5210 matches found
CVE-2024-13839 Company Directory <= 4.3 - Reflected Cross-Site Scripting via add_query_arg Function
The Staff Directory Plugin: Company Directory plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to inject...
CVE-2024-13827
The Razorpay Subscription Button Elementor Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg functions without appropriate escaping on the URL in all versions up to, and including, 1.0.3. This makes it possible for...
CVE-2024-13827 Razorpay Subscription Button Elementor Plugin <= 1.0.3 - Reflected Cross-Site Scripting via add_query_arg and remove_query_arg Functions
The Razorpay Subscription Button Elementor Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg functions without appropriate escaping on the URL in all versions up to, and including, 1.0.3. This makes it possible for...
Linux Distros Unpatched Vulnerability : CVE-2023-43377
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizzacontratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML v...
CVE-2024-9618
CVE-2024-9618: Master Addons for Elementor (WordPress) is affected by a Stored Cross-Site Scripting vulnerability in multiple widgets, present in all versions up to 2.0.7.2. Root cause is insufficient input sanitization and output escaping on user-supplied attributes. Exploitation requires authen...
CVE-2024-9212
The SKU Generator for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-27585
A stored cross-site scripting (XSS) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Print Name parameter at /rest/staffResource/update...
CVE-2025-25949
CVE-2025-25949 affects the Serosoft Solutions Academia Student Information System (SIS) EagleR, v1.0.118. The vulnerability is a stored cross-site scripting (XSS) flaw in the web interface, reported to occur via unsanitized input in the User ID parameter (noted also as related fields in variants ...
CVE-2025-25949
A stored cross-site scripting (XSS) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the User ID parameter at /rest/staffResource/update...
CVE-2024-13851
The Modal Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject...
CVE-2024-13402
The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘linktitle’ parameter in all versions up to, and including, 2.7.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-1491
CVE-2025-1491 — WP Posts Carousel (WordPress) is vulnerable to Stored Cross-Site Scripting via the auto_play_timeout parameter in all versions up to 1.3.7. The issue arises from insufficient input sanitization and output escaping, enabling authenticated users with Contributor+ privileges to injec...
CVE-2025-1291 Gutenberg Blocks by Kadence Blocks <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'icon'
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icon’ parameter in all versions up to, and including, 3.4.9 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2024-6261
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'FinalTilesGallery' shortcode in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...
CVE-2024-9217
The Currency Switcher for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.16.2. This makes it possible for unauthenticated attackers to inject arbitrary w...
CVE-2024-13559
The TemplatesNext ToolKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'txwoowishlisttable' shortcode in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...
CVE-2024-9217 Currency Switcher for WooCommerce <= 2.16.2 - Reflected Cross-Site Scripting
The Currency Switcher for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.16.2. This makes it possible for unauthenticated attackers to inject arbitrary w...
CVE-2024-6810
The Quiz Organizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web...