable Software and Affected Versions: Keap Official Opt-in Forms WordPress plugin versions 1.0.11 and earlier Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks due to the plugin's failure to sanitise and escape some...

Cross site scripting

The All-in-one Floating Contact Form WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

Flo Forms <= 1.0.40 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-0605 Auto Rename Media On Upload < 1.1.0 - Admin+ Stored XSS

The Auto Rename Media On Upload WordPress plugin before 1.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2022-25663 · WordPress · The Quizlord

Name of the Vulnerable Software and Affected Versions: The Quizlord WordPress plugin versions through 2.0 Description: The issue allows high privilege users, such as admin, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in...