CVE-2024-5647 Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library version 1.1.0 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

CVE-2024-5647

The CVE-2024-5647 entry documents a Stored DOM‑Based Cross‑Site Scripting vulnerability arising from the Magnific Popup JavaScript library (version 1.1.0) bundled in multiple WordPress plugins (e.g., Robo Gallery, Gutentor, Shortcodes Ultimate, Happy Addons, Divi, etc.). The issue requires authen...

PT-2025-27796 · WordPress +1 · Wordpress +1

Name of the Vulnerable Software and Affected Versions: WordPress plugins affected versions not specified Description: The issue is related to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library. Insufficient input sanitization and output escaping on user-supplied...

CVE-2025-53206 WordPress HT Mega – Absolute Addons for WPBakery Page Builder plugin <= 1.0.8 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows Stored XSS.This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through = 1.0....

PT-2025-26424 · WordPress · Import Youtube Videos As Wp Posts

Name of the Vulnerable Software and Affected Versions: Import YouTube videos as WP Posts versions n/a through 2.1 Description: The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. This can be used to gain...

CVE-2025-5303

The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expirydate parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10...

CVE-2025-5303

The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expirydate parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10...

WordPress WordPress Comments Import & Export plugin <= 2.4.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Missing Authorization to Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by Jorgson in WordPress Plugin Comments Import & Export versions = 2.4.3...

CVE-2025-4659

The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web...

CVE-2025-4659 Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.4 - Unauthenticated Full Path Disclosure

The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web...

CVE-2025-4659

The CVE-2025-4659 entry concerns the WordPress plugin integrating Salesforce with Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms. It exposes a Full Path Disclosure vulnerability in all versions up to and including 1.4.4, enabling unauthenticated attackers to retrieve the web appl...

CVE-2024-49593

In Advanced Custom Fields ACF before 6.3.9 and Secure Custom Fields before 6.3.6.3 plugins for WordPress, using the Field Group editor to edit one of the plugin's fields can result in execution of a stored XSS payload. NOTE: if you wish to use the WP Engine alternative update mechanism for the fr...

CVE-2024-0881

The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not have proper authorization, resulting in password protected posts to be displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to rea...

CVE-2024-12077

The Booking Calendar and Booking Calendar Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘calendarid’ parameter in all versions up to, and including, 3.2.19 and 11.2.19 respectively, due to insufficient input sanitization and output escaping. This makes it...

CVE-2024-10048

The Post Status Notifier Lite and Premium plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.11.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

CVE-2024-6158

The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Posts" widget settings before outputting them back in a page/post where the Widget is embed, which could allow high...

CVE-2024-11202

Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cmindsfreeguide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

CVE-2024-10636

The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 8.8.0 Business, up to, and including, 21.8.0 Developer, and up to, and including, 31.8.0 Agency due to insufficien...

CVE-2024-11362

The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of addqueryarg without appropriate escaping on the URL in all versions up to, and including, 1.112.0. This makes it...

CVE-2024-12260

The Ultimate Endpoints With Rest Api plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...