Lucene search
K

6985 matches found

Nuclei
Nuclei
added 5 hours ago173 views

PHPJabbers Callback Widget v1.0 - Cross-Site Scripting

There is a Cross Site Scripting XSS vulnerability in the "theme" parameter of preview.php in PHPJabbers Callback Widget v1.0. id: CVE-2023-40755 info: name: PHPJabbers Callback Widget v1.0 - Cross-Site Scripting author: ritikchaddha severity: medium description: | There is a Cross Site Scripting...

6.1CVSS6.4AI score0.01202EPSS
Exploits0References2
Nuclei
Nuclei
added 5 hours ago20 views

PHPJabbers Make an Offer Widget v1.0 - Cross-Site Scripting

There is a Cross Site Scripting XSS vulnerability in the "action" parameter of index.php in PHPJabbers Make an Offer Widget v1.0. id: CVE-2023-40752 info: name: PHPJabbers Make an Offer Widget v1.0 - Cross-Site Scripting author: ritikchaddha severity: medium description: | There is a Cross Site...

6.1CVSS6.4AI score0.00974EPSS
Exploits0References2
Nuclei
Nuclei
added 5 hours ago49 views

Advanced Text Widget < 2.0.2 - Cross-Site Scripting

A cross-site scripting XSS vulnerability in advancedtext.php in Advanced Text Widget plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. id: CVE-2011-4618 info: name: Advanced Text Widget 2.0.2 - Cross-Site Scripting author:...

4.3CVSS6.2AI score0.10083EPSS
Exploits1References5
Nuclei
Nuclei
added 5 hours ago83 views

Wordpress Polls Widget < 1.5.3 - SQL Injection

The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the dateanswers POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks id: CVE-2021-24442 inf...

9.8CVSS7.1AI score0.46921EPSS
Exploits2References3
CVE
CVE
added 6 hours ago6 views

CVE-2025-15665

The vulnerability affects the WordPress plugin Ultimate Before After Image Slider & Gallery prior to version 4.7.1 . The BEAF Slider widget shortcode field is not escaped before output, as its value is passed to do_shortcode and may echo non-shortcode content. This enables Admin+ Stored XSS : an ...

6.1AI score
Exploits0References1
EUVD
EUVD
added 6 hours ago4 views

EUVD-2025-210458

The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end the value is passed through doshortcode, which echoes non-shortcode content verbatim, allowing users with...

6.1AI score
Exploits0References1
CVE
CVE
added 3 days ago14 views

CVE-2026-11591

CVE-2026-11591 affects the WordPress plugin Widgets for Google Reviews up to version 13.3. It is a Stored Cross‑Site Scripting (XSS) vulnerability triggered via admin settings, caused by insufficient input sanitization and output escaping in the parameters fomo-title and fomo-text . Exploitation ...

4.4CVSS6.2AI score0.00251EPSS
Exploits0References10
NVD
NVD
added 4 days ago6 views

CVE-2026-55664

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, includin...

4.3CVSS0.00243EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-55880 OpenReplay: Cross-user IDOR in notes and dashboard widgets

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.updatewidget an...

7.1CVSS0.00195EPSS
Exploits0References1
CVE
CVE
added 4 days ago9 views

CVE-2026-13710

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress is affected by a Stored Cross-Site Scripting vulnerability in the Image Box widget’s sg_body_description parameter, affecting versions up to 3.2.6. The issue stems from insufficient input sanitization and...

6.4CVSS6.2AI score0.00206EPSS
Exploits0References8
EUVD
EUVD
added 4 days ago9 views

EUVD-2026-42861

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget's 'sgbodydescription' parameter in versions up to, and including, 3.2.6. This is due to insufficient input...

6.4CVSS6.2AI score0.00206EPSS
Exploits0References8
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-13710 Jeg Kit for Elementor <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sg_body_description' Parameter via 'jkit_image_box' Shortcode/Widget

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget's 'sgbodydescription' parameter in versions up to, and including, 3.2.6. This is due to insufficient input...

6.4CVSS0.00206EPSS
Exploits0References8
NVD
NVD
added 4 days ago10 views

CVE-2026-15299

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weatherstyle' and 'movedirection' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render...

6.4CVSS0.00193EPSS
Exploits0References4
NVD
NVD
added 4 days ago7 views

CVE-2026-15285

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated Contributor+ Stored Cross-Site Scripting via the Button widget's customattributes setting in versions up to and including 6.4.11. The render function in modules/widgets/tpbutton.php passed the raw customattributes...

6.4CVSS0.00261EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42806

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weatherstyle' and 'movedirection' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render...

6.4CVSS6AI score0.00193EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 4 days ago6 views

CVE-2026-15299

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weatherstyle' and 'movedirection' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render...

6.4CVSS6AI score0.00193EPSS
Exploits0References5
CVE
CVE
added 4 days ago10 views

CVE-2026-15299

CVE-2026-15299 : The Animation Addons for Elementor WordPress plugin is vulnerable to Stored Cross-Site Scripting in all versions up to 2.6.3 via the Weather widget’s weather_style and move_direction parameters. The root cause is insufficient output escaping in Weather widget render() (widgets/we...

6.4CVSS6AI score0.00193EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-15299 Animation Addons for Elementor <= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Weather Widget

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weatherstyle' and 'movedirection' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render...

6.4CVSS0.00193EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-15285 The Plus Addons for Elementor <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated Contributor+ Stored Cross-Site Scripting via the Button widget's customattributes setting in versions up to and including 6.4.11. The render function in modules/widgets/tpbutton.php passed the raw customattributes...

6.4CVSS0.00261EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42794

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated Contributor+ Stored Cross-Site Scripting via the Button widget's customattributes setting in versions up to and including 6.4.11. The render function in modules/widgets/tpbutton.php passed the raw customattributes...

6.4CVSS5.9AI score0.00261EPSS
Exploits0References5
Rows per page
Query Builder