Export limit exceeded: 45690 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45690 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2365 | 2 Techjewel, Wordpress | 2 Fluent Forms Pro Add On Pack, Wordpress | 2026-04-22 | 7.2 High |
| The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry. | ||||
| CVE-2026-2583 | 2 Creativethemes, Wordpress | 2 Blocksy, Wordpress | 2026-04-22 | 6.4 Medium |
| The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-27385 | 2 Designthemes, Wordpress | 2 Designthemes Portfolio, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio designthemes-portfolio allows Reflected XSS.This issue affects DesignThemes Portfolio: from n/a through <= 1.3. | ||||
| CVE-2026-22440 | 2 Foreverpinetree, Wordpress | 2 Thecs, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thecs thecs allows Reflected XSS.This issue affects Thecs: from n/a through <= 1.4.7. | ||||
| CVE-2026-1945 | 2 Iqonicdesign, Wordpress | 2 Wpbookit, Wordpress | 2026-04-22 | 7.2 High |
| The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpb_user_name' and 'wpb_user_email' parameters in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-27354 | 2 Webcodingplace, Wordpress | 2 Woocommerce Coming Soon Product With Countdown, Wordpress | 2026-04-22 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows Stored XSS.This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0. | ||||
| CVE-2026-27363 | 2 Kamleshyadav, Wordpress | 2 Wp Bakery Autoresponder Addon, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Stored XSS.This issue affects WP Bakery Autoresponder Addon: from n/a through <= 1.0.6. | ||||
| CVE-2026-27332 | 2 Skygroup, Wordpress | 2 Agrofood, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Agrofood agrofood allows Reflected XSS.This issue affects Agrofood: from n/a through < 1.4.0. | ||||
| CVE-2026-1236 | 2 Enviragallery, Wordpress | 2 Photo Gallery, Wordpress | 2026-04-22 | 6.4 Medium |
| The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'justified_gallery_theme' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-2355 | 2 Joedolson, Wordpress | 2 My Calendar – Accessible Event Manager, Wordpress | 2026-04-22 | 6.4 Medium |
| The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-22438 | 2 Foreverpinetree, Wordpress | 2 Thebi, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheBi thebi allows Reflected XSS.This issue affects TheBi: from n/a through <= 1.0.5. | ||||
| CVE-2026-22467 | 2 Mwtemplates, Wordpress | 2 Deepdigital, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mwtemplates DeepDigital deepdigital allows Reflected XSS.This issue affects DeepDigital: from n/a through <= 1.0.2. | ||||
| CVE-2025-69343 | 2 Jeroen Schmit, Wordpress | 2 Theater For Wordpress, Wordpress | 2026-04-22 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for WordPress: from n/a through <= 0.19. | ||||
| CVE-2026-22465 | 2 Seventhqueen, Wordpress | 2 Buddyapp, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeventhQueen BuddyApp buddyapp allows Reflected XSS.This issue affects BuddyApp: from n/a through <= 1.9.2. | ||||
| CVE-2026-27359 | 2 Fox-themes, Wordpress | 2 Awa Plugins, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Awa Plugins awa-plugins allows Reflected XSS.This issue affects Awa Plugins: from n/a through <= 1.4.4. | ||||
| CVE-2026-27353 | 2 Themegoods, Wordpress | 2 Grand News, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand News grandnews allows Reflected XSS.This issue affects Grand News: from n/a through <= 3.4.3. | ||||
| CVE-2026-2568 | 2 Crmperks, Wordpress | 2 Wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms, Wordpress | 2026-04-22 | 7.2 High |
| The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission data in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2018-25269 | 1 Icewarp | 1 Icewarp | 2026-04-22 | 6.1 Medium |
| ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information. | ||||
| CVE-2026-40451 | 1 Deepl | 1 Chrome Browser Extension | 2026-04-22 | N/A |
| DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user. | ||||
| CVE-2026-41456 | 1 Bludit | 1 Bludit | 2026-04-22 | N/A |
| Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit crafted URLs containing the payload, potentially stealing session cookies or performing actions on behalf of affected users. | ||||