Total: 41753 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6270 | 1 Community Events Project | 1 Community Events | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Community Events WordPress plugin before 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-12736 | 1 Bu | 1 Bu Section Editing | 2025-06-12 | N/A | 6.1 MEDIUM |
| The BU Section Editing WordPress plugin through 0.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-11606 | 1 Tabs Shortcode Project | 1 Tabs Shortcode | 2025-06-12 | N/A | 5.3 MEDIUM |
| The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2025-43926 | 1 Znuny | 1 Znuny | 2025-06-12 | N/A | 6.1 MEDIUM |
| An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings. | |||||
| CVE-2024-9236 | 1 Radiustheme | 1 Team - Wordpress Team Members Showcase | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-47786 | 1 Emlog | 1 Emlog | 2025-06-12 | N/A | 4.8 MEDIUM |
| Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not validated and is directly stored in the `admin_commend_perpage_num` field of the `emlog_options` table in the database. Moreover, the output is not filtered, resulting in the direct output of malicious code. As of the time of publication, it is unclear if a patch exists. | |||||
| CVE-2025-1454 | 1 Ninja Pages Project | 1 Ninja Pages | 2025-06-12 | N/A | 5.4 MEDIUM |
| The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-1286 | 1 Sfarbota | 1 Download Html Tinymce Button | 2025-06-12 | N/A | 6.1 MEDIUM |
| The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-9182 | 1 Wpmaspik | 1 Maspik | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2025-1033 | 1 Danielpowney | 1 Badgearoo | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-0329 | 1 Quantumcloud | 1 Wpbot | 2025-06-12 | N/A | 4.8 MEDIUM |
| The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-9882 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-8759 | 1 Kylephillips | 1 Nested Pages | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-9663 | 1 Toolstack | 1 Cyan Backup | 2025-06-12 | N/A | 5.4 MEDIUM |
| The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-9662 | 1 Toolstack | 1 Cyan Backup | 2025-06-12 | N/A | 5.4 MEDIUM |
| The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-9238 | 1 Grandplugins | 1 Avif Uploader | 2025-06-12 | N/A | 5.4 MEDIUM |
| The AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
| CVE-2024-8702 | 1 Wpproking | 1 Backup Database | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-44108 | 1 Flatpress | 1 Flatpress | 2025-06-12 | N/A | 4.8 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then stored persistently. | |||||
| CVE-2025-2929 | 1 Tychesoftwares | 1 Order Delivery Date For Woocommerce | 2025-06-12 | N/A | 7.1 HIGH |
| The Order Delivery Date WordPress plugin before 12.4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2025-3582 | 1 Thenewsletterplugin | 1 Newsletter | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
