ByteOS Network

Vulnerability Details :

CVE-2025-24657

Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3

Published At-24 Jan, 2025 | 17:24

Updated At-24 Jan, 2025 | 18:57

WordPress Wishlist for WooCommerce plugin <=2.1.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebToffee Wishlist for WooCommerce allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through 2.1.2.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Patchstack

Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3

Published At:24 Jan, 2025 | 17:24

Updated At:24 Jan, 2025 | 18:57

▼CVE Numbering Authority (CNA)

WordPress Wishlist for WooCommerce plugin <=2.1.2 - Cross Site Scripting (XSS) vulnerability

Affected Products

Vendor

WebToffee

Product

Wishlist for WooCommerce

Collection URL

https://wordpress.org/plugins

Package Name

wt-woocommerce-wishlist

Default Status

unaffected

Versions

Affected

From n/a through 2.1.2 (custom)
- -> unaffectedfrom2.1.3

Problem Types

Type	CWE ID	Description
CWE	CWE-79	CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Type: CWE

CWE ID: CWE-79

Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics

Version	Base score	Base severity	Vector
3.1	5.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Version: 3.1

Base score: 5.9

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Impacts

CAPEC ID	Description
CAPEC-592	CAPEC-592 Stored XSS

CAPEC ID: CAPEC-592

Description: CAPEC-592 Stored XSS

Solutions

Update the WordPress Wishlist for WooCommerce wordpress plugin to the latest available version (at least 2.1.3).

Credits

finder

b4orvn (Patchstack Alliance)

References

Hyperlink	Resource
https://patchstack.com/database/wordpress/plugin/wt-woocommerce-wishlist/vulnerability/wordpress-wishlist-for-woocommerce-plugin-2-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve	vdb-entry

Hyperlink: https://patchstack.com/database/wordpress/plugin/wt-woocommerce-wishlist/vulnerability/wordpress-wishlist-for-woocommerce-plugin-2-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve

Resource:

vdb-entry

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:audit@patchstack.com

Published At:24 Jan, 2025 | 18:15

Updated At:24 Jan, 2025 | 18:15

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Type: Secondary

Version: 3.1

Base score: 5.9

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	audit@patchstack.com

CWE ID: CWE-79

Type: Primary

Source: audit@patchstack.com

References

Hyperlink	Source	Resource
https://patchstack.com/database/wordpress/plugin/wt-woocommerce-wishlist/vulnerability/wordpress-wishlist-for-woocommerce-plugin-2-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve	audit@patchstack.com	N/A

Hyperlink: https://patchstack.com/database/wordpress/plugin/wt-woocommerce-wishlist/vulnerability/wordpress-wishlist-for-woocommerce-plugin-2-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve

Source: audit@patchstack.com

Resource: N/A

Similar CVEs

1205Records found

CVE-2023-41734

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-02 Oct, 2023 | 07:54

Updated-20 Sep, 2024 | 15:17

WordPress Insert Estimated Reading Time Plugin <= 1.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in nigauri Insert Estimated Reading Time plugin <= 1.2 versions.

Vendor-nigauri nigauri

Product-insert_estimated_reading_time Insert Estimated Reading Time

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41655

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-29 Sep, 2023 | 13:24

Updated-20 Sep, 2024 | 16:01

WordPress authLdap Plugin <= 2.5.9 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Andreas Heigl authLdap plugin <= 2.5.9 versions.

Vendor-andreas.heigl Andreas Heigl

Product-authldap authLdap

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41661

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.08% / 23.72%

7 Day CHG~0.00%

Published-29 Sep, 2023 | 13:36

Updated-02 Aug, 2024 | 19:01

WordPress Smarty for WordPress Plugin <= 3.1.35 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <= 3.1.35 versions.

Vendor-smarty PressPage Entertainment Inc.

Product-smarty Smarty for WordPress

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2026-25343

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.03% / 9.44%

7 Day CHG~0.00%

Published-19 Feb, 2026 | 08:26

Updated-20 Feb, 2026 | 17:25

WordPress WP SMS plugin <= 7.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS wp-sms allows DOM-Based XSS.This issue affects WP SMS: from n/a through <= 7.1.

Vendor-VeronaLabs

Product-WP SMS

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-52489

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.05% / 15.53%

7 Day CHG~0.00%

Published-02 Dec, 2024 | 13:48

Updated-02 Dec, 2024 | 15:40

WordPress Add Chat App Button plugin <= 2.1.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Udi Dollberg Add Chat App Button allows Stored XSS.This issue affects Add Chat App Button: from n/a through 2.1.5.

