Lucene search
K

1443 matches found

Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.18 views

PT-2026-41152

Name of the Vulnerable Software and Affected Versions sanitize-html version 2.17.3 Description A sanitizer bypass exists in the default configuration where the disallowedTagsMode: 'discard' path fails to properly handle the xmp element. Because xmp is not included in the nonTextTags list, its...

9.3CVSS5.7AI score0.00397EPSS
Exploits0References9
GithubExploit
GithubExploit
added 2026/05/13 3:25 p.m.109 views

Stored-XSS-Vulnerability-Lab-Detection-Mitigation-

Stored Cross-Site Scripting XSS Vulnerability Report Exe...

6AI score
Exploits0
CVE
CVE
added 2026/05/13 4:26 a.m.14 views

CVE-2026-6962

CVE-2026-6962 affects the WordPress plugin “Cost of Goods: Product Cost & Profit Calculator for WooCommerce.” Vulnerable component: the shortcodes alg_wc_cog_product_cost and alg_wc_cog_product_profit in all versions up to 4.1.0. Root cause: insufficient input sanitization and output escaping on ...

6.4CVSS6AI score0.00193EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/12 9:31 a.m.15 views

EUVD-2026-29411

The Shortcodely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'widgetarea' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...

6.4CVSS6AI score0.00201EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/05/12 2:27 a.m.10 views

CVE-2026-40038

Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, commentbody, articlecontent, description, and message parameters...

7.2CVSS6AI score0.00161EPSS
Exploits1References1
Patchstack
Patchstack
added 2026/05/11 7:5 p.m.9 views

WordPress Tm – WordPress Redirection plugin <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Tm – WordPress Redirection versions = 1.2...

6.1CVSS5.8AI score0.0012EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/05/10 1:16 p.m.15 views

CVE-2021-47910

AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execut...

6.4CVSS0.00239EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:43 p.m.5 views

CVE-2021-47927

WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization of the forum name parameter. Attackers can submit POST requests to the admin setup page with...

6.4CVSS5.6AI score0.00193EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/10 12:43 p.m.13 views

CVE-2021-47924

The CVE-2021-47924 entry concerns the WordPress plugin Ultimate Product Catalog, version 5.8.2. The vulnerability is a stored cross-site scripting (XSS) flaw in which authenticated attackers can inject HTML/JavaScript into the price parameter via POST to post.php, leading to code execution when a...

6.4CVSS6AI score0.00282EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/10 12:12 p.m.39 views

CVE-2022-50949 WordPress Plugin Videos sync PDF 1.7.4 Stored XSS

WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized mov, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers throug...

6.4CVSS0.00191EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:12 p.m.6 views

CVE-2022-50947

WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the posttitle parameter. Attackers with editor privileges can inject JavaScript payloads through the...

6.4CVSS5.7AI score0.00197EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2026/05/10 12:0 a.m.10 views

MotoPress Hotel Booking Lite 跨站脚本漏洞

MotoPress Hotel Booking Lite is a hotel booking software developed by MotoPress. Version 4.2.4 of MotoPress Hotel Booking Lite contains a cross-site scripting vulnerability. This vulnerability stems from a stored-cross-site scripting flaw in the accommodation type field, which may allow...

6.4CVSS5.6AI score0.00191EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/10 12:0 a.m.24 views

PT-2026-39501

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file...

6.4CVSS5.8AI score0.00239EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/08 9:26 a.m.11 views

CVE-2026-7475 Sky Addons <= 3.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Script

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...

6.4CVSS6AI score0.00244EPSS
Exploits0References7
GithubExploit
GithubExploit
added 2026/05/05 10:15 p.m.106 views

xss-lab

xss-lab Simple xss...

5.9AI score
Exploits0
CVE
CVE
added 2026/05/05 2:26 a.m.14 views

CVE-2026-6701

The WordPress addfreespace plugin (versions ≤ 0.1.3) is vulnerable to Cross-Site Request Forgery due to missing/incorrect nonce validation, allowing unauthenticated attackers to modify settings and inject stored scripts via a forged request, by convincing an admin to perform an action. Root cause...

4.3CVSS5.7AI score0.00158EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/05/05 2:26 a.m.55 views

CVE-2026-4730 Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute

The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. Th...

6.4CVSS0.00188EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/02 11:16 a.m.4 views

CVE-2026-6817

The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ratereason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

5.8CVSS6AI score0.00228EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/02 9:26 a.m.36 views

CVE-2026-5077 Total <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in Blog Section Image alt Attribute

The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering thetitle inside HTML attribute context in the home blog section template. This makes it possible for authenticated...

5.4CVSS0.00194EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/27 3:11 p.m.24 views

CVE-2026-41467 ProjeQtor < 12.4.4 Stored XSS via checkValidFileName()

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the...

5.4CVSS0.00181EPSS
Exploits0References4
Rows per page
Query Builder