Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-13657

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-19 Feb, 2025 | 07:32
Updated At-19 Feb, 2025 | 14:36
Rejected At-
Credits

Store Locator Widget <= 20200131 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Store Locator Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'storelocatorwidget' shortcode in all versions up to, and including, 20200131 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:19 Feb, 2025 | 07:32
Updated At:19 Feb, 2025 | 14:36
Rejected At:
▼CVE Numbering Authority (CNA)
Store Locator Widget <= 20200131 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Store Locator Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'storelocatorwidget' shortcode in all versions up to, and including, 20200131 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected Products
Vendor
store-locator-pro
Product
Store Locator Widget
Default Status
unaffected
Versions
Affected
  • From * through 20200131 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Peter Thaleikis
Timeline
EventDate
Disclosed2025-02-18 19:26:05
Event: Disclosed
Date: 2025-02-18 19:26:05
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/c65b6793-42e3-40cb-a6fe-b000c879d41f?source=cve
N/A
https://plugins.trac.wordpress.org/browser/store-locator-widget/trunk/store-locator-widget.php#L118
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/c65b6793-42e3-40cb-a6fe-b000c879d41f?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/store-locator-widget/trunk/store-locator-widget.php#L118
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:19 Feb, 2025 | 08:15
Updated At:19 Feb, 2025 | 08:15

The Store Locator Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'storelocatorwidget' shortcode in all versions up to, and including, 20200131 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity@wordfence.com
CWE ID: CWE-79
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/store-locator-widget/trunk/store-locator-widget.php#L118security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/c65b6793-42e3-40cb-a6fe-b000c879d41f?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/store-locator-widget/trunk/store-locator-widget.php#L118
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/c65b6793-42e3-40cb-a6fe-b000c879d41f?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2354Records found
CVE-2024-4452
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 45.97%
||
7 Day CHG~0.00%
Published-21 May, 2024 | 13:51
Updated-09 Jan, 2025 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ElementsKit Pro <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpmetwpmet
Product-elementskitElementsKit Pro
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4383
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.25% / 47.84%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 20:03
Updated-05 Feb, 2025 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Membership <= 4.4.5 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-simple-membership-pluginmra13
Product-simple_membershipSimple Membership
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4401
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.38% / 58.98%
||
7 Day CHG~0.00%
Published-30 Aug, 2024 | 03:24
Updated-20 Aug, 2025 | 12:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id and eae_slider_animation Parameters

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ and 'eae_slider_animation' parameters in all versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-webtechstreetwebtechstreet
Product-elementor_addon_elementsElementor Addon Elements
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4366
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.15% / 35.84%
||
7 Day CHG~0.00%
Published-24 May, 2024 | 07:30
Updated-07 Feb, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spectra – WordPress Gutenberg Blocks <= 2.13.0 - Authenticated (Author+) Stored Cross-Site Scripting

The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘block_id’ parameter in versions up to, and including, 2.13.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Brainstorm Force
Product-spectraSpectra – WordPress Gutenberg Blocks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4360
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 46.05%
||
7 Day CHG~0.00%
Published-09 Aug, 2024 | 04:29
Updated-29 Jan, 2025 | 15:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 5.7.2 due to insufficient input sanitization and output escaping on user supplied attributes like 'title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BdThemes
Product-element_packElement Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9858
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 16.35%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 11:17
Updated-06 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Auto Bulb Finder for WordPress <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Auto Bulb Finder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abf_vehicle' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-mtoolstec
Product-Auto Bulb Finder for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4361
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.36% / 57.69%
||
7 Day CHG~0.00%
Published-21 May, 2024 | 11:02
Updated-12 Aug, 2025 | 01:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Page Builder by SiteOrigin <= 2.29.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-siteorigingpridaysiteorigin
Product-page_builderPage Builder by SiteOriginpage_builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4392
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.43% / 62.36%
||
7 Day CHG~0.00%
Published-14 May, 2024 | 08:32
Updated-22 Jan, 2026 | 13:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jetpack – WP Security, Backup, Speed, & Growth <= 13.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode

