Search Results (83870 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-13137 3 Delabon, Woocommerce, Wordpress 3 Woomotiv, Woocommerce, Wordpress 2026-04-22 6.1 Medium
The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2025-13896 2 Wordpress, Wpdiscover 2 Wordpress, Social Feed Gallery Portfolio 2026-04-22 6.4 Medium
The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [igp-wp] shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-13604 2 Cleantalk, Wordpress 2 Security & Malware Scan, Wordpress 2026-04-22 7.2 High
The Login Security, FireWall, Malware removal by CleanTalk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the page URL in all versions up to, and including, 2.168 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-14467 2 Wordpress, Wpjobportal 2 Wordpress, Wp Job Portal 2026-04-22 4.4 Medium
The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.4. This is due to the plugin explicitly whitelisting the `<script>` tag in its `WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities.This only impacts multi-site installations, or those with unfiltered_html disabled.
CVE-2025-13989 1 Wordpress 1 Wordpress 2026-04-22 6.4 Medium
The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as JavaScript code via the `new Function()` constructor. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-12570 2 Radykal, Wordpress 2 Fancy Product Designer, Wordpress 2026-04-22 7.2 High
The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVE-2025-11876 1 Wordpress 1 Wordpress 2026-04-22 6.4 Medium
The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mailgun_subscription_form' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-14378 1 Wordpress 1 Wordpress 2026-04-22 4.4 Medium
The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2025-13367 2 Wordpress, Wpeverest 3 Wordpress, User Registration, User Registration & Membership 2026-04-22 6.4 Medium
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-11496 2 Rustaurius, Wordpress 2 Five Star Restaurant Reservations, Wordpress 2026-04-22 6.1 Medium
The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rtb-name' parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-14875 2 Hblpay, Wordpress 2 Payment Gateway For Woocommerce, Wordpress 2026-04-22 6.1 Medium
The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cusdata’ parameter in all versions up to, and including, 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2025-13531 1 Wordpress 1 Wordpress 2026-04-22 6.4 Medium
The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-14127 1 Wordpress 1 Wordpress 2026-04-22 6.1 Medium
The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2026-1607 2 Surbma, Wordpress 2 Surbma | Booking.com Shortcode, Wordpress 2026-04-22 6.4 Medium
The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-2396 2 Kimipooh, Wordpress 2 List View Google Calendar, Wordpress 2026-04-22 4.4 Medium
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2026-4388 2 10web, Wordpress 2 Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder, Wordpress 2026-04-22 7.2 High
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
CVE-2026-6190 1 Itsourcecode 1 Construction Management System 2026-04-22 6.3 Medium
A vulnerability was found in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /employees.php. Performing a manipulation of the argument Name results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
CVE-2026-6183 1 Code-projects 1 Simple Content Management System 2026-04-22 7.3 High
A security flaw has been discovered in code-projects Simple Content Management System 1.0. Affected by this issue is some unknown functionality of the file /web/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
CVE-2026-3643 2 Onthemapmarketing, Wordpress 2 Accessibly – Wordpress Website Accessibility, Wordpress 2026-04-22 7.2 High
The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission_callback` set to `__return_true`, which means no authentication or authorization check is performed. The `updateWidgetOptions()` function in `AdminApi.php` accepts user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which saves it to the WordPress options table via `update_option()` without any sanitization or validation. The stored `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and passed directly to `wp_enqueue_script()` as the script URL, causing it to be rendered as a `<script>` tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the `widgetSrc` option to point to a malicious external script.
CVE-2026-3551 2 Rafasashi, Wordpress 2 Custom New User Notification, Wordpress 2026-04-22 4.4 Medium
The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail Subject', 'User From Name', 'User From Email', 'Admin Mail Subject', 'Admin From Name', and 'Admin From Email'. The settings are registered via register_setting() without sanitize callbacks, and the values retrieved via get_option() are echoed directly into HTML input value attributes without esc_attr(). This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever a user accesses that page. This could be used in multi-site installations where administrators of subsites could target super administrators.