Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-58674

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-23 Sep, 2025 | 18:47
Updated At-28 Apr, 2026 | 16:13
Rejected At-
Credits

WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:23 Sep, 2025 | 18:47
Updated At:28 Apr, 2026 | 16:13
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.

Affected Products
Vendor
WordPress.orgWordPress
Product
WordPress
Repo
https://github.com/WordPress/WordPress
Default Status
unaffected
Versions
Affected
  • From 6.8 through 6.8.2 (custom)
    • -> unaffectedfrom6.8.3
  • From 6.7 through 6.7.3 (custom)
    • -> unaffectedfrom6.7.4
  • From 6.6 through 6.6.3 (custom)
    • -> unaffectedfrom6.6.4
  • From 6.5 through 6.5.6 (custom)
    • -> unaffectedfrom6.5.7
  • From 6.4 through 6.4.6 (custom)
    • -> unaffectedfrom6.4.7
  • From 6.3 through 6.3.6 (custom)
    • -> unaffectedfrom6.3.7
  • From 6.2 through 6.2.7 (custom)
    • -> unaffectedfrom6.2.8
  • From 6.1 through 6.1.8 (custom)
    • -> unaffectedfrom6.1.9
  • From 6.0 through 6.0.10 (custom)
    • -> unaffectedfrom6.0.11
  • From 5.9 through 5.9.11 (custom)
    • -> unaffectedfrom5.9.12
  • From 5.8 through 5.8.11 (custom)
    • -> unaffectedfrom5.8.12
  • From 5.7 through 5.7.13 (custom)
    • -> unaffectedfrom5.7.14
  • From 5.6 through 5.6.15 (custom)
    • -> unaffectedfrom5.6.16
  • From 5.5 through 5.5.16 (custom)
    • -> unaffectedfrom5.5.17
  • From 5.4 through 5.4.17 (custom)
    • -> unaffectedfrom5.4.18
  • From 5.3 through 5.3.19 (custom)
    • -> unaffectedfrom5.3.20
  • From 5.2 through 5.2.22 (custom)
    • -> unaffectedfrom5.2.23
  • From 5.1 through 5.1.20 (custom)
    • -> unaffectedfrom5.1.21
  • From 5.0 through 5.0.23 (custom)
    • -> unaffectedfrom5.0.24
  • From 4.9 through 4.9.27 (custom)
    • -> unaffectedfrom4.9.28
  • From 4.8 through 4.8.26 (custom)
    • -> unaffectedfrom4.8.27
  • From 4.7 through 4.7.30 (custom)
    • -> unaffectedfrom4.7.31
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.15.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-592CAPEC-592 Stored XSS
CAPEC ID: CAPEC-592
Description: CAPEC-592 Stored XSS
Solutions

Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31.

Configurations
Workarounds
Exploits
Credits
finder
savphill (Patchstack Bug Bounty Program)
coordinator
John Blackbourn (WordPress core security team lead)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve
vdb-entry
https://wordpress.org/news/2025/09/wordpress-6-8-3-release/
release-notes
Hyperlink: https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve
Resource:
vdb-entry
Hyperlink: https://wordpress.org/news/2025/09/wordpress-6-8-3-release/
Resource:
release-notes
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:23 Sep, 2025 | 19:15
Updated At:23 Apr, 2026 | 15:33

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress WordPress wordpress allows Stored XSS.This issue affects WordPress: from n/a through <= 6.8.2.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondaryaudit@patchstack.com
CWE ID: CWE-79
Type: Secondary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/Wordpress/Wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/Wordpress/Wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1272Records found
CVE-2020-11030
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.4||MEDIUM
EPSS-1.04% / 77.62%
||
7 Day CHG~0.00%
Published-30 Apr, 2020 | 22:15
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site scripting (XSS) in Search block in WordPress

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Action-Not Available
Vendor-WordPressDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxWordPress
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-16781
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-3.49% / 87.71%
||
7 Day CHG~0.00%
Published-26 Dec, 2019 | 17:00
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored cross-site scripting (XSS) in WordPress block editor

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

Action-Not Available
Vendor-WordPressDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxWordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-16780
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-3.61% / 87.91%
||
7 Day CHG~0.00%
Published-26 Dec, 2019 | 16:50
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored cross-site scripting (XSS) in WordPress block editor

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

Action-Not Available
Vendor-WordPressDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxWordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-21662
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8||HIGH
EPSS-14.24% / 94.46%
||
7 Day CHG~0.00%
Published-06 Jan, 2022 | 23:05
Updated-23 Apr, 2025 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in WordPress

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

Action-Not Available
Vendor-WordPressWordPress.orgDebian GNU/Linux
Product-wordpressdebian_linuxwordpress-develop
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39201
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-0.50% / 65.97%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 21:35
Updated-04 Aug, 2024 | 01:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated cross-site scripting (XSS) in WordPress editor

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)

Action-Not Available
Vendor-WordPressDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxwordpress-develop
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39202
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-0.82% / 74.53%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 21:55
Updated-04 Aug, 2024 | 01:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress 5.8 beta: Stored Cross-Site Scripting (XSS) vulnerability in widget

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.