The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all versions up to, and including, 13.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Automattic Inc.
Product-jetpackJetpack – WP Security, Backup, Speed, & Growth
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5161
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.92%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 03:53
Updated-01 Aug, 2024 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Magical Addons For Elementor <= 1.1.39 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 1.1.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpthemespacenalam-1
Product-magical_addons_for_elementorMagical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4400
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 46.09%
||
7 Day CHG~0.00%
Published-16 May, 2024 | 11:05
Updated-20 Mar, 2025 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.26.4 - Authenticated (Contributer+) Stored Cross-Site Scripting

The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plguin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.26.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BoldGrid (InMotion Hosting, Inc.)
Product-post_and_page_builderPost and Page Builder by BoldGrid – Visual Drag and Drop Editor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9875
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 16.23%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 11:17
Updated-06 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event Tickets, RSVPs, Calendar <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ticketspot
Product-Event Tickets, RSVPs, Calendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9204
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 16.35%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 11:17
Updated-06 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
X Addons for Elementor <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Youtube Video ID Field

The X Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Youtube Video ID field in all versions up to, and including, 1.0.14. This is due to insufficient input sanitization and output escaping on the Youtube Video ID parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page.

Action-Not Available
Vendor-pencilwp
Product-X Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5252
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.59%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 06:45
Updated-01 Aug, 2024 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Addons for WPBakery Page Builder <= 3.19.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_info_table shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Brainstorm Force
Product-ultimate_addons_for_wpbakery_page_builderUltimate Addons for WPBakeryultimate_addons_for_wpbakery_page_builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4074
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.15% / 36.22%
||
7 Day CHG~0.00%
Published-18 Jan, 2022 | 16:52
Updated-14 Feb, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WHMCS Bridge <= 6.1 Subscriber+ Stored Cross-Site Scripting

The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1. Due to missing authorization checks on the cc_whmcs_bridge_add_admin function, low-level authenticated users such as subscribers can exploit this vulnerability.

Action-Not Available
Vendor-i-pluginsWHMCS Bridge
Product-whmcs_bridgeWHMCS Bridge
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-862
Missing Authorization
CVE-2024-4342
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.46% / 63.41%
||
7 Day CHG~0.00%
Published-01 Jun, 2024 | 05:38
Updated-08 Jan, 2025 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Royal Elementor Addons and Templates <= 1.3.975 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's image hotspot, image accordion, off canvas, woogrid, and product mini cart widgets in all versions up to, and including, 1.3.975 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Royal Elementor Addons
Product-royal_elementor_addonsRoyal Elementor Addons and Templatesroyal_elementor_addons_and_templates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4277
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 41.44%
||
7 Day CHG~0.00%
Published-10 May, 2024 | 09:32
Updated-15 Jan, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin <= 4.2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via layout_html Parameter

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘layout_html’ parameter in all versions up to, and including, 4.2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-LearnPress – WordPress LMS Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9496
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 17.33%
||
7 Day CHG~0.00%
Published-11 Oct, 2025 | 07:25
Updated-14 Oct, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enable Media Replace <= 4.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via file_modified Shortcode

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file_modified shortcode in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-shortpixel
Product-Enable Media Replace
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4333
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.16% / 36.51%
||
7 Day CHG~0.00%
Published-14 May, 2024 | 12:50
Updated-04 Feb, 2025 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) <= 3.5.3 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via several parameters in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-sinaextrashaonsina
Product-sina_extension_for_elementorSina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4265
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 41.99%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-03 Feb, 2025 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 2.0.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-master-addonslitonice13
Product-master_addonsMaster Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4339
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.18% / 39.14%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 20:03
Updated-03 Feb, 2025 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) <= 3.14.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the General widget in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BdThemes
Product-prime_sliderPrime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4335
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 38.49%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 20:03
Updated-15 Oct, 2025 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rank Math SEO with AI Best SEO Tools <= 1.0.217 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Rank Math SEO with AI Best SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textAlign’ parameter in versions up to, and including, 1.0.217 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-rankmathrankmath
Product-seoRank Math SEO with AI Best SEO Tools
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9560
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 16.23%
||
7 Day CHG~0.00%
Published-11 Oct, 2025 | 02:24
Updated-14 Oct, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Colibri Page Builder <= 1.0.334 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_newsletter Shortcode

