Lucene search
K

1183 matches found

Vulnrichment
Vulnrichment
added 2026/04/18 11:16 a.m.7 views

CVE-2026-2986 Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes'

The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'otherattributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00304EPSS
Exploits0References2
CVE
CVE
added 2026/04/17 8:16 p.m.9 views

CVE-2026-40282

WeGIA web manager (used by charitable institutions) contains a Stored XSS vulnerability in versions prior to 3.6.10, exploitable by an authenticated user on the Intercorrências notification page. The attack injects JavaScript that runs when the page is accessed, enabling session hijacking and pot...

6.4CVSS5.7AI score0.00258EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2026/04/17 12:0 a.m.13 views

VulnCheck KEV: CVE-2026-5231

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utmsource' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utmsource value into the...

7.2CVSS5.9AI score0.00476EPSS
In wildExploits0References2
RedhatCVE
RedhatCVE
added 2026/04/16 7:22 p.m.6 views

CVE-2026-6293

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all...

4.3CVSS5.9AI score0.00219EPSS
Exploits0References1
NVD
NVD
added 2026/04/16 7:16 a.m.5 views

CVE-2026-3995

The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitizetextfield which strips HTML tags but does not...

4.4CVSS0.00345EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/04/16 3:36 a.m.39 views

CVE-2026-5070 Vantage <= 1.20.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Block Text Content

The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. This makes it possible for authenticated attackers, with contributor-level access and...

6.4CVSS0.00194EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/16 3:36 a.m.6 views

CVE-2026-3878 WP Docs <= 2.2.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'wpdocs_options[icon_size]'

The WP Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdocsoptionsiconsize' parameter in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level...

6.4CVSS5.9AI score0.00209EPSS
Exploits0References2
CVE
CVE
added 2026/04/16 3:36 a.m.12 views

CVE-2026-4032

CodeColorer for WordPress is affected by a stored cross-site scripting vulnerability in the cc shortcode’s class attribute, affecting versions up to and including 0.10.1 due to insufficient input sanitization and output escaping. Exploitation requires comments to be enabled on the target post and...

6.1CVSS5.9AI score0.00232EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/16 12:0 a.m.8 views

PT-2026-33262

Name of the Vulnerable Software and Affected Versions Custom New User Notification plugin for WordPress versions prior to 1.2.1 Description Stored Cross-Site Scripting is possible via the admin settings due to insufficient input sanitization and output escaping on multiple settings fields. The...

4.4CVSS5.4AI score0.00361EPSS
Exploits0References20
NVD
NVD
added 2026/04/15 5:17 p.m.4 views

CVE-2026-20132

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine ISE could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting XSS attack or a reflected XSS attack against a user of the web-based...

4.8CVSS0.00173EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/15 11:30 a.m.4 views

CVE-2026-1852 Product Pricing Table by WooBeWoo <= 1.1.0 - Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion

The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the updateLabel and remove functions. This makes it possible for unauthenticated attackers to...

6.1CVSS5.8AI score0.00126EPSS
Exploits0References2
CVE
CVE
added 2026/04/15 8:28 a.m.7 views

CVE-2026-4011

The CVE-2026-4011 entry describes a Stored Cross-Site Scripting flaw in the Power Charts Lite WordPress plugin (versions

6.4CVSS6AI score0.00265EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/15 7:45 a.m.30 views

CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS0.00248EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/14 11:26 p.m.3 views

CVE-2026-2396 List View Google Calendar <= 7.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via Event Description

The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS5.9AI score0.00221EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/14 9:42 p.m.28 views

CVE-2026-34212 Docmost page content has stored XSS via unsanitized attachment URLs

Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user vie...

5.4CVSS0.00197EPSS
Exploits3References1
Vulnrichment
Vulnrichment
added 2026/04/14 9:42 p.m.6 views

CVE-2026-34212 Docmost page content has stored XSS via unsanitized attachment URLs

Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user vie...

5.4CVSS5.8AI score0.00197EPSS
Exploits3References1
Cvelist
Cvelist
added 2026/04/11 1:24 a.m.28 views

CVE-2026-4895 Greenshift <= 12.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via disablelazy Attribute

The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9 This is due to insufficient input sanitization and output escaping in the gspbgreenShiftblockscriptassets function. The function uses...

6.4CVSS0.0042EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/04/11 1:24 a.m.6 views

CVE-2026-5217

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's'...

7.2CVSS6AI score0.00438EPSS
Exploits0References8
EUVD
EUVD
added 2026/04/09 3:35 p.m.3 views

EUVD-2026-20892

The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6.1AI score0.00271EPSS
Exploits0References4
NVD
NVD
added 2026/04/09 1:16 p.m.4 views

CVE-2026-3005

The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS0.00271EPSS
Exploits0References3
Rows per page
Query Builder