Action-Not Available
Vendor-WordPressWordPress.org
Product-wordpresswordpress-develop
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4046
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-6.85% / 91.46%
||
7 Day CHG~0.00%
Published-12 Jun, 2020 | 15:55
Updated-04 Aug, 2024 | 07:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated XSS through embed block in WordPress

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Action-Not Available
Vendor-WordPressDebian GNU/LinuxWordPress.orgFedora Project
Product-wordpressdebian_linuxfedorawordpress-develop
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4049
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-2.4||LOW
EPSS-5.89% / 90.68%
||
7 Day CHG~0.00%
Published-12 Jun, 2020 | 16:00
Updated-04 Aug, 2024 | 07:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated self-XSS via theme uploads in WordPress

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Action-Not Available
Vendor-WordPressDebian GNU/LinuxWordPress.orgFedora Project
Product-wordpressdebian_linuxfedorawordpress-develop
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11025
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-1.43% / 80.82%
||
7 Day CHG~0.00%
Published-30 Apr, 2020 | 22:10
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated cross-site scripting (XSS) in WordPress Customizer

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Action-Not Available
Vendor-WordPressDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxWordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11026
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-4.41% / 89.12%
||
7 Day CHG~0.00%
Published-30 Apr, 2020 | 22:15
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Specially crafted filenames in WordPress leading to XSS

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Action-Not Available
Vendor-WordPressDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxWordPress
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11029
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-2.65% / 85.92%
||
7 Day CHG~0.00%
Published-30 Apr, 2020 | 22:15
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site scripting in stats method (object cache) in WordPress

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Action-Not Available
Vendor-WordPressDebian GNU/LinuxWordPress.org
Product-debian_linuxwordpressWordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-42643
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.03% / 9.84%
||
7 Day CHG~0.00%
Published-29 Apr, 2026 | 10:40
Updated-12 May, 2026 | 11:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Widget plugin <= 4.4.11 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through <= 4.4.11.

Action-Not Available
Vendor-The Events Calendar (StellarWP)
Product-Image Widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25105
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.10%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 10:11
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pop Up Plugin <= 0.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in coffeestudios Pop Up popup-seo-optimized allows Stored XSS.This issue affects Pop Up: from n/a through <= 0.1.

Action-Not Available
Vendor-coffeestudios
Product-Pop Up
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25073
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.10%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 10:11
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy WP Tiles plugin <= 1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vasilis Triantafyllou Easy WP Tiles easy-wp-tiles allows Stored XSS.This issue affects Easy WP Tiles: from n/a through <= 1.

Action-Not Available
Vendor-Vasilis Triantafyllou
Product-Easy WP Tiles
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24634
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.21% / 43.63%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Orbisius Simple Notice plugin <= 1.1.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Svetoslav Marinov Orbisius Simple Notice orbisius-simple-notice allows Stored XSS.This issue affects Orbisius Simple Notice: from n/a through <= 1.1.3.

Action-Not Available
Vendor-Svetoslav Marinov
Product-Orbisius Simple Notice
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24658
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.32% / 54.88%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-12 May, 2026 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Auction Nudge – Your eBay on Your Site plugin <= 7.2.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Auction Nudge – Your eBay on Your Site auction-nudge allows Stored XSS.This issue affects Auction Nudge – Your eBay on Your Site: from n/a through <= 7.2.0.

Action-Not Available
Vendor-Joe
Product-Auction Nudge – Your eBay on Your Site
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24668
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.22% / 44.44%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PPOM for WooCommerce plugin <= 33.0.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Stored XSS.This issue affects PPOM for WooCommerce: from n/a through <= 33.0.8.

Action-Not Available
Vendor-Themeisle
Product-PPOM for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24722
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.09% / 25.30%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:25
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FAQ Builder AYS Plugin <= 1.7.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro FAQ Builder AYS faq-builder-ays allows Stored XSS.This issue affects FAQ Builder AYS: from n/a through <= 1.7.3.

