5207 matches found
PT-2025-30113 · WordPress · Avishi Wp Paypal Payment Button
Name of the Vulnerable Software and Affected Versions: Avishi WP PayPal Payment Button versions prior to 2.1 Description: The Avishi WP PayPal Payment Button plugin for WordPress is susceptible to Cross-Site Request Forgery due to missing or incorrect nonce validation on the...
CVE-2025-5767
The Crowdfunding for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 3.1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-6977 ProfileGrid – User Profiles, Groups and Communities <= 5.9.5.4 - Reflected Cross-Site Scripting via 'pm_get_messenger_notification' function
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'pm_get_messenger_notification' function in all versions up to, and including, 5.9.5.4 due to insufficient input sanitization and output escaping. This makes it possib...
CVE-2024-42912
A cross-site scripting XSS vulnerability in META-INF Kft. Email This Issue Data Center before 9.13.0-GA allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the recipient field of an e-mail message...
CVE-2025-6716 Contest Gallery <= 26.0.8 - Authenticated (Author+) Stored Cross-Site Scripting
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload1title' parameter in all versions up to, and including, 26.0.8...
PT-2025-28967 · WordPress · Events Manager
Name of the Vulnerable Software and Affected Versions: Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress versions prior to 7.0.4 Description: The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is susceptible to Stored Cross-Site Scripting...
CVE-2025-6743
CVE-2025-6743 : WoodMart WordPress theme (vulnerable up to 8.2.3) suffers Stored Cross-Site Scripting via the plugin’s multiple_markers attribute due to insufficient input sanitization and output escaping. Exploitation requires contributor-level authentication or higher and can cause arbitrary sc...
CVE-2025-6041
The yContributors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the 'yContributors' page. This makes it possible for unauthenticated attackers to update settings and inject...
CVE-2025-2540
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library version 3.1.6 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
CVE-2024-5647
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library version 1.1.0 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
CVE-2025-5944
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-caption’ attribute in all versions up to, and including, 8.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-6740 Contact Form 7 Database Addon <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting via tmpD Parameter
The Contact Form 7 Database Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tmpD’ parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-6041
CVE-2025-6041 concerns the WordPress plugin yContributors (versions up to and including 0.5). The Wordfence record describes a CSRF flaw on the yContributors page that allows unauthenticated attackers to trigger actions on behalf of an administrator and inject web scripts via forged requests, eff...
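The CSRF entries above (Avishi WP PayPal Payment Button, yContributors) all come down to the same shape: a settings handler that acts on any POST without checking a nonce. The following is an added example written for this listing, not code from any of the plugins named here; the plugin slug, option name, form field names and nonce action are hypothetical. It shows the vulnerable handler beside a hardened one that adds the capability check, the nonce check, and sanitization of the stored value.

```php
<?php
// Added example (not code from any plugin listed above). Option name,
// field names and nonce action are hypothetical.

// Vulnerable shape: saves settings on any POST. A forged cross-site form
// submitted by a logged-in administrator's browser updates the option, and
// because the value is stored unescaped the CSRF also plants stored XSS.
function demo_save_settings_vulnerable() {
    if ( isset( $_POST['demo_footer_html'] ) ) {
        update_option( 'demo_footer_html', $_POST['demo_footer_html'] );
    }
}

// Hardened shape: capability check, nonce verification, then sanitization
// before the value is stored.
function demo_save_settings_hardened() {
    if ( ! isset( $_POST['demo_footer_html'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with a 403-style page when the nonce is missing or was not
    // issued for this action and this user's session.
    check_admin_referer( 'demo_save_settings', 'demo_settings_nonce' );
    // Keep only the HTML the post-content allow-list permits.
    $html = wp_kses_post( wp_unslash( $_POST['demo_footer_html'] ) );
    update_option( 'demo_footer_html', $html );
}

// The settings form that issues the nonce the hardened handler checks.
function demo_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_settings_nonce' ); ?>
        <textarea name="demo_footer_html"><?php
            echo esc_textarea( get_option( 'demo_footer_html', '' ) );
        ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce is not a substitute for the capability check: a nonce proves the request originated from a form WordPress rendered for this user, and current_user_can() proves that user is allowed to change the setting. Both are needed, and the sanitization step is what keeps a successful forgery from also becoming stored XSS.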
PT-2025-27775 · Unknown +1 · Prettyphoto +1
Name of the Vulnerable Software and Affected Versions: WordPress plugins affected versions not specified Description: The issue is related to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library, specifically version 3.1.6, due to insufficient input sanitization and output...
CVE-2024-11405 WP Front-end login and register <= 2.1.0 - Reflected Cross-Site Scripting
The WP Front-end login and register plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the email and wpmpresetpasswordtoken parameters in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-6290
The Tournament Bracket Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bracket' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-6550
The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slideroptions’ parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-6550
CVE-2025-6550 concerns The Pack Elementor addon for WordPress (v
CVE-2025-5338
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1028 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-6378
The Responsive Food and Drink Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's displaypdfmenus shortcode in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
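Several entries above (prettyPhoto, Magnific Popups, Tournament Bracket Generator, Royal Elementor Addons, Responsive Food and Drink Menu) describe the same defect: shortcode or widget attributes supplied by a Contributor-level user are echoed into HTML without escaping. The block below is an added example for this listing, not code from any plugin named here; the shortcode name, attribute names and wrapper markup are assumptions. It shows the vulnerable handler next to a hardened one that escapes each attribute for the context it lands in.

```php
<?php
// Added example (not code from any plugin listed above). Shortcode name,
// attribute names and the wrapper markup are hypothetical.

// Vulnerable shape: attribute values are concatenated straight into an
// HTML attribute, a URL and text content. A Contributor can save
//   [demo_box title='x" onmouseover="alert(1)' color="red"]
// in a post; wp_kses does not parse shortcode attributes, so the payload is
// stored intact and fires for every viewer once the shortcode renders.
function demo_box_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => 'black', 'link' => '#' ),
        $atts,
        'demo_box'
    );
    return '<div class="demo-box" style="color:' . $atts['color'] . '">'
         . '<a href="' . $atts['link'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</a></div>';
}

// Hardened shape: each value is escaped for its output context
// (esc_attr for attribute values, esc_url for the href, esc_html for text),
// and the colour is restricted to an allow-list instead of being echoed
// into a style attribute.
function demo_box_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => 'black', 'link' => '#' ),
        $atts,
        'demo_box'
    );
    $allowed_colors = array( 'black', 'red', 'blue' );
    $color = in_array( $atts['color'], $allowed_colors, true ) ? $atts['color'] : 'black';
    return '<div class="demo-box" style="color:' . esc_attr( $color ) . '">'
         . '<a href="' . esc_url( $atts['link'] ) . '" title="' . esc_attr( $atts['title'] ) . '">'
         . esc_html( $atts['title'] ) . '</a></div>';
}
add_shortcode( 'demo_box', 'demo_box_shortcode_hardened' );
```

The point the escaping functions make is that the correct escape depends on where the value is written: esc_attr() neutralises the quote that closes the title attribute, esc_url() drops javascript: and other disallowed schemes from the href, and esc_html() handles the text node. Escaping everything with one function, or sanitizing on input alone, leaves the other contexts open.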