
5209 matches found

CVE
added 2025/02/28 7:3 a.m., 68 views

CVE-2025-1571

CVE-2025-1571 — The WordPress plugin “Exclusive Addons for Elementor” is vulnerable to Stored Cross-Site Scripting via the Animated Text and Image Comparison Widgets in all versions up to and including 2.7.6. The issue arises from insufficient input sanitization and output escaping on user-suppli...

6.4 CVSS, 5.7 AI score, 0.00132 EPSS
Exploits 0, References 3, Affected Software 1
NVD
added 2025/02/28 6:15 a.m., 12 views

CVE-2025-1513

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Name and Comment field when commenting on photo gallery entries in all versio...

7.2 CVSS, 0.00537 EPSS
Exploits 0, References 2
RedhatCVE
added 2025/02/28 12:29 a.m., 10 views

CVE-2025-25823

A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the article header at /admin/article.php...

7.3 CVSS, 5.7 AI score, 0.00132 EPSS
Exploits 0, References 1
OSV
added 2025/02/27 1:15 p.m., 3 views

CVE-2024-13402

The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘linktitle’ parameter in all versions up to, and including, 2.7.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

5.4 CVSS, 5.7 AI score
Exploits 0, References 2
NVD
added 2025/02/27 5:15 a.m., 9 views

CVE-2025-0469

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider template data in all versions up to, and including, 1.39.2 due to insufficient input sanitization and output escaping. This makes it possible fo...

6.4 CVSS, 0.00176 EPSS
Exploits 0, References 2
CVE
added 2025/02/26 12:0 a.m., 69 views

CVE-2025-25823

CVE-2025-25823 is an XSS in Emlog Pro v2.5.4. An attacker can inject a crafted payload into the article header at /admin/article.php to execute arbitrary web scripts/HTML. Reported impact per sources: arbitrary script execution, with CVSSv3.1 vector indicating local access, user interaction requi...

7.3 CVSS, 5.6 AI score, 0.00132 EPSS
Exploits 0, References 3, Affected Software 1
CVE
added 2025/02/22 12:39 p.m., 95 views

CVE-2025-0918

CVE-2025-0918 — SMTP for SendGrid – YaySMTP (WordPress) is affected by a Stored XSS in versions

7.2 CVSS, 7.4 AI score, 0.00534 EPSS
Exploits 0, References 4, Affected Software 1
NVD
added 2025/02/21 12:15 p.m., 6 views

CVE-2024-13455

The igumbi Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'igumbicalendar' shortcode in all versions up to, and including, 1.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS, 0.00114 EPSS
Exploits 0, References 2
RedhatCVE
added 2025/02/21 8:38 a.m., 2 views

CVE-2024-12069

The Lexicata plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute i...

6.1 CVSS, 6.3 AI score, 0.00401 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/02/21 8:32 a.m., 7 views

CVE-2024-13363

The Raptive Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'poc' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...

6.1 CVSS, 6.3 AI score, 0.00825 EPSS
Exploits 0, References 1
NVD
added 2025/02/20 10:15 a.m., 6 views

CVE-2025-1328

The Typed JS: A typewriter style animation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘typespeed’ parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

6.4 CVSS, 0.00124 EPSS
Exploits 0, References 3
Vulnrichment
added 2025/02/20 9:21 a.m., 5 views

CVE-2025-1328 Typed JS: A typewriter style animation <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via typespeed Parameter

The Typed JS: A typewriter style animation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘typespeed’ parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

6.4 CVSS, 5.7 AI score, 0.00124 EPSS
Exploits 0, References 3
NVD
added 2025/02/19 8:15 a.m., 2 views

CVE-2024-12069

The Lexicata plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute i...

6.1 CVSS, 0.00401 EPSS
Exploits 0, References 2
CVE
added 2025/02/19 7:32 a.m., 32 views

CVE-2024-13462

CVE-2024-13462 (WP Wiki Tooltip, WordPress): Stored XSS via the wiki shortcode in all versions up to 2.0.2; requires authenticated access at contributor level or higher to inject scripts, which execute when users load the affected pages. Connected data indicates a potential fix in 2.0.3, but ini...

6.4 CVSS, 5.7 AI score, 0.00129 EPSS
Exploits 0, References 4
Cvelist
added 2025/02/19 7:32 a.m., 9 views

CVE-2024-12069 Lexicata <= 1.0.16 - Reflected Cross-Site Scripting

The Lexicata plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute i...

6.1 CVSS, 0.00401 EPSS
Exploits 0, References 2
CVE
added 2025/02/19 7:32 a.m., 33 views

CVE-2024-13390

CVE-2024-13390 affects the WordPress plugin 'ADFO – Custom data in admin dashboard' (versions

6.4 CVSS, 5.7 AI score, 0.00111 EPSS
Exploits 0, References 2
Cvelist
added 2025/02/19 4:21 a.m., 25 views

CVE-2025-1441 Royal Elementor Addons and Templates <= 1.7.1007 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wprfilterwooproducts' function. This makes it possible for unauthenticated attacke...

6.1 CVSS, 0.00188 EPSS
Exploits 0, References 3
OSV
added 2025/02/18 11:15 a.m., 1 views

CVE-2025-0521

The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

6.1 CVSS, 6.2 AI score
Exploits 0, References 2
CVE
added 2025/02/18 7:28 a.m., 50 views

CVE-2024-13704

CVE-2024-13704 relates to the WordPress plugin Super Testimonials (also listed in Wordfence). It is a stored cross-site scripting (XSS) vulnerability via the st_user_title parameter in all versions up to 4.0.1, caused by insufficient input sanitization and output escaping. The impact is unauthent...

7.2 CVSS, 6.1 AI score, 0.00223 EPSS
Exploits 0, References 2, Affected Software 1
Cvelist
added 2025/02/18 7:28 a.m., 9 views

CVE-2024-11376 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 241216 - Reflected Cross-Site Scripting

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 241114...

6.1 CVSS, 0.0029 EPSS
Exploits 0, References 3