Vendor-Udi Dollberg

Product-Add Chat App Button

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41800

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-02 Oct, 2023 | 08:24

Updated-20 Sep, 2024 | 15:22

WordPress UniConsent Cookie Consent CMP for GDPR / CCPA Plugin <= 1.4.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in UniConsent UniConsent CMP for GDPR CPRA GPP TCF plugin <= 1.4.2 versions.

Vendor-uniconsent UniConsent

Product-cmp_for_gdpr_cpra_gpp_tcf UniConsent CMP for GDPR CPRA GPP TCF

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41948

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-25 Sep, 2023 | 00:36

Updated-24 Sep, 2024 | 14:22

WordPress Cookie Notice & Consent Plugin <= 1.6.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Christoph Rado Cookie Notice & Consent plugin <= 1.6.0 versions.

Vendor-christophrado Christoph Rado

Product-cookie_notice_\&_consent Cookie Notice & Consent

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41657

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-29 Sep, 2023 | 13:29

Updated-20 Sep, 2024 | 16:01

WordPress HollerBox Plugin <= 2.3.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Groundhogg Inc. HollerBox plugin <= 2.3.2 versions.

Vendor-Groundhogg (Groundhogg Inc.)

Product-hollerbox HollerBox

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41736

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-02 Oct, 2023 | 08:00

Updated-20 Sep, 2024 | 15:20

WordPress Email posts to subscribers Plugin <= 6.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Email posts to subscribers plugin <= 6.2 versions.

Vendor-gopiplus Gopi Ramasamy

Product-email_posts_to_subscribers Email posts to subscribers

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41731

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-02 Oct, 2023 | 07:43

Updated-02 Aug, 2024 | 19:01

WordPress wordpress publish post email notification Plugin <= 1.0.2.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution WordPress publish post email notification plugin <= 1.0.2.2 versions.

Vendor-i13websolution I Thirteen Web Solution

Product-wordpress_publish_post_email_notification WordPress publish post email notification

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40681

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-31 Oct, 2023 | 09:48

Updated-06 Sep, 2024 | 15:25

WordPress Groundhogg Plugin <= 2.7.11.10 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Groundhogg Inc. Groundhogg plugin <= 2.7.11.10 versions.

Vendor-Groundhogg (Groundhogg Inc.)

Product-groundhogg Groundhogg

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41241

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.14% / 33.32%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 12:32

Updated-02 Aug, 2024 | 18:54

WordPress SureCart Plugin <= 2.5.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SureCart WordPress Ecommerce For Creating Fast Online Stores plugin <= 2.5.0 versions.

Vendor-surecart SureCart

Product-surecart WordPress Ecommerce For Creating Fast Online Stores

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40676

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 30.49%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 06:45

Updated-23 Sep, 2024 | 12:53

WordPress Slimstat Analytics Plugin <= 5.0.8 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics plugin <= 5.0.8 versions.

Vendor-wp-slimstat Jason Crouse, VeronaLabs

Product-slimstat_analytics Slimstat Analytics

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40665

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.14% / 33.32%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 06:24

Updated-23 Sep, 2024 | 13:28

WordPress Save as Image plugin by Pdfcrowd Plugin <= 2.16.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Pdfcrowd Save as Image plugin by Pdfcrowd plugin <= 2.16.0 versions.

Vendor-pdfcrowd Pdfcrowd

Product-save_as_image Save as Image plugin by Pdfcrowd

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41136

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.14% / 33.32%

7 Day CHG~0.00%

Published-30 Nov, 2023 | 12:13

Updated-02 Aug, 2024 | 18:54

WordPress Simple Long Form Plugin <= 2.2.2 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Laurence/OhMyBox.Info Simple Long Form allows Stored XSS.This issue affects Simple Long Form: from n/a through 2.2.2.

Vendor-ohmybox Laurence/OhMyBox.info

Product-simple_long_form Simple Long Form

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40552

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 30.49%

7 Day CHG~0.00%

Published-06 Sep, 2023 | 08:11

Updated-24 Sep, 2024 | 18:49

WordPress Fitness calculators plugin Plugin <= 2.0.7 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gurcharan Singh Fitness calculators plugin plugin <= 2.0.7 versions.

Vendor-codeinitiator Gurcharan Singh

Product-fitness_calculators_plugin Fitness calculators plugin

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40604

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 30.49%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 05:18

Updated-23 Sep, 2024 | 13:29

WordPress Cookies by JM Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jes Madsen Cookies by JM plugin <= 1.0 versions.