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-extendthemes
Product-Colibri Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-0555
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.01% / 1.62%
||
7 Day CHG-0.02%
Published-07 Feb, 2026 | 08:26
Updated-11 Feb, 2026 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premmerce_wizard_actions' AJAX Endpoint

The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmerce_wizard_actions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the `state` parameter. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the Premmerce Wizard admin page).

Action-Not Available
Vendor-premmerce
Product-Premmerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4273
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.31% / 53.84%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 05:32
Updated-29 May, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Real Estate <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-g5plusg5theme
Product-essential_real_estateEssential Real Estate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5255
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.59%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 06:45
Updated-01 Aug, 2024 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Addons for WPBakery Page Builder <= 3.19.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_dual_color shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Brainstorm Force
Product-ultimate_addons_for_wpbakery_page_builderUltimate Addons for WPBakery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4268
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.27% / 49.92%
||
7 Day CHG~0.00%
Published-02 Jul, 2024 | 11:01
Updated-01 Aug, 2024 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Blocks – WordPress Blocks Plugin <= 3.1.9 - Authenticated(Contributor+) Stored Cross-Site Scripting via Multiple Blocks

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-dotcampultimateblocks
Product-ultimate_blocksUltimate Blocks – WordPress Blocks Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4316
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 45.44%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 20:03
Updated-07 Jan, 2025 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EmbedPress Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 3.9.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-WPDeveloper
Product-embedpressEmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9128
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 9.02%
||
7 Day CHG+0.01%
Published-11 Sep, 2025 | 07:25
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
eID Easy <= 4.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

The eID Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-eideasy
Product-eID Easy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9075
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 20.36%
||
7 Day CHG~0.00%
Published-01 Oct, 2025 | 03:25
Updated-02 Oct, 2025 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns <= 2.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BdThemes
Product-ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9850
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 9.09%
||
7 Day CHG+0.01%
Published-11 Sep, 2025 | 07:24
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Evenium <= 1.3.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Evenium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'evenium_single_event' shortcode in all versions up to, and including, 1.3.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-evenium
Product-Evenium
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9500
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 12.46%
||
7 Day CHG~0.00%
Published-30 Aug, 2025 | 04:25
Updated-02 Sep, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TablePress <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode_debug Parameter

The TablePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘shortcode_debug’ parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-tobiasbg
Product-TablePress – Tables in WordPress made easy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9080
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 16.23%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 11:17
Updated-06 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Generic Elements <= 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Generic Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget fields in version 1.2.4 and earlier. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-bdevs
Product-Generic Elements
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-0627
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 11.77%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 08:20
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.

Action-Not Available
Vendor-Mohammed & Ahmed Kaludi (Magazine3)
Product-AMP for WP – Accelerated Mobile Pages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9854
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 16.35%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 11:17
Updated-06 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A Simple Multilanguage Plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The A Simple Multilanguage Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'asmp-switcher' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-piupiiu
Product-A Simple Multilanguage Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4107
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.18% / 40.08%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 20:03
Updated-21 Mar, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elementor Website Builder Pro <= 3.21.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The Elementor Website Builder – More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in versions up to, and including, 3.21.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-elementorhttps://elementor.com/
Product-website_builderElementor Website Builder Pro
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4160
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.29% / 51.50%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 09:31
Updated-21 Mar, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Manager <= 3.2.90 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm-all-packages Shortcode

