Export limit exceeded: 47241 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47241 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-0834 | 1 Wpamelia | 1 Amelia | 2026-04-08 | 7.2 High |
| The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user accesses the booking calendar with the date the attacker has injected the malicious payload into. This affects versions up to and including 1.0.46. | ||||
| CVE-2022-0750 | 1 Thriveweb | 1 Photoswipe Masonry Gallery | 2026-04-08 | 6.4 Medium |
| The Photoswipe Masonry Gallery WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the thumbnail_width, thumbnail_height, max_image_width, and max_image_height parameters found in the ~/photoswipe-masonry.php file which allows authenticated attackers to inject arbitrary web scripts into galleries created by the plugin and on the PhotoSwipe Options page. This affects versions up to and including 1.2.14. | ||||
| CVE-2021-4367 | 1 Flothemes | 1 Flo Forms | 2026-04-08 | 6.4 Medium |
| The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Options Change by using the flo_import_forms_options AJAX action in versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping along with missing capability checks. This makes it possible for authenticated attackers, like subscribers, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2021-4363 | 1 Webdevocean | 1 Wp Quick Frontend Editor | 2026-04-08 | 6.1 Medium |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.5 due to insufficient input sanitization and output escaping on the 'save_content_front' function that uses print_r on the user-supplied $_REQUEST values . This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2021-4358 | 1 Legalweb | 1 Wp Dsgvo Tools | 2026-04-08 | 7.2 High |
| The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 3.1.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2020-36711 | 1 Theme-fusion | 1 Avada | 2026-04-08 | 6.4 Medium |
| The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the update_layout function in versions up to, and including, 6.2.3 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers, and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2020-36709 | 1 King-theme | 1 Page Builder Kingcomposer | 2026-04-08 | 5.5 Medium |
| The Page Builder: KingComposer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via via shortcode in versions before 2.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2020-36704 | 1 Fruitfulcode | 1 Fruitful Theme | 2026-04-08 | 6.4 Medium |
| The Fruitful Theme for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters stored via the fruitful_theme_options_action AJAX action in versions up to, and including, 3.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2020-36703 | 1 Elementor | 1 Website Builder | 2026-04-08 | 6.4 Medium |
| The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to, and including 2.9.7 This makes it possible for authenticated attackers with the upload_files capability to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the stored web scripts. | ||||
| CVE-2019-25145 | 1 Wpforms | 1 Contact Form | 2026-04-08 | 7.2 High |
| The Contact Form & SMTP Plugin by PirateForms plugin for WordPress is vulnerable to HTML injection in the ‘public/class-pirateforms-public.php’ file in versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary HTML in emails that could be used to phish unsuspecting victims. | ||||
| CVE-2019-25144 | 1 Codemiq | 1 Wp Html Mail | 2026-04-08 | 5.4 Medium |
| The WP HTML Mail plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 2.2.10 due to insufficient input sanitization. This makes it possible for unauthenticated attackers to inject arbitrary HTML in pages that execute if they can successfully trick a administrator into performing an action such as clicking on a link. | ||||
| CVE-2019-25140 | 1 Wpshopmart | 1 Coming Soon Page \& Maintenance Mode | 2026-04-08 | 7.2 High |
| The WordPress Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logo_width, logo_height, rcsp_logo_url, home_sec_link_txt, rcsp_headline and rcsp_description parameters in versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9595 | 1 Tablepress | 1 Tablepress | 2026-04-08 | 6.4 Medium |
| The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-12038 | 2026-04-08 | 6.4 Medium | ||
| The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buddyforms_nav' shortcode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-6155 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2026-04-08 | 6.4 Medium |
| The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross Site Scripting in all versions up to, and including, 9.0.0 due to a missing capability check in the greenshift_download_file_localy function, along with no SSRF protection and sanitization on uploaded SVG files. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application that can also be leveraged to download malicious SVG files containing Cross-Site Scripting payloads to the server. On Cloud-based servers, attackers could retrieve the instance metadata. The issue was partially patched in version 8.9.9 and fully patched in version 9.0.1. | ||||
| CVE-2024-13575 | 1 Magazine3 | 1 Web Stories Enhancer | 2026-04-08 | 6.4 Medium |
| The Web Stories Enhancer – Level Up Your Web Stories plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'web_stories_enhancer' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11930 | 1 Taskbuilder | 1 Taskbuilder | 2026-04-08 | 6.4 Medium |
| The Taskbuilder – WordPress Project & Task Management plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppm_tasks shortcode in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-10538 | 1 Leevio | 1 Happy Addons For Elementor | 2026-04-08 | 6.4 Medium |
| The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-13340 | 1 Pluginus | 1 Meta Data And Taxonomies Filter | 2026-04-08 | 6.4 Medium |
| The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdf_results_by_ajax' shortcode in all versions up to, and including, 1.3.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-8544 | 1 Fatcatapps | 1 Pixel Cat | 2026-04-08 | 6.1 Medium |
| The Pixel Cat – Conversion Pixel Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.0.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||