Total
41597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2470 | 1 Plugin-planet | 1 Simple Ajax Chat | 2026-01-09 | N/A | 5.4 MEDIUM |
| The Simple Ajax Chat WordPress plugin before 20240412 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-10709 | 1 Antongorodezkiy | 1 Yadisk Files | 2026-01-09 | N/A | 6.8 MEDIUM |
| The YaDisk Files WordPress plugin through 1.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2025-9978 | 2026-01-09 | N/A | 6.8 MEDIUM | ||
| The Jeg Kit for Elementor WordPress plugin before 2.7.0 does not sanitize SVG file contents when uploaded via xmlrpc.php, leading to a cross site scripting vulnerability. | |||||
| CVE-2025-6200 | 1 Ayecode | 1 Geodirectory | 2026-01-09 | N/A | 5.9 MEDIUM |
| The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2025-2561 | 1 Ninjaforms | 1 Ninja Forms | 2026-01-09 | N/A | 4.8 MEDIUM |
| The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-2560 | 1 Ninjaforms | 1 Ninja Forms | 2026-01-09 | N/A | 4.8 MEDIUM |
| The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-2524 | 1 Ninjaforms | 1 Ninja Forms | 2026-01-09 | N/A | 4.8 MEDIUM |
| The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-1627 | 1 Qodeinteractive | 1 Qi Blocks | 2026-01-09 | N/A | 5.4 MEDIUM |
| The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2025-1626 | 1 Qodeinteractive | 1 Qi Blocks | 2026-01-09 | N/A | 5.4 MEDIUM |
| The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Countdown block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2025-1625 | 1 Qodeinteractive | 1 Qi Blocks | 2026-01-09 | N/A | 5.4 MEDIUM |
| The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Counter block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2025-1382 | 1 Lordlinus | 1 Contact Us | 2026-01-09 | N/A | 6.1 MEDIUM |
| The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2024-9458 | 1 Reservit | 1 Reservit Hotel | 2026-01-09 | N/A | 4.8 MEDIUM |
| The Reservit Hotel WordPress plugin before 3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-13669 | 1 Margiov | 1 Calendapp | 2026-01-09 | N/A | 6.1 MEDIUM |
| The CalendApp WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-13352 | 1 Alwayscurious | 1 Legull | 2026-01-09 | N/A | 7.1 HIGH |
| The Legull WordPress plugin through 1.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-13219 | 1 Waelhassan | 1 Privacy Policy Genius | 2026-01-09 | N/A | 6.1 MEDIUM |
| The Privacy Policy Genius WordPress plugin through 2.0.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-10710 | 1 Antongorodezkiy | 1 Yadisk Files | 2026-01-09 | N/A | 3.5 LOW |
| The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-5971 | 1 Pdfcrowd | 1 Save As Pdf | 2026-01-09 | N/A | 4.8 MEDIUM |
| The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2025-13071 | 2026-01-09 | N/A | 7.1 HIGH | ||
| The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-11846 | 1 Goodlayers | 1 Travel Tour | 2026-01-09 | N/A | 6.1 MEDIUM |
| The does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-47356 | 1 Catchthemes | 1 Create | 2026-01-09 | N/A | 5.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Catch Themes Create allows Stored XSS.This issue affects Create: from n/a through 2.9.1. | |||||