Action-Not Available
Vendor-AYS Pro Extensions
Product-FAQ Builder AYS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24674
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.91%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ShMapper by Teplitsa Plugin <= 1.5.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Denis Cherniatev ShMapper by Teplitsa shmapper-by-teplitsa allows Stored XSS.This issue affects ShMapper by Teplitsa: from n/a through <= 1.5.0.

Action-Not Available
Vendor-Denis Cherniatev
Product-ShMapper by Teplitsa
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23878
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.33% / 55.63%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 20:07
Updated-12 May, 2026 | 23:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post-to-Post Links plugin <= 4.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Reilly Post-to-Post Links easy-post-to-post-links allows Stored XSS.This issue affects Post-to-Post Links: from n/a through <= 4.2.

Action-Not Available
Vendor-Scott Reilly
Product-Post-to-Post Links
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23854
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.33% / 55.63%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 20:07
Updated-11 May, 2026 | 22:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com plugin <= 3.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yesstreamingdev Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com shoutcast-and-icecast-html5-web-radio-player-by-yesstreaming-com allows Stored XSS.This issue affects Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com: from n/a through <= 3.3.

Action-Not Available
Vendor-yesstreamingdev
Product-Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22578
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.14% / 34.30%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 14:57
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Cookie plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aazztech WP Cookie wp-cookie allows Stored XSS.This issue affects WP Cookie: from n/a through <= 1.0.0.

Action-Not Available
Vendor-aazztech
Product-WP Cookie
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22640
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.09% / 25.55%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 15:12
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Paytm Payment Donation Plugin <= 2.3.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in integrationdevpaytm Paytm Payment Donation paytm-donation allows Stored XSS.This issue affects Paytm Payment Donation: from n/a through <= 2.3.3.

Action-Not Available
Vendor-integrationdevpaytm
Product-Paytm Payment Donation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22579
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 32.02%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 14:57
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Header Notification plugin <= 1.2.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly WP Header Notification wp-header-notification allows Stored XSS.This issue affects WP Header Notification: from n/a through <= 1.2.7.

Action-Not Available
Vendor-Arefly
Product-WP Header Notification
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22496
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.09% / 25.16%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 15:32
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Notif Bell Plugin <= 0.9.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MarMar8x Notif Bell notif-bell allows Stored XSS.This issue affects Notif Bell: from n/a through <= 0.9.8.

Action-Not Available
Vendor-MarMar8x
Product-Notif Bell
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22788
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 32.02%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 15:23
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CoDesigner plugin <= 4.29 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codexpert, Inc CoDesigner woolementor allows Stored XSS.This issue affects CoDesigner: from n/a through <= 4.29.

Action-Not Available
Vendor-Codexpert, Inc
Product-CoDesigner
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39654
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-13 May, 2026 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Simple HTML Sitemap plugin <= 3.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS.This issue affects WP Simple HTML Sitemap: from n/a through <= 3.8.

Action-Not Available
Vendor-Ashish Ajani
Product-WP Simple HTML Sitemap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22738
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 22.78%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 15:23
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP ULike plugin <= 4.7.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alimir WP ULike wp-ulike allows Stored XSS.This issue affects WP ULike: from n/a through <= 4.7.6.

Action-Not Available
Vendor-wpulikeAlimir
Product-wp_ulikeWP ULike
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22316
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.07% / 20.67%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 10:48
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPBITS Addons For Elementor Page Builder plugin <= 1.5.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.5.1.

Action-Not Available
Vendor-wpbitswpbits
Product-wpbits_addons_for_elementor_page_builderWPBITS Addons For Elementor Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39604
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MyBookTable Bookstore plugin <= 3.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS.This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.

Action-Not Available
Vendor-zookatron
Product-MyBookTable Bookstore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-15363
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 06:00
Updated-18 Mar, 2026 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Get Use APIs < 2.0.10 - Contributor+ Stored XSS

The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.

Action-Not Available
Vendor-Unknown
Product-Get Use APIs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10105
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.04%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jobs for WordPress < 2.7.11 - Contributor+ Stored XSS

The Job Postings WordPress plugin before 2.7.11 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-blueglassUnknown
Product-jobs_for_wordpressJob Postings
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39693
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FSM Custom Featured Image Caption plugin <= 1.25.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.

