Search Results (47053 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-13731 | | | 2026-07-01 | 7.2 High | The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'conversation' parameter in all versions up to, and including, 8.4.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The AJAX nonce required to authenticate the save request is publicly emitted on every frontend page via wp_localize_script, making it freely obtainable by any anonymous visitor and removing any practical barrier to exploitation. |
| CVE-2026-13966 | 1 Google | 1 Chrome | 2026-07-01 | N/A | Inappropriate implementation in History in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-2387 | | | 2026-07-01 | 6.4 Medium | The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.12.9. This is due to the 'eo_events' shortcode accepting attacker-controlled 'no_events' content and rendering it in event list templates without output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2026-12560 | 2 Wordpress, Wpqode | 2 Wordpress, Editorial Rating – Product Review & Rating System | 2026-07-01 | 4.4 Medium | The Editorial Rating – Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link URL' field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The WordPress unfiltered_html capability exemption does not apply here because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than in post_content or post_excerpt, meaning the restriction affects all administrators regardless of their unfiltered_html status. |
| CVE-2026-10513 | 2 Pfefferle, Wordpress | 2 Webmention, Wordpress | 2026-07-01 | 7.2 High | The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template without esc_attr() or esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a privileged user (moderator or administrator) opens the affected comment edit screen. |
| CVE-2026-7517 | | | 2026-07-01 | 7.2 High | The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alg_wc_cpg_input_fields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability is exploitable by unauthenticated guest users submitting a crafted checkout POST request, requiring no custom input fields to be configured in the plugin. |
| CVE-2026-13733 | | | 2026-07-01 | 6.4 Medium | The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'no_data_msg' shortcode attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Although wp_kses_post is applied to post content on save, it only strips HTML tokens and does not neutralize C-style escape sequences embedded within shortcode attribute values, meaning contributors can craft a payload that survives the kses filter and is silently reconstructed into a raw script tag at render time. |
| CVE-2026-12754 | | | 2026-07-01 | 6.1 Medium | The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires the targeted page to render the [vikbooking view="roomslist"] shortcode, as the vulnerable layoutstyle parameter is only processed in that view context. |
| CVE-2026-57329 | 2 Woocommerce Designer Pro, Wordpress | 2 Woocommerce Designer Pro, Wordpress | 2026-07-01 | 6.5 Medium | Subscriber Cross Site Scripting (XSS) in WooCommerce Designer Pro <= 1.9.34 versions. |
| CVE-2026-57326 | 2 Strategy11team, Wordpress | 2 Business Directory Plugin, Wordpress | 2026-07-01 | 6.5 Medium | Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions. |
| CVE-2026-57328 | 2 Strategy11team, Wordpress | 2 Business Directory Plugin, Wordpress | 2026-07-01 | 6.5 Medium | Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions. |
| CVE-2026-57330 | 2 Stylemixthemes, Wordpress | 2 Masterstudy Lms, Wordpress | 2026-07-01 | 6.5 Medium | Subscriber Cross Site Scripting (XSS) in MasterStudy LMS <= 3.7.27 versions. |
| CVE-2026-57958 | 1 Inovector | 1 Mixpost | 2026-07-01 | 6.1 Medium | Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions. |
| CVE-2026-12114 | 2 Wordpress, Wpmart | 2 Wordpress, Team Members – Multi Language Supported Team Plugin | 2026-07-01 | 4.4 Medium | The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. |
| CVE-2026-6953 | 1 Intermark It | 1 Webcontrol Cms | 2026-07-01 | N/A | HTML injection vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to send an email containing malicious HTML code to a victim via the contact form. To exploit this vulnerability, the attacker must send a request using the 'nombreApellidos', 'dirección ', and 'comentarios ' parameters to '/processContact.do'. |
| CVE-2026-6954 | 1 Intermark It | 1 Webcontrol Cms | 2026-07-01 | N/A | Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim's browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user's behalf. |
| CVE-2026-8141 | 2 Connekt Media, Wordpress | 2 Ajax Load More - Filters, Wordpress | 2026-07-01 | 7.2 High | The Ajax Load More - Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'taxonomy_include_children' parameter in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2026-52760 | 1 Apache | 2 Activemq, Activemq Web Console | 2026-07-01 | 6.1 Medium | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue. |
| CVE-2026-8403 | 1 Eksagate | 1 Sysguard 6001 | 2026-07-01 | 6.1 Medium | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. SYSGUARD 6001 allows Stored XSS. This issue affects SYSGUARD 6001: from 2.0.2 before 6.1.4.0. NOTE: The vendor was contacted and it was learned that the product is not supported. |
| CVE-2026-11581 | 2 Wordpress, Wpchill | 2 Wordpress, Kali Forms — Contact Form & Drag-and-drop Builder | 2026-07-01 | 5.9 Medium | The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it. |