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm-all-packages' shortcode in all versions up to, and including, 3.2.90 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Shahjada (codename065)W3 Eden, Inc.WordPress Download Manager Pro
Product-download_managerDownload Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-0559
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 9.30%
||
7 Day CHG~0.00%
Published-14 Feb, 2026 | 06:42
Updated-18 Feb, 2026 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'stm_lms_courses_grid_display' Shortcode

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stm_lms_courses_grid_display' shortcode in all versions up to, and including, 3.7.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-stylemix
Product-MasterStudy LMS WordPress Plugin – for Online Courses and Education
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4209
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.28% / 51.44%
||
7 Day CHG~0.00%
Published-11 May, 2024 | 01:56
Updated-07 Feb, 2025 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown timer in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Kadence WP
Product-gutenberg_blocks_with_aiGutenberg Blocks with AI by Kadence WP – Page Builder Features
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4156
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.30% / 53.27%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-15 Jan, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eael_event_text_color’ parameter in versions up to, and including, 5.9.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-WPDeveloper
Product-essential_addons_for_elementorEssential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4212
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.76% / 73.01%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 03:32
Updated-13 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's TF Group Image, TF Nav Menu, TF Posts, TF Woo Product Grid, TF Accordion, and TF Image Box widgets in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-themesflatthemesflat
Product-themesflat_addons_for_elementorThemesflat Addons For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9131
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 9.02%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 04:25
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ogulo – 360° Tour <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via slug Parameter

The Ogulo – 360° Tour plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slug’ parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ogulo
Product-Ogulo – 360° Tour
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9852
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 16.35%
||
7 Day CHG~0.00%
Published-30 Sep, 2025 | 03:35
Updated-02 Oct, 2025 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Yoga Schedule Momoyoga <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-momostefan
Product-Yoga Schedule Momoyoga
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4003
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.27% / 50.31%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-15 Jan, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_team_members_image_rounded parameter in the Team Members widget in all versions up to, and including, 5.9.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-WPDeveloper
Product-essential_addons_for_elementorEssential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4092
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.21% / 43.39%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-03 Feb, 2025 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmltag’ parameter in all versions up to, and including, 6.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure Slider Revolution can be extended to authors.

Action-Not Available
Vendor-themepunchRevolution Slider
Product-slider_revolutionSlider Revolution
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9436
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 13.22%
||
7 Day CHG+0.01%
Published-11 Dec, 2025 | 03:27
Updated-12 Dec, 2025 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Widgets for Google Reviews <= 13.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trustindex Shortcode

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-trustindex
Product-Widgets for Google Reviews
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3990
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.29%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 20:03
Updated-28 Jan, 2025 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HT Mega – Absolute Addons For Elementor <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip & Popover Widget

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Tooltip & Popover Widget in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-HasTech IT Limited (HasThemes)
Product-ht_megaHT Mega – Absolute Addons For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-39728
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.4||MEDIUM
EPSS-0.31% / 53.61%
||
7 Day CHG~0.00%
Published-15 Jul, 2024 | 01:34
Updated-02 Aug, 2024 | 04:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Datacap Navigator cross-site scripting

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 295967.

Action-Not Available
Vendor-IBM Corporation
Product-datacapdatacap_navigatorDatacap Navigator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9856
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 13.93%
||
7 Day CHG+0.01%
Published-13 Dec, 2025 | 08:21
Updated-15 Dec, 2025 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Popup Builder – Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-popupbuilder
Product-Popup Builder – Create highly converting, mobile friendly marketing popups.
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9082
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 7.62%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 06:43
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPBITS Addons For Elementor <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpbits
Product-WPBITS Addons For Elementor Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9123
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 9.09%
||
7 Day CHG+0.01%
Published-11 Sep, 2025 | 07:25
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CBX Map for Google Map & OpenStreetMap <= 1.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

The CBX Map for Google Map & OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup heading and location address parameters in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-manchumahara
Product-CBX Map for Google Map & OpenStreetMap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • ...
  • 5
  • 6
  • 7
  • ...
  • 47
  • 48
  • Next
Details not found