CVE-2025-2164
CVE-2025-2164 affects the WordPress plugin pixelstats (
CVE-2025-2163 Zoorum Comments <= 0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the zoorumsetoptions function. This makes it possible for unauthenticated attackers to update settings and inject...
CVE-2025-25908
A stored cross-site scripting XSS vulnerability in tianti v2.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the coverImageURL parameter at /article/ajax/save...
CVE-2025-2166
CVE-2025-2166 affects the WordPress plugin CM FAQ – Simplify support with an intuitive FAQ management tool, with a Reflected Cross-Site Scripting vulnerability caused by insufficient URL escaping in remove_query_arg. Affected versions are all up to and including 1.2.5. An unauthenticated attacker...
CVE-2025-1503 WP Recipe Maker <= 9.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-leve...
CVE-2024-55060
A cross-site scripting XSS vulnerability in the component index.php of Rafed CMS Website v1.44 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...
CVE-2025-2078
The BlogBuzzTime for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissio...
CVE-2025-2077
The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...
4 author cheer up donate <= 1.3 - Reflected Cross-Site Scripting
The 4 author cheer up donate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts ...
CVE-2025-25925
A stored cross-site scripting XSS vulnerability in OpenMRS v2.4.3 Build 0ff0ed allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the personName.middleName parameter at /openmrs/admin/patients/shortPatientForm.form...
CVE-2024-13413
The ProductDyno plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘res’ parameter in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...
CVE-2025-25925
CVE-2025-25925 refers to a stored cross-site scripting (XSS) vulnerability in OpenMRS v2.4.3 Build 0ff0ed. The issue allows attackers to inject arbitrary web scripts or HTML via the personName.middleName field on the page /openmrs/admin/patients/shortPatientForm.form, enabling script execution in...
CVE-2024-13649 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.4.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2025-1287
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax Highlighter, and Page Scroll widgets in all versions up to, and including, 6.2.2 due to insufficient...
CVE-2024-13774
CVE-2024-13774 (Wishlist for WooCommerce: Multi Wishlists Per Customer) is a CSRF vulnerability in versions up to 3.1.7 caused by missing/incorrect nonce validation in save_to_multiple_wishlist, enabling unauthenticated attackers to trigger settings updates and inject scripts. Connected sources c...
CVE-2024-12634
CVE-2024-12634 concerns the WordPress plugin Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins. The vulnerability is a Cross-Site Request Forgery (CSRF) due to missing nonce validation on a function, allowing unauthenticated attackers to inject maliciou...
CVE-2024-12634 Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins <= 2.0.59 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including 2.0.59. This is due to missing nonce validation on a function. This makes it possible for...
CVE-2025-0370
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘src’ parameter in all versions up to, and including, 7.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-13839
The Staff Directory Plugin: Company Directory plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to inject...