Vendor-jesmadsen Jes Madsen

Product-cookies_by_jm Cookies by JM

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2026-25362

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.03% / 9.44%

7 Day CHG~0.00%

Published-19 Feb, 2026 | 08:26

Updated-20 Feb, 2026 | 17:25

WordPress FooGallery plugin <= 3.1.11 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FooPlugins FooGallery foogallery allows Stored XSS.This issue affects FooGallery: from n/a through <= 3.1.11.

Vendor-FooPlugins

Product-FooGallery

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2026-24614

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.04% / 10.49%

7 Day CHG~0.00%

Published-23 Jan, 2026 | 14:29

Updated-26 Jan, 2026 | 15:03

WordPress Flex QR Code Generator plugin <= 1.2.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Devsbrain Flex QR Code Generator flex-qr-code-generator allows DOM-Based XSS.This issue affects Flex QR Code Generator: from n/a through <= 1.2.8.

Vendor-Devsbrain

Product-Flex QR Code Generator

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40677

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.14% / 33.32%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 07:25

Updated-23 Sep, 2024 | 12:52

WordPress Vertical Marquee Plugin Plugin <= 7.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Vertical marquee plugin <= 7.1 versions.

Vendor-gopiplus Gopi Ramasamy

Product-vertical_marquee Vertical marquee plugin

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40668

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 31.43%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 06:31

Updated-23 Sep, 2024 | 12:54

WordPress Save as PDF plugin by Pdfcrowd Plugin <= 2.16.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Pdfcrowd Save as PDF plugin by Pdfcrowd plugin <= 2.16.0 versions.

Vendor-pdfcrowd Pdfcrowd

Product-save_as_pdf Save as PDF plugin by Pdfcrowd

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41128

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.14% / 33.32%

7 Day CHG~0.00%

Published-30 Nov, 2023 | 12:16

Updated-05 Jun, 2025 | 13:22

WordPress WP Roadmap Plugin <= 1.0.8 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Iqonic Design WP Roadmap – Product Feedback Board allows Stored XSS.This issue affects WP Roadmap – Product Feedback Board: from n/a through 1.0.8.

Vendor-iqonic Iqonic Design

Product-wp_roadmap WP Roadmap – Product Feedback Board

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40560

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 30.49%

7 Day CHG~0.00%

Published-06 Sep, 2023 | 08:08

Updated-24 Sep, 2024 | 18:50

WordPress Schedule Posts Calendar Plugin <= 5.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Greg Ross Schedule Posts Calendar plugin <= 5.2 versions.

Vendor-toolstack Greg Ross

Product-schedule_posts_calendar Schedule Posts Calendar

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40680

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.13% / 32.85%

7 Day CHG-0.03%

Published-30 Nov, 2023 | 12:21

Updated-01 Oct, 2024 | 15:48

WordPress Yoast SEO Plugin <= 21.0 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Team Yoast Yoast SEO allows Stored XSS.This issue affects Yoast SEO: from n/a through 21.0.

Vendor-yoast Team Yoast

Product-yoast_seo Yoast SEO

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2026-24938

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.03% / 9.44%

7 Day CHG~0.00%

Published-03 Feb, 2026 | 14:08

Updated-03 Feb, 2026 | 16:44

WordPress Better Search plugin <= 4.2.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS.This issue affects Better Search: from n/a through <= 4.2.1.

Vendor-Ajay

Product-Better Search

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41242

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 31.43%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 12:36

Updated-20 Sep, 2024 | 19:55

WordPress Snap Pixel Plugin <= 1.5.7 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Hassan Ali Snap Pixel plugin <= 1.5.7 versions.

Vendor-creativehassan Hassan Ali

Product-snap_pixel Snap Pixel

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2026-24584

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.01% / 1.56%

7 Day CHG~0.00%

Published-23 Jan, 2026 | 14:28

Updated-27 Jan, 2026 | 20:16

WordPress Tutor LMS BunnyNet Integration plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS.This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0.

Vendor-Themeum

Product-Tutor LMS BunnyNet Integration

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2026-24632

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.04% / 10.49%

7 Day CHG~0.00%

Published-23 Jan, 2026 | 14:29

Updated-26 Jan, 2026 | 15:03

WordPress Delay Redirects plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jagdish1o1 Delay Redirects delay-redirects allows DOM-Based XSS.This issue affects Delay Redirects: from n/a through <= 1.0.0.

Vendor-jagdish1o1

Product-Delay Redirects

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40675

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 31.43%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 07:22

Updated-23 Sep, 2024 | 12:52

WordPress Landing Page Builder Plugin <= 1.5.1.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PluginOps Landing Page Builder plugin <= 1.5.1.2 versions.

