36694 matches found
CVE-2026-61876
LuCI DHCPv6 lease hostnames are not properly encoded before rendering in status pages, enabling stored cross-site scripting. An adjacent attacker can deliver a DHCPv6 Client FQDN containing script tags that execute in the administrator’s browser when viewing DHCP lease pages. Affected: LuCI web i...
CVE-2026-61875
The vulnerability is in luci-app-upnp (OpenWrt LuCI) and is a stored cross-site scripting (XSS) flaw in the UPnP IGD AddPortMapping SOAP request. An unauthenticated LAN client can submit malicious HTML in the NewPortMappingDescription field; miniupnpd stores it and luci-app-upnp renders it withou...
WPBot <= 8.4.9 - Cross-Site Scripting
WPBot = 8.4.9 is vulnerable to stored cross-site scripting via the conversation parameter in the qcldwbchatbotconversationsave AJAX action. The AJAX nonce qcsecretbotnonceval123qc is publicly emitted on every frontend page via wplocalizescript under the ajaxnonce key, making it freely obtainable ...
Limit Login Attempts - Stored Cross-Site Scripting
Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...
The Events Calendar < 6.4.0.1 - Cross-site Scripting
The Events Calendar WordPress plugin 6.4.0.1 contains a stored XSS caused by improper sanitization of user-submitted content when rendering views via AJAX, letting attackers execute scripts in the context of the affected site. Exploitation requires user interaction. id: CVE-2024-4180 info: name:...
Limit Login Attempts WordPress - Stored Cross-site Scripting
Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...
ChurchCRM 4.5.3 - Cross-Site Scripting
A stored Cross-site scripting XSS vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. id: CVE-2023-26843 info: name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: | A stored Cross-site scripti...
Microweber <1.2.12 - Stored Cross-Site Scripting
Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. id: CVE-2022-0963 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microweber prior to 1.2.12 contains a stored...
Duplicate Page WordPress - Stored Cross-Site Scripting
Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...
tagDiv Composer < 4.2 - Stored Cross-Site Scripting
tagDiv Composer plugin versions before 4.2 for WordPress are vulnerable to unauthenticated stored XSS via the /wp-json/tdw/savecss endpoint. An attacker can inject malicious JavaScript code through the compiledcss parameter, which gets stored and executed when the CSS is loaded. id: CVE-2023-3169...
EUVD-2026-43158
The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'posttitle' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-12126
CVE-2026-12126 affects the WCFM Marketplace plugin for WordPress (versions
EUVD-2026-43142
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumtooltiptext' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes i...
EUVD-2026-43139
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'bwidthmap' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...
LiteSpeed Cache <= 5.7 - Unauthenticated Stored XSS
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache- from n/a through 5.7. id: CVE-2023-40000 info: name: LiteSpeed Cache = 5.7 - Unauthenticated Stored XSS...
CVE-2026-3367
The CVE-2026-3367 entry concerns the WordPress plugin Lockme Calendars Integration (
CVE-2026-5743
The CVE concerns the SimpLy Gallery Block & Lightbox WordPress plugin. A stored XSS vulnerability exists through the sliderMaxHeight block attribute in all versions up to and including 3.3.3.2, caused by insufficient input sanitization and output escaping in pgc_sgb_render_callback(). The root ca...
PT-2026-57376
Name of the Vulnerable Software and Affected Versions Motors – Car Dealership & Classified Listings Plugin versions prior to 1.4.113 Description Insufficient input sanitization and output escaping allow unauthenticated attackers to perform Stored Cross-Site Scripting XSS. This occurs when arbitra...
CVE-2026-13231
CVE-2026-13231 affects Drupal Advanced Content Feedback (admin_feedback) versions 0.0.0 through 2.8.0. The issue is improper neutralization of input during web page generation, enabling Stored XSS when administrator-configured response messages contain HTML or script markup that is emitted to vis...
CVE-2026-15295
CVE-2026-15295 affects the WordPress Infinite Scroll – Ajax Load More plugin for WordPress, vulnerable in all versions up to 7.0.1 due to insufficient input sanitization and output escaping. Stored XSS can be triggered by authenticated attackers with administrator-level permissions (and above) vi...