Lucene search
K

6446 matches found

CVE
CVE
added 2026/04/15 8:28 a.m.7 views

CVE-2026-4011

The CVE-2026-4011 entry describes a Stored Cross-Site Scripting flaw in the Power Charts Lite WordPress plugin (versions

6.4CVSS6AI score0.00265EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/15 7:45 a.m.28 views

CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS0.00248EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/15 1:25 a.m.6 views

CVE-2026-4812 Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

5.3CVSS5.7AI score0.00625EPSS
Exploits0References17
NVD
NVD
added 2026/04/14 4:17 a.m.4 views

CVE-2026-1607

The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

6.4CVSS0.00152EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/14 3:37 a.m.28 views

CVE-2026-4059 ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute

The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentorquickviewbutton shortcode's buttontext attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode...

6.4CVSS0.00296EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/04/14 3:37 a.m.2 views

CVE-2026-1607 Surbma | Booking.com <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

6.4CVSS5.9AI score0.00152EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/14 2:25 a.m.2 views

CVE-2026-6227 BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the blockname parameter of the /wp-json/backwpup/v1/getblock REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive strreplace sanitization of path traversal sequences. This makes it possible for...

7.2CVSS6.5AI score0.01312EPSS
Exploits1References6
Vulnrichment
Vulnrichment
added 2026/04/10 3:35 a.m.4 views

CVE-2026-2305 AddFunc Head & Footer Code <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields

The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the aFhfcheadcode, aFhfcbodycode, and aFhfcfootercode post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or...

6.4CVSS6AI score0.002EPSS
Exploits0References8
EUVD
EUVD
added 2026/04/08 9:32 p.m.6 views

EUVD-2024-33399

The Beds24 Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's beds24-link shortcode in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS7.4AI score0.00563EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/08 9:32 p.m.3 views

EUVD-2024-46836

The Ultimate Post Kit Addons For Elementor – Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the Social Count Static widget in all versions up to, and...

6.4CVSS6.1AI score0.004EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/08 9:32 p.m.4 views

EUVD-2024-47007

The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eaflresetsettings AJAX action in all versions up to, and including, 3.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and...

4.3CVSS5.9AI score0.00395EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/08 6:33 p.m.5 views

EUVD-2024-50273

The Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...

6.4CVSS7.4AI score0.00519EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/08 6:33 p.m.4 views

EUVD-2024-33448

The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of addqueryarg and removequeryarg without appropriate escaping on the URL in all versions up to, and including, 3.11.7. This makes it possible for unauthenticated...

6.1CVSS7.4AI score0.00588EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/04/08 5:25 p.m.24 views

CVE-2026-0811 Advanced CF7 DB <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vszcf7savesettingcallback' function. This makes it possible for unauthenticated attackers to...

5.4CVSS0.00136EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.8 views

WordPress plugin ProSolution WP Client 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

9.8CVSS6.3AI score0.00578EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/04 7:41 a.m.23 views

CVE-2026-0738 Shortcodes Ultimate <= 7.4.8 - authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sucarousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'suslidelink' attachment meta field...

6.4CVSS0.00346EPSS
Exploits0References3
CVE
CVE
added 2026/04/04 1:24 a.m.16 views

CVE-2026-3571

The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is affected by an authorization flaw in which the pie_main() function lacks a capability check across all versions up to 3.8.4.8. This allows unauthenticated attackers to modify the registration form status,...

6.5CVSS5.9AI score0.00284EPSS
Exploits0References2
NVD
NVD
added 2026/03/31 11:17 p.m.4 views

CVE-2026-2480

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'maxwidth' attribute of the subox shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user supplied attributes...

6.4CVSS0.00197EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/03/27 5:9 p.m.4 views

CVE-2026-2389

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. This is due to the revertdivstosummary function replacing " HTML entities with literal double-quote characters " in post content without...

4.9CVSS6AI score0.00222EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/27 4:59 a.m.6 views

CVE-2026-4335

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment posttitle in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup function and its corresponding media-popup.php template...

5.4CVSS6AI score0.00176EPSS
Exploits0References1
Rows per page
Query Builder