Vendor-pluginops PluginOps

Product-landing_page_builder Landing Page Builder

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41127

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.14% / 33.32%

7 Day CHG~0.00%

Published-30 Nov, 2023 | 12:19

Updated-02 Aug, 2024 | 18:54

WordPress Evergreen Content Poster Plugin <= 1.3.6.1 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Evergreen Content Poster Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media allows Stored XSS.This issue affects Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media: from n/a through 1.3.6.1.

Vendor-evergreencontentposter Evergreen Content Poster

Product-evergreen_content_poster Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40007

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 30.49%

7 Day CHG~0.00%

Published-06 Sep, 2023 | 08:29

Updated-24 Sep, 2024 | 18:48

WordPress CT Commerce Plugin <= 2.0.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ujwol Bastakoti CT Commerce plugin <= 2.0.1 versions.

Vendor-ujwolbastakoti Ujwol Bastakoti

Product-ct_commerce CT Commerce

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2026-24392

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.03% / 9.44%

7 Day CHG~0.00%

Published-19 Feb, 2026 | 08:26

Updated-19 Feb, 2026 | 22:16

WordPress HurryTimer plugin <= 2.14.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through <= 2.14.2.

Vendor-Nabil Lemsieh

Product-HurryTimer

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2026-24629

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.04% / 10.49%

7 Day CHG~0.00%

Published-23 Jan, 2026 | 14:29

Updated-26 Jan, 2026 | 15:03

WordPress Web Accessibility with Max Access plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Stored XSS.This issue affects Web Accessibility with Max Access: from n/a through <= 2.1.0.

Vendor-Ability, Inc

Product-Web Accessibility with Max Access

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39987

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-04 Sep, 2023 | 10:09

Updated-24 Sep, 2024 | 18:52

WordPress wSecure Lite Plugin <= 2.5 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ajay Lulia wSecure Lite plugin <= 2.5 versions.

Vendor-JoomlaServiceProvider

Product-wsecure wSecure Lite

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40206

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-04 Sep, 2023 | 10:43

Updated-19 Feb, 2025 | 21:24

WordPress WP 404 Auto Redirect to Similar Post Plugin <= 1.0.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in hwk-fr WP 404 Auto Redirect to Similar Post plugin <= 1.0.3 versions.

Vendor-hwk hwk-fr

Product-wp_404_auto_redirect_to_similar_post WP 404 Auto Redirect to Similar Post

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40329

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 30.49%

7 Day CHG~0.00%

Published-06 Sep, 2023 | 08:24

Updated-24 Sep, 2024 | 18:49

WordPress Custom Admin Login Page | WPZest Plugin <= 1.2.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPZest Custom Admin Login Page | WPZest plugin <= 1.2.0 versions.

Vendor-wpzest WPZest

Product-custom_admin_login_page_\|_wpzest_plugin Custom Admin Login Page | WPZest

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39921

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.14% / 33.32%

7 Day CHG~0.00%

Published-30 Nov, 2023 | 15:47

Updated-02 Aug, 2024 | 18:18

WordPress Molongui Plugin <= 4.6.19 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Molongui Author Box, Guest Author and Co-Authors for Your Posts – Molongui allows Stored XSS.This issue affects Author Box, Guest Author and Co-Authors for Your Posts – Molongui: from n/a through 4.6.19.

Vendor-amitzy Molongui

Product-molongui Author Box, Guest Author and Co-Authors for Your Posts – Molongui

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39924

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.13% / 32.05%

7 Day CHG~0.00%

Published-24 Oct, 2023 | 11:51

Updated-09 Sep, 2024 | 14:45

WordPress Simple File List Plugin <= 6.1.9 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.

Vendor-simplefilelist Mitchell Bennis

Product-simple_file_list Simple File List

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40328

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 30.49%

7 Day CHG~0.00%

Published-06 Sep, 2023 | 08:26

Updated-24 Sep, 2024 | 18:49

WordPress Carrot Plugin <= 1.1.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Carrrot plugin <= 1.1.0 versions.

Vendor-carrrot Carrrot

Product-carrrot Carrrot

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39919

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 19.49%

7 Day CHG~0.00%

Published-04 Sep, 2023 | 10:01

Updated-24 Sep, 2024 | 18:52

WordPress wpShopGermany – Protected Shops Plugin <= 2.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in maennchen1.De wpShopGermany – Protected Shops plugin <= 2.0 versions.

