Lucene search
K

36694 matches found

CVE
CVE
added 11 hours ago11 views

CVE-2026-61876

LuCI DHCPv6 lease hostnames are not properly encoded before rendering in status pages, enabling stored cross-site scripting. An adjacent attacker can deliver a DHCPv6 Client FQDN containing script tags that execute in the administrator’s browser when viewing DHCP lease pages. Affected: LuCI web i...

9.4CVSS6.2AI score
Exploits0References2
CVE
CVE
added 11 hours ago12 views

CVE-2026-61875

The vulnerability is in luci-app-upnp (OpenWrt LuCI) and is a stored cross-site scripting (XSS) flaw in the UPnP IGD AddPortMapping SOAP request. An unauthenticated LAN client can submit malicious HTML in the NewPortMappingDescription field; miniupnpd stores it and luci-app-upnp renders it withou...

8.8CVSS6.1AI score
Exploits0References2
Nuclei
Nuclei
added 20 hours ago6 views

WPBot <= 8.4.9 - Cross-Site Scripting

WPBot = 8.4.9 is vulnerable to stored cross-site scripting via the conversation parameter in the qcldwbchatbotconversationsave AJAX action. The AJAX nonce qcsecretbotnonceval123qc is publicly emitted on every frontend page via wplocalizescript under the ajaxnonce key, making it freely obtainable ...

7.2CVSS6.1AI score0.00524EPSS
Exploits0References2
Nuclei
Nuclei
added 20 hours ago136 views

Limit Login Attempts - Stored Cross-Site Scripting

Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...

4.8CVSS6AI score0.00848EPSS
Exploits2References1
Nuclei
Nuclei
added 20 hours ago21 views

The Events Calendar < 6.4.0.1 - Cross-site Scripting

The Events Calendar WordPress plugin 6.4.0.1 contains a stored XSS caused by improper sanitization of user-submitted content when rendering views via AJAX, letting attackers execute scripts in the context of the affected site. Exploitation requires user interaction. id: CVE-2024-4180 info: name:...

9.1CVSS6.2AI score0.01834EPSS
Exploits2References3
Nuclei
Nuclei
added 20 hours ago52 views

Limit Login Attempts WordPress - Stored Cross-site Scripting

Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...

6.1CVSS6.4AI score0.0157EPSS
Exploits2References2
Nuclei
Nuclei
added 20 hours ago80 views

ChurchCRM 4.5.3 - Cross-Site Scripting

A stored Cross-site scripting XSS vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. id: CVE-2023-26843 info: name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: | A stored Cross-site scripti...

5.4CVSS6.3AI score0.0142EPSS
Exploits1References5
Nuclei
Nuclei
added 20 hours ago63 views

Microweber <1.2.12 - Stored Cross-Site Scripting

Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. id: CVE-2022-0963 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microweber prior to 1.2.12 contains a stored...

5.7CVSS6.2AI score0.01877EPSS
Exploits1References5
Nuclei
Nuclei
added 20 hours ago81 views

Duplicate Page WordPress - Stored Cross-Site Scripting

Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...

4.8CVSS6.1AI score0.0087EPSS
Exploits2References3
Nuclei
Nuclei
added 20 hours ago19 views

tagDiv Composer < 4.2 - Stored Cross-Site Scripting

tagDiv Composer plugin versions before 4.2 for WordPress are vulnerable to unauthenticated stored XSS via the /wp-json/tdw/savecss endpoint. An attacker can inject malicious JavaScript code through the compiledcss parameter, which gets stored and executed when the CSS is loaded. id: CVE-2023-3169...

6.1CVSS6.8AI score0.01582EPSS
Exploits2References2
EUVD
EUVD
added yesterday8 views

EUVD-2026-43158

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'posttitle' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6.2AI score0.0021EPSS
Exploits0References8
CVE
CVE
added yesterday12 views

CVE-2026-12126

CVE-2026-12126 affects the WCFM Marketplace plugin for WordPress (versions

6.4CVSS6.2AI score0.0021EPSS
Exploits0References8
EUVD
EUVD
added yesterday6 views

EUVD-2026-43142

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumtooltiptext' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes i...

4.9CVSS6.2AI score0.00193EPSS
Exploits0References5
EUVD
EUVD
added yesterday6 views

EUVD-2026-43139

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'bwidthmap' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS6.2AI score0.00193EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday126 views

LiteSpeed Cache <= 5.7 - Unauthenticated Stored XSS

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache- from n/a through 5.7. id: CVE-2023-40000 info: name: LiteSpeed Cache = 5.7 - Unauthenticated Stored XSS...

8.3CVSS6.8AI score0.54872EPSS
Exploits5References3
CVE
CVE
added yesterday8 views

CVE-2026-3367

The CVE-2026-3367 entry concerns the WordPress plugin Lockme Cal­endars Integration (

4.4CVSS6.2AI score0.00256EPSS
Exploits0References14
CVE
CVE
added yesterday8 views

CVE-2026-5743

The CVE concerns the SimpLy Gallery Block & Lightbox WordPress plugin. A stored XSS vulnerability exists through the sliderMaxHeight block attribute in all versions up to and including 3.3.3.2, caused by insufficient input sanitization and output escaping in pgc_sgb_render_callback(). The root ca...

6.4CVSS6.2AI score0.00241EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added yesterday10 views

PT-2026-57376

Name of the Vulnerable Software and Affected Versions Motors – Car Dealership & Classified Listings Plugin versions prior to 1.4.113 Description Insufficient input sanitization and output escaping allow unauthenticated attackers to perform Stored Cross-Site Scripting XSS. This occurs when arbitra...

7.2CVSS6.2AI score0.0023EPSS
Exploits0References10
CVE
CVE
added 2 days ago9 views

CVE-2026-13231

CVE-2026-13231 affects Drupal Advanced Content Feedback (admin_feedback) versions 0.0.0 through 2.8.0. The issue is improper neutralization of input during web page generation, enabling Stored XSS when administrator-configured response messages contain HTML or script markup that is emitted to vis...

6.1AI score0.00161EPSS
Exploits0References1
CVE
CVE
added 2 days ago13 views

CVE-2026-15295

CVE-2026-15295 affects the WordPress Infinite Scroll – Ajax Load More plugin for WordPress, vulnerable in all versions up to 7.0.1 due to insufficient input sanitization and output escaping. Stored XSS can be triggered by authenticated attackers with administrator-level permissions (and above) vi...

4.4CVSS6.2AI score0.0019EPSS
Exploits0References2
Rows per page
Query Builder