Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-11358

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-18 Jun, 2026 | 05:34
Updated At-18 Jun, 2026 | 13:53
Rejected At-
Credits

Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:18 Jun, 2026 | 05:34
Updated At:18 Jun, 2026 | 13:53
Rejected At:
▼CVE Numbering Authority (CNA)
Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affected Products
Vendor
Themeislethemeisle
Product
Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
Default Status
unaffected
Versions
Affected
  • From 0 through 3.0.6 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.14.4MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 4.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Meher Sudhakar Abbireddi
Timeline
EventDate
Vendor Notified2026-06-05 11:50:11
Disclosed2026-06-17 16:48:45
Event: Vendor Notified
Date: 2026-06-05 11:50:11
Event: Disclosed
Date: 2026-06-17 16:48:45
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/beb1268c-b680-4ebe-8fe2-65f656390038?source=cve
N/A
https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L118
N/A
https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L296
N/A
https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L118
N/A
https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L296
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574306%40themeisle-companion&new=3574306%40themeisle-companion&sfp_email=&sfph_mail=
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/beb1268c-b680-4ebe-8fe2-65f656390038?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L118
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L296
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L118
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L296
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574306%40themeisle-companion&new=3574306%40themeisle-companion&sfp_email=&sfph_mail=
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:18 Jun, 2026 | 06:16
Updated At:18 Jun, 2026 | 15:23

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.4MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 4.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity@wordfence.com
CWE ID: CWE-79
Type: Secondary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L118security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L296security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L118security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L296security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574306%40themeisle-companion&new=3574306%40themeisle-companion&sfp_email=&sfph_mail=security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/beb1268c-b680-4ebe-8fe2-65f656390038?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L118
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L296
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L118
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L296
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574306%40themeisle-companion&new=3574306%40themeisle-companion&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/beb1268c-b680-4ebe-8fe2-65f656390038?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

313Records found
CVE-2024-2226
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.36% / 27.58%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 18:58
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the id parameter in the google-map block in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access and higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-otter_blocksOtter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4667
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.51% / 39.30%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 20:31
Updated-21 Apr, 2025 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RSS Aggregator by Feedzy < 4.1.1 - Contributor+ Stored XSS

The RSS Aggregator by Feedzy WordPress plugin before 4.1.1 does not validate and escape some of its block options before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Action-Not Available
Vendor-UnknownThemeisle
Product-rss_aggregator_by_feedzyRSS Aggregator by Feedzy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-46848
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.51% / 39.32%
||
7 Day CHG~0.00%
Published-28 Mar, 2023 | 07:50
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Visualizer Plugin <= 3.9.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Themeisle Visualizer: Tables and Charts Manager for WordPress plugin <= 3.9.1 versions.

Action-Not Available
Vendor-Themeisle
Product-visualizerVisualizer: Tables and Charts Manager for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2126
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.42% / 33.83%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.32 - Authenticated (Contributor+) Stored Cross-Site Scripiting via Registration Form Widget

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Registration Form widget in all versions up to, and including, 2.10.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1497
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.53% / 40.72%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via form widget addr2_width attribute

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form widget addr2_width attribute in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1499
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.53% / 40.72%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widget in the $settings['title_tags'] parameter in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1684
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.40% / 31.60%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Otter Blocks PRO <= 2.6.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via File Field CSS

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form file field CSS metabox in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ThemisleThemeisle
Product-otter_blocksOtter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3343
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.34% / 26.07%
||
7 Day CHG~0.00%
Published-11 Apr, 2024 | 11:03
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-otter_blocksOtter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1323
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.49% / 38.09%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 04:32
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Type Grid Widget Title in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13183
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.47% / 36.97%
||
7 Day CHG~0.00%
Published-10 Jan, 2025 | 07:21
Updated-08 Apr, 2026 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ parameter in all versions up to, and including, 2.10.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1065
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 15.35%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 05:22
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Visualizer: Tables and Charts Manager for WordPress <= 3.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Import Data From File

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Import Data From File feature in all versions up to, and including, 3.11.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-Visualizer: Tables and Charts Manager for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-0311
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.34% / 25.38%
||
7 Day CHG~0.00%
Published-10 Jan, 2025 | 06:43
Updated-08 Apr, 2026 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table widget in all versions up to, and including, 2.10.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-0508
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.53% / 40.36%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:22
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.27 - Authenticated(Contributor+) Stored Cross-site Scripting via Pricing Table Elementor Widget

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table Elementor Widget in all versions up to, and including, 2.10.27 due to insufficient input sanitization and output escaping on the user supplied link URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10367
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.35% / 26.34%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 11:01
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 3.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-Themeisle
Product-Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6801
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.32% / 23.12%
||
7 Day CHG~0.00%
Published-06 Jan, 2024 | 09:38
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 - Authenticated (Author+) Stored Cross-Site Scripting

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-rss_aggregator_by_feedzyRSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6781
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.40% / 32.07%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 08:32
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox Companion <= 2.10.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via custom fields

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 2.10.26 due to insufficient input sanitization and output escaping on user supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-7778
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.31% / 22.61%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 09:29
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.36 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.10.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-16931
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-3.34% / 87.09%
||
7 Day CHG~0.00%
Published-03 Oct, 2019 | 18:34
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPress allows an unauthenticated attacker to execute arbitrary JavaScript when an admin or other privileged user edits the chart via the admin dashboard. This occurs because classes/Visualizer/Gutenberg/Block.php registers wp-json/visualizer/v1/update-chart with no access control, and classes/Visualizer/Render/Page/Data.php lacks output sanitization.

