
46 matches found

Cvelist
added 2026/05/28 3:27 a.m., 23 views

CVE-2026-2374 Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $_SERVER['PHP_SELF'] superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename($_SERVER['PHP_SELF']) in the...

CVSS 7.2, EPSS 0.00137
Exploits: 0, References: 7
NVD
added 2026/05/27 7:16 a.m., 8 views

CVE-2026-8760

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to otplloginaction was placed only inside the OTP-generation branch and is never...

CVSS 9.8, EPSS 0.003
Exploits: 0, References: 10
RedhatCVE
added 2026/01/09 12:32 p.m., 11 views

CVE-2023-4549

The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via WordPress' login form...

CVSS 6.1, AI score 5.7, EPSS 0.01316
Exploits: 2, References: 1
RedhatCVE
added 2025/12/31 11:5 a.m., 1 views

CVE-2025-68974

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through =...

CVSS 6.6, AI score 7.1, EPSS 0.00095
Exploits: 0, References: 1
RedhatCVE
added 2025/12/19 7:33 a.m., 2 views

CVE-2025-49902

Missing Authorization vulnerability in A WP Life Login Page Customizer – Customizer Login Page, Admin Page, Custom Design customizer-login-page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Login Page Customizer – Customizer Login Page, Admin Page,...

CVSS 6.5, AI score 5.1, EPSS 0.00054
Exploits: 0, References: 1
Patchstack
added 2025/11/08 12:16 a.m., 3 views

WordPress Login Page Customizer – Customizer Login Page, Admin Page, Custom Design plugin <= 2.1.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Login Page Customizer – Customizer Login Page, Admin Page, Custom Design versions <= 2.1.1...

CVSS 6.5, AI score 6.8, EPSS 0.00054
Exploits: 0, Affected Software: 1
GithubExploit
added 2025/10/31 10:39 a.m., 163 views

Exploit for Authorization Bypass Through User-Controlled Key in Themewinter Eventin

CVE-2025-4796 eventin and update the speaker email to an emai...

CVSS 8.8, AI score 7.1, EPSS 0.00158
Exploits: 3
Cvelist
added 2025/09/22 6:25 p.m., 7 views

CVE-2025-53467 WordPress Login-Logout Plugin <= 3.8 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in webvitaly Login-Logout login-logout allows Stored XSS. This issue affects Login-Logout: from n/a through <= 3.8...

CVSS 5.9, EPSS 0.00075
Exploits: 0, References: 1
CNNVD
added 2025/07/24 12:0 a.m., 1 views

WWBN AVideo cross-site scripting vulnerability

WWBN AVideo is a video platform builder written in PHP by the WWBN team. A cross-site scripting vulnerability exists in WWBN AVideo version 14.4, which stems from the LoginWordPress loginForm cancelUri parameter and could lead to a cross-site scripting attack...

CVSS 9.6, AI score 5.9, EPSS 0.00703
Exploits: 1, References: 1
RedhatCVE
added 2025/05/22 5:30 p.m., 3 views

CVE-2020-6850

Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4.8.84 for WordPress allows XSS via a crafted SAML XML Response to wp-login.php. This is related to the SAMLResponse and RelayState variables, and the Destination parameter of the samlp:Response XML element...

CVSS 6.1, AI score 6.1, EPSS 0.00363
Exploits: 1, References: 1
RedhatCVE
added 2025/04/25 11:45 p.m., 3 views

CVE-2025-2613

The Login Manager – Design Login Page, View Login Activity, Limit Login Attempts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom logo and background URLs in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes...

CVSS 4.4, AI score 5.8, EPSS 0.00235
Exploits: 0, References: 1
Vulnrichment
added 2025/03/28 11:54 a.m., 6 views

CVE-2025-31459 WordPress Login Alert plugin <= 0.2.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in PasqualePuzio Login Alert allows Stored XSS. This issue affects Login Alert: from n/a through 0.2.1...

CVSS 7.1, AI score 7, EPSS 0.00255
Exploits: 0, References: 1
NVD
added 2025/03/11 9:15 p.m., 2 views

CVE-2025-28914

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Ajay Sharma wordpress login form to anywhere wp-show-login-form allows Stored XSS. This issue affects wordpress login form to anywhere: from n/a through <= 0.2...

CVSS 5.9, EPSS 0.00219
Exploits: 0, References: 1
CVE
added 2025/03/11 9:0 p.m., 43 views

CVE-2025-28914

CVE-2025-28914 affects the WordPress plugin “wordpress login form to anywhere” (versions

CVSS 5.9, AI score 7.2, EPSS 0.00219
Exploits: 0, References: 1
Vulnrichment
added 2025/03/11 9:0 p.m., 5 views

CVE-2025-28866 WordPress Login Logger plugin <= 1.2.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in smerriman Login Logger login-logger allows Cross Site Request Forgery. This issue affects Login Logger: from n/a through <= 1.2.1...

CVSS 4.3, AI score 8.5, EPSS 0.00134
Exploits: 0, References: 1
CNNVD
added 2025/03/03 12:0 a.m., 1 views

WordPress plugin Login Watchdog cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in...

CVSS 7.1, AI score 5.7, EPSS 0.00346
Exploits: 0, References: 2
Cvelist
added 2025/02/07 10:11 a.m., 9 views

CVE-2025-25149 WordPress Login-box plugin <= 2.0.4 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Danillo Nunes Login-box login-box allows Stored XSS. This issue affects Login-box: from n/a through <= 2.0.4...

CVSS 7.1, EPSS 0.0011
Exploits: 0, References: 1
OSV
added 2024/10/23 2:15 a.m., 1 views

CVE-2024-9927

The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of allowpaymentwithoutlogin function. This makes it possible for authenticated attackers, with Shop...

CVSS 7.2, AI score 5.8, EPSS 0.00154
Exploits: 0, References: 2
Patchstack
added 2024/10/04 12:0 a.m., 7 views

WordPress Login Logout Shortcode Plugin <= 1.1.0 is vulnerable to Cross Site Scripting (XSS)

Software: Login Logout Shortcode; Type: Plugin; Vulnerable versions: <= 1.1.0; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-9421; Patch priority: Low; CVSS severity: Low (6.5); PSID: ffc1bb236d2a; Credits: theviper17y; Require...

CVSS 6.4, AI score 6, EPSS 0.00233
Exploits: 0, References: 2, Affected Software: 1
Patchstack
added 2024/07/10 12:0 a.m., 8 views

WordPress Login by Auth0 Plugin <= 4.6.0 is vulnerable to Cross Site Scripting (XSS)

Software: Login by Auth0; Type: Plugin; Vulnerable versions: <= 4.6.0; Fixed in: 4.6.1; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-6813; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 700ddc0d68f5; Credits: Krzysztof Zając...

CVSS 6.1, AI score 5.6, EPSS 0.03505
Exploits: 0, References: 3, Affected Software: 1