Vendor-maennchen1 maennchen1.de

Product-wpshopgermany_-_protected_shops wpShopGermany – Protected Shops

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-51663

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 30.49%

7 Day CHG~0.00%

Published-09 Nov, 2024 | 13:11

Updated-18 Nov, 2024 | 16:54

WordPress Bricksable for Bricks Builder plugin <= 1.6.59 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bricksable Bricksable for Bricks Builder allows Stored XSS.This issue affects Bricksable for Bricks Builder: from n/a through 1.6.59.

Vendor-bricksable Bricksable

Product-bricksable_for_bricks_builder Bricksable for Bricks Builder

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-52491

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.05% / 15.53%

7 Day CHG~0.00%

Published-02 Dec, 2024 | 13:48

Updated-02 Dec, 2024 | 15:40

WordPress Sticky Social Icons plugin <= 1.2.1 - Stored Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sanil Shakya Sticky Social Icons allows Stored XSS.This issue affects Sticky Social Icons: from n/a through 1.2.1.

Vendor-Sanil Shakya

Product-Sticky Social Icons

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-52494

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.05% / 15.53%

7 Day CHG~0.00%

Published-02 Dec, 2024 | 13:48

Updated-02 Dec, 2024 | 15:40

WordPress Dynamic To Top plugin <= 3.5.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt Varone, Tim Berneman Dynamic "To Top" allows Stored XSS.This issue affects Dynamic "To Top": from 3.5.2 through n/a.

Vendor-Matt Varone, Tim Berneman

Product-Dynamic "To Top"

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-37986

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-01 Sep, 2023 | 11:09

Updated-24 Sep, 2024 | 19:07

WordPress YourMembership Single Sign On Plugin <= 1.1.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in miniOrange YourMembership Single Sign On – YM SSO Login plugin <= 1.1.3 versions.

Vendor-minorange miniOrange

Product-wordpress_yourmembership_single_sign-on YourMembership Single Sign On – YM SSO Login

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-38397

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 19.63%

7 Day CHG~0.00%

Published-10 Aug, 2023 | 13:19

Updated-25 Sep, 2024 | 16:44

WordPress Gestion-Pymes Plugin <= 1.5.6 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Eggemplo Gestion-Pymes plugin <= 1.5.6 versions.

Vendor-eggemplo Eggemplo

Product-gestion-pymes Gestion-Pymes

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-50516

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.10% / 28.02%

7 Day CHG~0.00%

Published-19 Nov, 2024 | 16:32

Updated-19 Nov, 2024 | 21:57

WordPress Countdown & Clock plugin <= 2.8.0.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adam Skaat Countdown & Clock allows Stored XSS.This issue affects Countdown & Clock: from n/a through 2.8.0.9.

Vendor-Adam Skaat (Edmonsoft)

Product-Countdown & Clock

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-50430

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.12% / 31.43%

7 Day CHG~0.00%

Published-19 Nov, 2024 | 18:39

Updated-31 Jan, 2025 | 16:49

WordPress Beaver Builder plugin <= 2.8.3.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Beaver Builder Team Beaver Builder allows Stored XSS.This issue affects Beaver Builder: from n/a through 2.8.3.7.

Vendor-fastlinemedia The Beaver Builder Team

Product-beaver_builder Beaver Builder

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-50460

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.08% / 23.27%

7 Day CHG~0.00%

Published-28 Oct, 2024 | 17:50

Updated-13 Nov, 2024 | 19:46

WordPress Firelight Lightbox plugin <= 2.3.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in FirelightWP Firelight Lightbox allows Stored XSS.This issue affects Firelight Lightbox: from n/a through 2.3.3.

Vendor-firelightwp FirelightWP

Product-firelight_lightbox Firelight Lightbox

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-38517

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 17.96%

7 Day CHG~0.00%

Published-03 Sep, 2023 | 11:20

Updated-24 Sep, 2024 | 18:57

WordPress WRC Pricing Tables Plugin <= 2.3.7 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Realwebcare WRC Pricing Tables plugin <= 2.3.7 versions.

Vendor-realwebcare Realwebcare

Product-wrc_pricing_tables WRC Pricing Tables

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-37980

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.06% / 19.65%

7 Day CHG~0.00%

Published-27 Jul, 2023 | 13:59

Updated-19 Feb, 2025 | 21:27

WordPress Custom Field For WP Job Manager Plugin <= 1.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gravity Master Custom Field For WP Job Manager plugin <= 1.1 versions.

Vendor-custom_field_for_wp_job_manager_project Gravity Master

Product-custom_field_for_wp_job_manager Custom Field For WP Job Manager

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-24657

Credits

WordPress Wishlist for WooCommerce plugin <=2.1.2 - Cross Site Scripting (XSS) vulnerability

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs