
5207 matches found

CVE
added 2025/05/08 11:13 a.m. · 63 views

CVE-2025-3468

CVE-2025-3468 affects the WordPress plugin NEX-Forms – Ultimate Form Builder. It is a Stored Cross-Site Scripting flaw exploitable via the clean_html and form_fields parameters in all versions up to and including 8.9.1. The issue requires an authenticated attacker with Custom-level access and ca...

6.4 CVSS · 5.7 AI score · 0.00123 EPSS
Exploits 0 · References 2 · Affected Software 1
RedhatCVE
added 2025/05/08 10:12 a.m. · 10 views

CVE-2025-3020

A low-privileged remote attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage with limited impact...

5.4 CVSS · 7.3 AI score · 0.00155 EPSS
Exploits 0 · References 1
NVD
added 2025/05/07 8:15 a.m. · 12 views

CVE-2025-4171

The WZ Followed Posts – Display what visitors are reading plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wfp' shortcode in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...

6.4 CVSS · 0.00164 EPSS
Exploits 0 · References 2
Vulnrichment
added 2025/05/07 7:21 a.m. · 8 views

CVE-2025-4171 WZ Followed Posts – Display what visitors are reading <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WZ Followed Posts – Display what visitors are reading plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wfp' shortcode in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...

6.4 CVSS · 5.7 AI score · 0.00164 EPSS
Exploits 0 · References 2
NVD
added 2025/05/07 3:15 a.m. · 14 views

CVE-2025-3860

The CarDealerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘saleclass’ parameter in all versions up to, and including, 6.8.2505.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

6.4 CVSS · 0.00203 EPSS
Exploits 0 · References 4
Cvelist
added 2025/05/07 1:43 a.m. · 17 views

CVE-2025-4055 Multiple Post Type Order <= 1.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mpto Shortcode

The Multiple Post Type Order plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mpto' shortcode in all versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS · 0.00164 EPSS
Exploits 0 · References 2
NVD
added 2025/05/06 8:15 a.m. · 7 views

CVE-2025-3020

A low-privileged remote attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage with limited impact...

5.4 CVSS · 0.00155 EPSS
Exploits 0 · References 1
CVE
added 2025/05/06 8:1 a.m. · 50 views

CVE-2025-3020

IBM Maximo Application Suite - IoT Component is listed as affected by CVE-2025-3020. Affected versions: 9.1, 9.0, 8.8, 8.7. Remediations in the IBM bulletin: upgrade to 9.1.4, 9.0.13, 8.8.23, or 8.7.27. The bulletin groups CVE-2025-3020 with other CVEs and provides high-level remediation guidance...

5.4 CVSS · 7.3 AI score · 0.00155 EPSS
Exploits 0 · References 1
Cvelist
added 2025/05/06 8:1 a.m. · 11 views

CVE-2025-3020 Wiesemann & Theis: Multiple W&T Products are vulnerable to cross-site-scripting

A low-privileged remote attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage with limited impact...

5.4 CVSS · 0.00155 EPSS
Exploits 0 · References 1
Vulnrichment
added 2025/05/06 8:1 a.m. · 10 views

CVE-2025-3020 Wiesemann & Theis: Multiple W&T Products are vulnerable to cross-site-scripting

A low-privileged remote attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage with limited impact...

5.4 CVSS · 7.2 AI score · 0.00155 EPSS
Exploits 0 · References 1
Positive Technologies
added 2025/05/06 12:0 a.m. · 2 views

PT-2025-19900 · Wiesemann&Theis · Erp-Gateway 12X Digital Input +19

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A remote attacker with low privileges can execute arbitrary web scripts or HTML through a crafted payload injected into several fields of the configuration webpage, resulting in limited...

5.4 CVSS · 6.7 AI score · 0.00155 EPSS
Exploits 0 · References 4
RedhatCVE
added 2025/05/03 11:57 a.m. · 13 views

CVE-2025-3890

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpcartbutton' shortcode in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

6.4 CVSS · 5.9 AI score · 0.00157 EPSS
Exploits 0 · References 1
CVE
added 2025/05/03 1:43 a.m. · 59 views

CVE-2025-4199

CVE-2025-4199 covers the WordPress plugin Abundatrade Plugin (versions

6.1 CVSS · 6 AI score · 0.00041 EPSS
Exploits 0 · References 3
OSV
added 2025/05/02 7:15 a.m. · 3 views

CVE-2024-13858

The BuddyBoss Platform plugin and BuddyBoss Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘inviteename’ parameter in all versions up to, and including, 2.8.50 and 2.8.41, respectively, due to insufficient input sanitization and output escaping. This makes it possible fo...

5.4 CVSS · 5.5 AI score
Exploits 0 · References 4
CVE
added 2025/05/01 11:11 a.m. · 59 views

CVE-2025-3890

CVE-2025-3890 affects WordPress plugins: WordPress Simple Shopping Cart (wp-admin) versions up to and including 5.1.3. The issue is a stored cross-site scripting flaw in the shortcode wp_cart_button due to insufficient input sanitization and output escaping for user-supplied attributes. Consequen...

6.4 CVSS · 5.7 AI score · 0.00157 EPSS
Exploits 0 · References 4 · Affected Software 1
RedhatCVE
added 2025/04/26 7:14 a.m. · 8 views

CVE-2023-43378

A cross-site scripting (XSS) vulnerability in Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the commento11 parameter...

6.1 CVSS · 5.7 AI score · 0.00145 EPSS
Exploits 1 · References 3
RedhatCVE
added 2025/04/26 4:21 a.m. · 2 views

CVE-2024-53569

A stored cross-site scripting (XSS) vulnerability in the New Goal Creation section of Volmarg Personal Management System v1.4.65 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the description parameter...

5.4 CVSS · 5.5 AI score · 0.00164 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/04/26 4:14 a.m. · 3 views

CVE-2025-3435

The Mang Board WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the boardheader and boardfooter parameters in all versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4 CVSS · 5.8 AI score · 0.00161 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/04/26 1:5 a.m. · 6 views

CVE-2025-3106

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Table of Contents widget in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4 CVSS · 5.9 AI score · 0.00252 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/04/26 12:47 a.m. · 2 views

CVE-2025-3814

The Tax Switch for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class-name’ parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4 CVSS · 5.9 AI score · 0.00584 EPSS
Exploits 0 · References 1