Lucene search
K

54 matches found

euvd
euvd
added 2026/03/04 3:31 a.m.6 views

EUVD-2026-9353

The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS5.9AI score0.00254EPSS
Exploits0References7
euvd
euvd
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-50445

Malicious code in bioql PyPI...

6.4CVSS8.7AI score0.00315EPSS
Exploits0References3
cve
cve
added 2025/06/19 9:23 a.m.22 views

CVE-2025-5234

CVE-2025-5234 affects the Gutenverse News WordPress plugin (versions up to 1.0.4). It is a Stored Cross-Site Scripting vulnerability via the elementId parameter, exploitable by authenticated attackers with Contributor-level access or higher. The payload can cause arbitrary scripts to run on pages...

6.4CVSS5.7AI score0.00211EPSS
Exploits0References5Affected Software1
redhatcve
redhatcve
added 2025/05/23 10:38 a.m.20 views

CVE-2024-8282

The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute within the 'wp:ive/ive-productscarousel' Gutenberg block in all versions up to, and including, 1.2.4.4 due to insufficient input sanitization and output escaping. Thi...

6.4CVSS5.8AI score0.00311EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/05/23 4:31 a.m.14 views

CVE-2023-5243

The Login Screen Manager WordPress plugin through 3.5.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.8CVSS5.7AI score0.00379EPSS
Exploits2
redhatcve
redhatcve
added 2025/05/23 12:3 a.m.6 views

CVE-2022-4362

The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...

5.4CVSS5.9AI score0.00562EPSS
Exploits2References1
nvd
nvd
added 2025/05/15 8:15 p.m.13 views

CVE-2024-13486

The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.8CVSS0.00266EPSS
Exploits1References1
nvd
nvd
added 2025/02/18 11:15 a.m.38 views

CVE-2024-13667

The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level acces...

5.4CVSS0.00227EPSS
Exploits0References2
cvelist
cvelist
added 2024/12/04 8:22 a.m.24 views

CVE-2024-5020 Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library versions 1.3.4 to 3.5.7 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS0.00421EPSS
Exploits0References15
cvelist
cvelist
added 2024/12/04 7:32 a.m.16 views

CVE-2024-11903 WP eCards <= 1.3.904 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP eCards plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ecard' shortcode in all versions up to, and including, 1.3.904 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00254EPSS
Exploits0References2
cve
cve
added 2024/12/03 7:34 a.m.47 views

CVE-2024-11853

CVE-2024-11853: The jAlbum Bridge plugin for WordPress (versions up to and including 2.0.15) is vulnerable to Stored Cross-Site Scripting via the ar parameter. An authenticated attacker with Contributor-level access can inject scripts that execute in pages viewed by users. A patch/upgrade to a ve...

6.4CVSS7.4AI score0.00325EPSS
Exploits0References5
cvelist
cvelist
added 2024/11/28 8:47 a.m.14 views

CVE-2024-11761 LegalWeb Cloud <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The LegalWeb Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'legalweb-popup' shortcode in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS0.0031EPSS
Exploits0References2
cvelist
cvelist
added 2024/11/26 8:31 a.m.14 views

CVE-2024-11091 Support SVG – Upload svg files in wordpress without hassle <= 1.1.0 - Authenticated (Author+) Stored Cross-site Scripting via SVG File Upload

The Support SVG – Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00391EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2024/11/26 8:31 a.m.11 views

CVE-2024-11091 Support SVG – Upload svg files in wordpress without hassle <= 1.1.0 - Authenticated (Author+) Stored Cross-site Scripting via SVG File Upload

The Support SVG – Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6AI score0.00391EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2024/11/26 8:31 a.m.9 views

CVE-2024-11119 BNE Gallery Extended <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via gallery Shortcode

The BNE Gallery Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.9AI score0.00408EPSS
Exploits0References4
nvd
nvd
added 2024/11/21 11:15 a.m.26 views

CVE-2024-9768

The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.8CVSS0.00418EPSS
Exploits1References1
cvelist
cvelist
added 2024/11/21 2:6 a.m.29 views

CVE-2024-10177 Beds24 Online Booking <= 2.0.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via beds24-link Shortcode

The Beds24 Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's beds24-link shortcode in all versions up to, and including, 2.0.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS0.00563EPSS
Exploits0References4
cve
cve
added 2024/11/21 2:6 a.m.43 views

CVE-2024-11412

CVE-2024-11412 affects the Shine PDF Embeder WordPress plugin. The vulnerability is a Stored Cross-Site Scripting (XSS) in the plugin’s shortcodes (shinepdf) present in all versions up to and including 1.0, caused by insufficient input sanitization and output escaping for user-supplied attributes...

6.4CVSS5.7AI score0.00906EPSS
Exploits0References2
cvelist
cvelist
added 2024/11/08 6:39 a.m.27 views

CVE-2024-10269 Easy SVG Support <= 3.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access a...

6.4CVSS0.00288EPSS
Exploits0References3
cvelist
cvelist
added 2024/10/25 8:34 a.m.22 views

CVE-2024-8666 Shoutcast Icecast HTML5 Radio Player <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Shoutcast Icecast HTML5 Radio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'html5radio' shortcode in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS0.00282EPSS
Exploits0References2
Rows per page
Query Builder