CVE-2025-4224 wpForo + wpForo Advanced Attachments <= 3.1.3 - Unauthenticated Stored Cross-Site Scripting

The wpForo + wpForo Advanced Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via media upload names in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-4943 LA-Studio Element Kit for Elementor <= 1.5.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-lakit-element-link Parameter

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-lakit-element-link’ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-10055

The Click to Chat – WP Support All-in-One Floating Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsaiosnapchat shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes...

CVE-2024-32341

Multiple cross-site scripting XSS vulnerabilities in the Home page of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into any of the parameters...

CVE-2024-7122

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-25292

Cross-site scripting XSS vulnerability in RenderTune v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Upload Title parameter...

CVE-2024-25434

A cross-site scripting XSS vulnerability in Pkp Ojs v3.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Publicname parameter...

CVE-2024-22492

A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save contact parameter, which allows remote attackers to inject arbitrary web script or HTML...

CVE-2024-22493

A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save content parameter, which allows remote attackers to inject arbitrary web script or HTML...

CVE-2024-41515

A reflected cross-site scripting XSS vulnerability in "ccHandlerResource.ashx" in CADClick = 1.11.0 allows remote attackers to inject arbitrary web script or HTML via the "resurl" parameter...

CVE-2024-5041

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ha-ia-content-button’ parameter in all versions up to, and including, 3.10.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

CVE-2025-5096

The CVE-2025-5096 entry describes a DOM-based stored XSS vulnerability in the TablePress WordPress plugin, affecting all versions up to 3.1.2. The issue stems from insufficient input sanitization and output escaping in the data-caption, data-s-content-padding, data-s-title, and data-footer attrib...

CVE-2024-10374

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmemloginout shortcode in all versions up to, and including, 3.4.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVE-2024-42904

A cross-site scripting XSS vulnerability in SysPass 3.2.x allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter at /Controllers/ClientController.php...

CVE-2024-55227

A cross-site scripting XSS vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter...

CVE-2024-40734

A cross-site scripting XSS vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/front-ports/add/...

CVE-2024-8861

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.9.3.2 due to incorrect use of the wpksesallowedhtml function, which allows the 'onclick' attribute for certain HTML elements without...

CVE-2024-8804

The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's script embed functionality in all versions up to, and including, 2.4 due to insufficient restrictions on who can utilize the functionality. This makes it possible for authenticated attackers, with...

CVE-2024-8714

The WordPress Affiliates Plugin — SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of removequeryarg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to...

CVE-2024-8547

The Simple Popup Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's popup shortcode in all versions up to, and including, 4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...