Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-7147

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-16 Aug, 2024 | 10:59
Updated At-08 Apr, 2026 | 16:41
Rejected At-
Credits

JetBlocks <= 1.3.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

The JetBlocks for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple placeholder parameters in all versions up to, and including, 1.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:16 Aug, 2024 | 10:59
Updated At:08 Apr, 2026 | 16:41
Rejected At:
▼CVE Numbering Authority (CNA)
JetBlocks <= 1.3.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

The JetBlocks for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple placeholder parameters in all versions up to, and including, 1.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected Products
Vendor
Crocoblock
Product
JetBlocks for Elementor
Default Status
unaffected
Versions
Affected
  • From 0 through 1.3.12 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Matthew Rollings
Timeline
EventDate
Disclosed2024-08-15 00:00:00
Event: Disclosed
Date: 2024-08-15 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/21f8908c-bcfc-4ca1-bc8b-80a80c4a5a4f?source=cve
N/A
https://crocoblock.com/plugins/jetblocks/
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/21f8908c-bcfc-4ca1-bc8b-80a80c4a5a4f?source=cve
Resource: N/A
Hyperlink: https://crocoblock.com/plugins/jetblocks/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:16 Aug, 2024 | 11:15
Updated At:15 Apr, 2026 | 00:35

The JetBlocks for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple placeholder parameters in all versions up to, and including, 1.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity@wordfence.com
CWE ID: CWE-79
Type: Secondary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://crocoblock.com/plugins/jetblocks/security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/21f8908c-bcfc-4ca1-bc8b-80a80c4a5a4f?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://crocoblock.com/plugins/jetblocks/
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/21f8908c-bcfc-4ca1-bc8b-80a80c4a5a4f?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2868Records found
CVE-2025-0371
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 23.65%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 08:21
Updated-08 Apr, 2026 | 17:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jet Elements <= 2.7.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.7.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-crocoblockCrocoblock
Product-jetelementsJetElements
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-0369
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.13% / 32.37%
||
7 Day CHG~0.00%
Published-18 Jan, 2025 | 07:05
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jet Engine <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via list_tag Parameter

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘list_tag’ parameter in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Crocoblock
Product-JetEngine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-7144
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.44%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 13:48
Updated-08 Apr, 2026 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JetElements <= 2.6.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'slide_id' parameters in all versions up to, and including, 2.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-crocoblockCrocoblock
Product-jetelementsJetElements
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-7136
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.32%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 10:59
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JetSearch <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The JetSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Crocoblock
Product-JetSearch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-39450
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 17:32
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetTabs plugin <= 2.2.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs jet-tabs allows DOM-Based XSS.This issue affects JetTabs: from n/a through <= 2.2.7.

Action-Not Available
Vendor-Crocoblock
Product-JetTabs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-24958
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 13.90%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:08
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetElements For Elementor plugin <= 2.7.12.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2.

Action-Not Available
Vendor-Crocoblock
Product-JetElements For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-26870
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 21:53
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetEngine plugin <= 3.6.4.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows DOM-Based XSS.This issue affects JetEngine: from n/a through <= 3.6.4.1.

Action-Not Available
Vendor-Crocoblock
Product-JetEngine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31043
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 42.36%
||
7 Day CHG+0.06%
Published-31 Mar, 2025 | 06:06
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetSearch plugin <= 3.5.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS.This issue affects JetSearch: from n/a through <= 3.5.7.

Action-Not Available
Vendor-Crocoblock
Product-JetSearch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31412
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 42.36%
||
7 Day CHG+0.06%
Published-31 Mar, 2025 | 06:07
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetProductGallery plugin <= 2.1.22 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetProductGallery jet-woo-product-gallery allows DOM-Based XSS.This issue affects JetProductGallery: from n/a through <= 2.1.22.

Action-Not Available
Vendor-Crocoblock
Product-JetProductGallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-30987
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 42.36%
||
7 Day CHG+0.06%
Published-31 Mar, 2025 | 06:07
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetBlocks For Elementor plugin <= 1.3.16 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Stored XSS.This issue affects JetBlocks For Elementor: from n/a through <= 1.3.16.

Action-Not Available
Vendor-Crocoblock
Product-JetBlocks For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-26744
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 11:59
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetBlog plugin <= 2.4.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlog jet-blog allows DOM-Based XSS.This issue affects JetBlog: from n/a through <= 2.4.3.

Action-Not Available
Vendor-Crocoblock
Product-JetBlog
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-48756
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.17% / 37.37%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 16:40
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetBlocks For Elementor Plugin <= 1.3.8 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor allows Reflected XSS.This issue affects JetBlocks For Elementor: from n/a through 1.3.8.

Action-Not Available
Vendor-motopressCrocoblock
Product-jetblocks_for_elementorJetBlocks For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-68504
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 19.85%
||
7 Day CHG~0.00%
Published-29 Dec, 2025 | 21:14
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetSearch plugin <= 3.5.16 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS.This issue affects JetSearch: from n/a through <= 3.5.16.

