CVE-2024-12189

The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom widgets in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This...

CVE-2025-2804

The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the 'accountid' and 'accountusername' parameters in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible...

CVE-2025-1312

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttonTextColor’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-2167

The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eventslist' shortcodes in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-1705 tagDiv Composer <= 5.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation within the tdajaxgetviews AJAX action. This makes it possible for unauthenticated attackers to inject malicious web...

CVE-2025-2302

The Advanced Woo Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's awssearchterms shortcode in all versions up to, and including, 3.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-2167

The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eventslist' shortcodes in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-2167

CVE-2025-2167 pertains to the WordPress plugin Event post. It enables a Stored Cross-Site Scripting (XSS) via the plugin’s events_list shortcode in all versions up to and including 5.9.9, due to insufficient input sanitization and output escaping on user-supplied attributes. The vulnerability req...

CVE-2025-2165

The SH Email Alert plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...

CVE-2025-2635

The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of removequeryarg function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary...

CVE-2025-2108

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Site Title’ widget's 'titletag' and 'htmltag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This...

CVE-2025-2484 Multi Video Box <= 1.5.2 - Reflected Cross-Site Scripting via video_id and group_id Parameters

The Multi Video Box plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'videoid' and 'groupid' parameters in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

CVE-2025-2479

CVE-2025-2479 affects the WordPress plugin Easy Custom Admin Bar . It is a Reflected Cross‑Site Scripting vulnerability via the msg parameter in versions

CVE-2025-2477 CryoKey <= 2.4 - Reflected Cross-Site Scripting via 'ckemail' Parameter

The CryoKey plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ckemail’ parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...

CVE-2025-2477 CryoKey <= 2.4 - Reflected Cross-Site Scripting via 'ckemail' Parameter

The CryoKey plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ckemail’ parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...

CVE-2024-13739

CVE-2024-13739 concerns the WordPress Newsletters plugin. Affected: Newsletters plugin for WordPress, all versions up to and including 4.9.9.7. Issue: Reflected Cross-Site Scripting via the to parameter caused by insufficient input sanitization and output escaping. Impact: unauthenticated attacke...

CVE-2025-29410

A cross-site scripting XSS vulnerability in the component /contact.php of Hospital Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the txtEmail parameter...

CVE-2025-26127

A stored cross-site scripting XSS vulnerability in the Send for Approval function of FileCloud v23.241.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CVE-2025-2163

The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the zoorumsetoptions function. This makes it possible for unauthenticated attackers to update settings and inject...

CVE-2025-1526

The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget countdown feature in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...