Export limit exceeded: 45715 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45715 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2576 | 2026-04-22 | 6.4 Medium | ||
| The Ayyash Studio — The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2025-1784 | 2026-04-22 | 6.4 Medium | ||
| The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uagb block in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-3670 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.4 Medium |
| The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-5286 | 2026-04-22 | 6.4 Medium | ||
| The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘additional_settings’ parameter in all versions up to, and including, 5.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-5535 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.4 Medium |
| The e.nigma buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-5929 | 2 Wordpress, Zourbuth | 2 Wordpress, The Countdown | 2026-04-22 | 6.4 Medium |
| The The Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘clientId’ parameter in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6537 | 2 Mdezign, Wordpress | 2 Namasha, Wordpress | 2026-04-22 | 6.4 Medium |
| The Namasha By Mdesign plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘playicon_title’ parameter in all versions up to, and including, 1.2.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6987 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.4 Medium |
| The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-5587 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.4 Medium |
| The Appzend theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘progressbarLayout’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8314 | 2 Emarket-design, Wordpress | 2 Software Issue Manager Plugin, Wordpress | 2026-04-22 | 6.4 Medium |
| The Software Issue Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg parameter in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12580 | 2 Stanleychoi, Wordpress | 2 Sms For Wordpress, Wordpress | 2026-04-22 | 6.1 Medium |
| The SMS for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-13622 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.1 Medium |
| The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-13308 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 5.4 Medium |
| The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the "No, I do not approve of this connection" button, granted they can successfully trick the victim into performing an action such as clicking on a link. | ||||
| CVE-2025-12715 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.4 Medium |
| The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12705 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 7.2 High |
| The Social Reviews & Recommendations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the 'trim_text' function in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.5. | ||||
| CVE-2025-15378 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 7.2 High |
| The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to update plugin settings and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-14554 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 7.2 High |
| The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5. | ||||
| CVE-2025-0918 | 1 Yaycommerce | 1 Yaysmtp | 2026-04-22 | 7.2 High |
| The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-0953 | 1 Yaycommerce | 1 Yaysmtp | 2026-04-22 | 7.2 High |
| The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-0957 | 2026-04-22 | 7.2 High | ||
| The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||