Action-Not Available
Vendor-Crocoblock
Product-JetSearch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-68495
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.04% / 14.07%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 15:46
Updated-28 Apr, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetEngine plugin <= 3.8.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.8.0.

Action-Not Available
Vendor-Crocoblock
Product-JetEngine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-68499
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 19.85%
||
7 Day CHG~0.00%
Published-29 Dec, 2025 | 23:10
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetTabs plugin <= 2.2.12 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs jet-tabs allows DOM-Based XSS.This issue affects JetTabs: from n/a through <= 2.2.12.

Action-Not Available
Vendor-Crocoblock
Product-JetTabs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-39448
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 17:33
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetElements For Elementor plugin <= 2.7.4.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows Stored XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.4.1.

Action-Not Available
Vendor-Crocoblock
Product-JetElements For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-67923
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.01% / 3.13%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:51
Updated-28 Apr, 2026 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetEngine plugin <= 3.7.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7.

Action-Not Available
Vendor-Crocoblock
Product-JetEngine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-64355
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 19.85%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 16:16
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetElements For Elementor plugin <= 2.7.12 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.12.

Action-Not Available
Vendor-Crocoblock
Product-JetElements For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-55714
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.48%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 18:21
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetElements For Elementor Plugin <= 2.7.9 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows Stored XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.9.

Action-Not Available
Vendor-Crocoblock
Product-JetElements For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-54687
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.48%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 10:34
Updated-12 May, 2026 | 00:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetTabs Plugin plugin <= 2.2.9.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs jet-tabs allows DOM-Based XSS.This issue affects JetTabs: from n/a through <= 2.2.9.1.

Action-Not Available
Vendor-Crocoblock
Product-JetTabs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-54749
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.48%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 18:21
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetProductGallery Plugin <= 2.2.0.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetProductGallery jet-woo-product-gallery allows Stored XSS.This issue affects JetProductGallery: from n/a through <= 2.2.0.2.

Action-Not Available
Vendor-Crocoblock
Product-JetProductGallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-54688
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.48%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 10:34
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetEngine Plugin plugin <= 3.7.1.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS.This issue affects JetEngine: from n/a through <= 3.7.1.2.

Action-Not Available
Vendor-Crocoblock
Product-JetEngine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53996
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG+0.09%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetSearch plugin <= 3.5.10.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows Stored XSS.This issue affects JetSearch: from n/a through <= 3.5.10.1.

Action-Not Available
Vendor-Crocoblock
Product-JetSearch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53995
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG+0.09%
Published-16 Jul, 2025 | 10:36
Updated-13 May, 2026 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetPopup plugin <= 2.0.15.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup jet-popup allows Stored XSS.This issue affects JetPopup: from n/a through <= 2.0.15.1.

Action-Not Available
Vendor-Crocoblock
Product-JetPopup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53991
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG+0.09%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetTricks plugin <= 1.5.4.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTricks jet-tricks allows Stored XSS.This issue affects JetTricks: from n/a through <= 1.5.4.1.

Action-Not Available
Vendor-Crocoblock
Product-JetTricks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-54009
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG+0.09%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetSmartFilters plugin <= 3.6.8 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSmartFilters jet-smart-filters allows Stored XSS.This issue affects JetSmartFilters: from n/a through <= 3.6.8.

Action-Not Available
Vendor-Crocoblock
Product-JetSmartFilters
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53989
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG+0.09%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetBlocks For Elementor plugin <= 1.3.19 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Stored XSS.This issue affects JetBlocks For Elementor: from n/a through <= 1.3.19.

Action-Not Available
Vendor-Crocoblock
Product-JetBlocks For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53984
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG+0.09%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetTabs plugin <= 2.2.9 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs jet-tabs allows Stored XSS.This issue affects JetTabs: from n/a through <= 2.2.9.

Action-Not Available
Vendor-Crocoblock
Product-JetTabs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53982
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG+0.09%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetElements For Elementor plugin <= 2.7.7 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows Stored XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.7.

Action-Not Available
Vendor-Crocoblock
Product-JetElements For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53994
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG+0.09%
Published-16 Jul, 2025 | 10:36
Updated-13 May, 2026 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetPopup plugin <= 2.0.15 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup jet-popup allows DOM-Based XSS.This issue affects JetPopup: from n/a through <= 2.0.15.

Action-Not Available
Vendor-Crocoblock
Product-JetPopup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53195
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 12.84%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 08:03
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetEngine plugin <= 3.7.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS.This issue affects JetEngine: from n/a through <= 3.7.0.

Action-Not Available
Vendor-Crocoblock
Product-JetEngine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-49927
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.06%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetWooBuilder plugin <= 2.1.20.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows Stored XSS.This issue affects JetWooBuilder: from n/a through <= 2.1.20.1.

