Export limit exceeded: 44465 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44465 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1247 | 2 Seosbg, Wordpress | 2 Survey, Wordpress | 2026-03-23 | 4.4 Medium |
| The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-1911 | 2 Viaviwebtech, Wordpress | 2 Twitter Feeds, Wordpress | 2026-03-23 | 6.4 Medium |
| The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweet_title' parameter in the 'TwitterFeeds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-3617 | 2 Swergroup, Wordpress | 2 Paypal Shortcodes, Wordpress | 2026-03-23 | 6.4 Medium |
| The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The swer_paypal_shortcode() function extracts shortcode attributes using extract() and shortcode_atts() at line 89, then directly concatenates the $name and $amount values into HTML input element value attributes at lines 105-106 without applying esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-3997 | 2 Hoosierdragon, Wordpress | 2 Text Toggle, Wordpress | 2026-03-23 | 6.4 Medium |
| The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the avp_texttoggle_part_shortcode() function, the 'title' attribute is extracted from shortcode attributes and concatenated directly into HTML output without any escaping — both within an HTML attribute context (title="...") on line 116 and in HTML content on line 119. While the 'class' attribute is properly validated using ctype_alnum(), the 'title' attribute has no sanitization whatsoever. An attacker can inject double-quote characters to break out of the title attribute and inject arbitrary HTML attributes including event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4544 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2026-03-23 | 2.4 Low |
| A vulnerability was determined in Wavlink WL-WN578W2 221110. This affects an unknown function of the file /cgi-bin/login.cgi of the component POST Request Handler. Executing a manipulation of the argument homepage/hostname/login_page can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-13910 | 2 Axton, Wordpress | 2 Wp-webauthn, Wordpress | 2026-03-23 | 6.1 Medium |
| The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's log page, provided that the logging option is enabled in the plugin settings. | ||||
| CVE-2026-4576 | 1 Code-projects | 1 Exam Form Submission | 2026-03-23 | 2.4 Low |
| A vulnerability has been found in code-projects Exam Form Submission 1.0. Impacted is an unknown function of the file /admin/update_s5.php. Such manipulation of the argument sname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-3577 | 2 Fahadmahmood, Wordpress | 2 Keep Backup Daily, Wordpress | 2026-03-23 | 4.4 Medium |
| The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute whenever another administrator views the backup list page. | ||||
| CVE-2026-3350 | 2 Wordpress, Wpsaad | 2 Wordpress, Image Alt Text Manager – Bulk & Dynamic Alt Tags For Image Seo Optimization + Ai | 2026-03-23 | 6.4 Medium |
| The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM parser. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1822 | 2 Tonysamperi, Wordpress | 2 Wp Ng Weather, Wordpress | 2026-03-23 | 6.4 Medium |
| The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-2277 | 2 Larsdrasmussen, Wordpress | 2 Rexcrawler, Wordpress | 2026-03-23 | 6.1 Medium |
| The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-2424 | 2 Applixir, Wordpress | 2 Reward Video Ad For Wordpress, Wordpress | 2026-03-23 | 4.4 Medium |
| The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4069 | 2 Pftool, Wordpress | 2 Alfie – Feed Plugin, Wordpress | 2026-03-23 | 6.1 Medium |
| The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'naam' parameter in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_option_page() function combined with insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject malicious web scripts that will be stored in the plugin's database and execute whenever a user accesses the page displaying the injected data, granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1899 | 2 Itpathsolutions, Wordpress | 2 Any Post Slider, Wordpress | 2026-03-23 | 6.4 Medium |
| The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0609 | 2 Logichunt, Wordpress | 2 Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin, Wordpress | 2026-03-23 | 6.4 Medium |
| The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-3353 | 2 Intermod, Wordpress | 2 Comment Spam Wiper, Wordpress | 2026-03-23 | 4.4 Medium |
| The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-3554 | 2 Sherkspear, Wordpress | 2 Sherk Custom Post Type Displays, Wordpress | 2026-03-23 | 6.4 Medium |
| The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the 'sherkcptdisplays' shortcode. Specifically, in the sherkcptdisplays_func() function in includes/SherkCPTDisplaysShortcode.php, the 'title' attribute value is extracted from shortcode_atts() on line 19 and directly concatenated into an HTML <h2> tag on line 31 without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-33072 | 2 Error311, Filerise | 2 Filerise, Filerise | 2026-03-23 | 8.2 High |
| FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations — HMAC token generation, AES config encryption, and session tokens — allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0. | ||||
| CVE-2026-1914 | 2 Jeremyshapiro, Wordpress | 2 Fusedesk, Wordpress | 2026-03-23 | 6.4 Medium |
| The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping on the 'emailtext' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-3427 | 2 Wordpress, Yoast | 2 Wordpress, Yoast Seo – Advanced Seo With Real-time Guidance And Built-in Ai | 2026-03-23 | 6.4 Medium |
| The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `jsonText` block attribute in all versions up to, and including, 27.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||