Action-Not Available
Vendor-fesomia
Product-FSM Custom Featured Image Caption
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10104
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.24% / 46.51%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 06:00
Updated-11 Apr, 2025 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jobs for WordPress < 2.7.8 - Contributor+ Stored XSS

The Jobs for WordPress plugin before 2.7.8 does not sanitise and escape some of its Job settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-blueglassUnknown
Product-jobs_for_wordpressJobs for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39667
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Korea SNS plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.This issue affects Korea SNS: from n/a through <= 1.7.0.

Action-Not Available
Vendor-Jongmyoung Kim
Product-Korea SNS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39615
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download Manager plugin <= 3.3.53 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Download Manager download-manager allows Stored XSS.This issue affects Download Manager: from n/a through <= 3.3.53.

Action-Not Available
Vendor-Shahjada
Product-Download Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39638
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Qubely plugin <= 1.8.14 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14.

Action-Not Available
Vendor-Themeum
Product-Qubely
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13958
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.46%
||
7 Day CHG~0.00%
Published-29 Dec, 2025 | 06:00
Updated-29 Dec, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YaMaps < 0.6.40 - Contributor+ Stored XSS

The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-Unknown
Product-YaMaps for WordPress Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10309
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.32%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 06:00
Updated-11 May, 2025 | 23:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tracking Code Manager < 2.4.0 - Contributor+ Stored XSS

The Tracking Code Manager WordPress plugin before 2.4.0 does not sanitise and escape some of its metabox settings when outputing them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Action-Not Available
Vendor-data443Unknown
Product-tracking_code_managerTracking Code Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10076
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.17% / 37.81%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-04 Jun, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jetpack < 13.8, Boost < 3.4.8 - Contributor+ Stored XSS

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and above users to perform Stored XSS attacks

Action-Not Available
Vendor-UnknownAutomattic Inc.
Product-jetpack_boostjetpackJetpackJetpack Boost
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13031
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.02% / 6.51%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 06:00
Updated-12 Dec, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPeMatico RSS Feed Fetcher < 2.8.13 - Contributor+ Stored XSS

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-Unknown
Product-WPeMatico RSS Feed Fetcher
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39683
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Garden Gnome Package plugin <= 2.4.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.This issue affects Garden Gnome Package: from n/a through <= 2.4.1.

Action-Not Available
Vendor-Chief Gnome
Product-Garden Gnome Package
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39541
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hydra Booking plugin <= 1.1.38 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.38.

Action-Not Available
Vendor-Themefic
Product-Hydra Booking
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-49184
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.12% / 30.28%
||
7 Day CHG~0.00%
Published-15 Dec, 2023 | 14:56
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Parallax Slider Block Plugin <= 1.2.4 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Parallax Slider Block allows Stored XSS.This issue affects Parallax Slider Block: from n/a through 1.2.4.

Action-Not Available
Vendor-WPDeveloper
Product-parallax_slider_blockParallax Slider Block
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-40328
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 31.61%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 08:26
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Carrot Plugin <= 1.1.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Carrrot plugin <= 1.1.0 versions.

Action-Not Available
Vendor-carrrotCarrrot
Product-carrrotCarrrot
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-32351
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:41
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PowerPress Podcasting plugin <= 11.15.13 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blubrry PowerPress Podcasting powerpress allows Stored XSS.This issue affects PowerPress Podcasting: from n/a through <= 11.15.13.

Action-Not Available
Vendor-blubrry
Product-PowerPress Podcasting
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-27303
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.10%
||
7 Day CHG~0.00%
Published-24 Feb, 2025 | 14:48
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form 7 Star Rating plugin <= 1.10 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelogger Contact Form 7 Star Rating contact-form-7-star-rating allows Stored XSS.This issue affects Contact Form 7 Star Rating: from n/a through <= 1.10.

Action-Not Available
Vendor-themelogger
Product-Contact Form 7 Star Rating
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-32360
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:42
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Rich Showcase for Google Reviews plugin <= 6.9.4.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3.

Action-Not Available
Vendor-richplugins
Product-Rich Showcase for Google Reviews
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-32419
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:42
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress List category posts plugin <= 0.93.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Briano List category posts list-category-posts allows DOM-Based XSS.This issue affects List category posts: from n/a through <= 0.93.1.

Action-Not Available
Vendor-Fernando Briano
Product-List category posts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37980
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.34%
||
7 Day CHG~0.00%
Published-27 Jul, 2023 | 13:59
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Custom Field For WP Job Manager Plugin <= 1.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gravity Master Custom Field For WP Job Manager plugin <= 1.1 versions.

Action-Not Available
Vendor-custom_field_for_wp_job_manager_projectGravity Master
Product-custom_field_for_wp_job_managerCustom Field For WP Job Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 25
  • 26
  • Next
Details not found