Action-Not Available
Vendor-Crocoblock
Product-JetWooBuilder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-49938
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.06%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetEngine plugin <= 3.7.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS.This issue affects JetEngine: from n/a through <= 3.7.3.

Action-Not Available
Vendor-Crocoblock
Product-JetEngine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-49939
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.06%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetElements For Elementor plugin <= 2.7.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows Stored XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.8.

Action-Not Available
Vendor-Crocoblock
Product-JetElements For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-49930
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.07% / 22.19%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetSearch plugin <= 3.5.10 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows Reflected XSS.This issue affects JetSearch: from n/a through <= 3.5.10.

Action-Not Available
Vendor-Crocoblock
Product-JetSearch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-49928
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.06%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetWooBuilder plugin <= 2.1.20 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows DOM-Based XSS.This issue affects JetWooBuilder: from n/a through <= 2.1.20.

Action-Not Available
Vendor-Crocoblock
Product-JetWooBuilder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-49932
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.06%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetBlog plugin <= 2.4.4.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlog jet-blog allows Stored XSS.This issue affects JetBlog: from n/a through <= 2.4.4.1.

Action-Not Available
Vendor-Crocoblock
Product-JetBlog
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-49933
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.06%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetBlog plugin <= 2.4.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlog jet-blog allows Reflected XSS.This issue affects JetBlog: from n/a through <= 2.4.4.

Action-Not Available
Vendor-Crocoblock
Product-JetBlog
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-49934
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.06%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetBlocks For Elementor plugin <= 1.3.18 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Stored XSS.This issue affects JetBlocks For Elementor: from n/a through <= 1.3.18.

Action-Not Available
Vendor-Crocoblock
Product-JetBlocks For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-30963
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 42.36%
||
7 Day CHG+0.06%
Published-31 Mar, 2025 | 10:47
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetSmartFilters plugin <= 3.6.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSmartFilters jet-smart-filters allows DOM-Based XSS.This issue affects JetSmartFilters: from n/a through <= 3.6.3.

Action-Not Available
Vendor-Crocoblock
Product-JetSmartFilters
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4943
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 41.96%
||
7 Day CHG~0.00%
Published-21 May, 2024 | 02:32
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Blocksy <= 2.0.46 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘has_field_link_rel’ parameter in all versions up to, and including, 2.0.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-creativethemescreativethemeshq
Product-blocksyBlocksy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4983
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.42% / 62.05%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 08:34
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.6.0- Authenticated (Contributor+) Stored Cross-Site Scripting

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘video_color’ parameter in all versions up to, and including, 5.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-posimythposimyththemes
Product-the_plus_addons_for_elementorThe Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4980
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.36% / 58.34%
||
7 Day CHG~0.00%
Published-22 May, 2024 | 04:30
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPKoi Templates for Elementor <= 2.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters

The WPKoi Templates for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'id', 'mixColor', 'backgroundColor', 'saveInCookies', and 'autoMatchOsTheme' parameters in all versions up to, and including, 2.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpkoithemes
Product-WPKoi Templates for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4891
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.40% / 61.10%
||
7 Day CHG~0.00%
Published-18 May, 2024 | 04:30
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.5.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tagName’ parameter in versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocksGutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-49791
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.4||MEDIUM
EPSS-0.14% / 33.02%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 23:26
Updated-22 Feb, 2025 | 22:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM ApplinX Cross-Site Scripting

IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-IBM Corporation
Product-applinxApplinX
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-49339
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.4||MEDIUM
EPSS-0.14% / 33.88%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 16:13
Updated-13 Aug, 2025 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Financial Transaction Manager cross-site scripting

IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.1 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-Linux Kernel Organization, IncIBM Corporation
Product-linux_kernellinux_on_ibm_zaixfinancial_transaction_manager_for_multiplatformFinancial Transaction Manager for SWIFT Services for Multiplatforms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4984
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.47% / 64.95%
||
7 Day CHG~0.00%
Published-16 May, 2024 | 02:02
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Yoast SEO <= 22.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-yoast
Product-Yoast SEO – Advanced SEO with real-time guidance and built-in AI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4892
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.53% / 67.63%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 01:55
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BuddyPress <= 12.4.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ parameter in versions up to, and including, 12.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-buddypressbuddypress
Product-buddypressBuddyPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4971
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.63% / 70.42%
||
7 Day CHG~0.00%
Published-22 May, 2024 | 05:32
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin <= 4.2.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.2.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-learnpressLearnPress – WordPress LMS Plugin for Create and Sell Online Courseslearnpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-37018
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 13.09%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 14:28
Updated-05 Mar, 2026 | 01:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GOautodial 4.0 - Persistent Cross-Site Scripting

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedded JavaScript that will execute when an administrator reads the message, potentially stealing session cookies or executing client-side attacks.

Action-Not Available
Vendor-Goautodial
Product-GOautodial
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 57
  • 58
  • Next
Details not found