Action-Not Available
Vendor-n/aThemeisle
Product-visualizern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4635
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.37% / 28.80%
||
7 Day CHG~0.00%
Published-16 May, 2024 | 05:33
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Menu Icons by ThemeIsle <= 0.13.13 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘add_mime_type’ function in versions up to, and including, 0.13.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-Menu Icons by ThemeIsle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1691
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 36.81%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Otter Blocks PRO <= 2.6.3 - Unauthenticated Stored Cross-Site Scripting via SVG Upload

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file upload form, which allows SVG uploads, in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that the patch in 2.6.4 allows SVG uploads but the uploaded SVG files are sanitized.

Action-Not Available
Vendor-ThemisleThemeisle
Product-otter_blocksOtter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24157
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.69% / 47.88%
||
7 Day CHG~0.00%
Published-05 Apr, 2021 | 18:27
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting

Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfiltered_html capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be malicious.

Action-Not Available
Vendor-UnknownThemeisle
Product-orbit_foxOrbit Fox by ThemeIsle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6877
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.35% / 26.98%
||
7 Day CHG~0.00%
Published-07 Apr, 2024 | 01:55
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Error Message

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.3.3 due to insufficient input sanitization and output escaping on the Content-Type field of error messages when retrieving an invalid RSS feed. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-rss_aggregator_by_feedzyRSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-1755
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.18% / 7.82%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 22:22
Updated-08 Apr, 2026 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Menu Icons by ThemeIsle <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting

The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-Menu Icons by ThemeIsle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-4887
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.34% / 26.28%
||
7 Day CHG~0.00%
Published-12 Sep, 2023 | 01:52
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Google Maps Plugin by Intergeo <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Google Maps Plugin by Intergeo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'intergeo' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-google_maps_plugin_by_intergeoGoogle Maps Plugin by Intergeo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2256
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.95% / 56.71%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 07:49
Updated-10 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Addons & Fields for WooCommerce < 32.0.7 - Reflected Cross-Site Scripting

The Product Addons & Fields for WooCommerce WordPress plugin before 32.0.7 does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting.

Action-Not Available
Vendor-UnknownThemeisle
Product-product_addons_\&_fields_for_woocommerceProduct Addons & Fields for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1839
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.46% / 36.47%
||
7 Day CHG-0.00%
Published-15 May, 2023 | 12:15
Updated-24 Jan, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Addons & Fields for WooCommerce < 32.0.6 - Admin+ Stored Cross-Site Scripting

The Product Addons & Fields for WooCommerce WordPress plugin before 32.0.6 does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

Action-Not Available
Vendor-UnknownThemeisle
Product-product_addons_\&_fields_for_woocommerceProduct Addons & Fields for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2841
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.34% / 25.70%
||
7 Day CHG~0.00%
Published-29 Mar, 2024 | 04:31
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping on user supplied attributes such as 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-otter_blocksOtter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22659
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 16.43%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 15:01
Updated-12 May, 2026 | 23:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Orbit Fox by ThemeIsle plugin <= 2.10.44 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle themeisle-companion allows Stored XSS.This issue affects Orbit Fox by ThemeIsle: from n/a through <= 2.10.44.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox by ThemeIsle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23708
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 33.68%
||
7 Day CHG~0.00%
Published-03 May, 2023 | 12:27
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Visualizer Plugin <= 3.9.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Themeisle Visualizer: Tables and Charts Manager for WordPress plugin <= 3.9.4 versions.

Action-Not Available
Vendor-Themeisle
Product-visualizerVisualizer: Tables and Charts Manager for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-1319
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.21% / 10.41%
||
7 Day CHG~0.00%
Published-05 Feb, 2026 | 08:25
Updated-08 Apr, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field

The Robin Image Optimizer – Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-Robin Image Optimizer – Unlimited Image Optimization & WebP Converter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9562
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.29% / 20.04%
||
7 Day CHG~0.00%
Published-18 Oct, 2025 | 06:42
Updated-08 Apr, 2026 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's qs_date shortcode in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-Redirection for Contact Form 7
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12045
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 9.77%
||
7 Day CHG~0.00%
Published-04 Nov, 2025 | 11:19
Updated-08 Apr, 2026 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3725
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.42% / 33.83%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titleTag'

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Grid widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'titleTag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-otter_blocksOtter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3344
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.32% / 23.64%
||
7 Day CHG~0.00%
Published-11 Apr, 2024 | 11:03
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.8 - Authenticated (Author+) Limited File Upload to Stored Cross-Site Scripting

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-otter_blocksOtter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2729
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 33.53%
||
7 Day CHG~0.00%
Published-18 Apr, 2024 | 05:00
Updated-08 May, 2025 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Otter Blocks < 2.6.6 - Contributor+ Stored XSS

The Otter Blocks WordPress plugin before 2.6.6 does not properly escape its mainHeadings blocks' attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks.

Action-Not Available
Vendor-UnknownThemeisle
Product-otter_blocksOtter Blocks otter_blocks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2484
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.39% / 30.23%
||
7 Day CHG~0.00%
Published-22 Jun, 2024 | 02:01
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via Services and Post Type Grid Widgets

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2956
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.33% / 24.61%
||
7 Day CHG~0.00%
Published-27 Mar, 2024 | 07:34
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Ajax Chat <= 20231101 - Authenticated (Admin+) Stored Cross-Site Scripting

The Simple Ajax Chat – Add a Fast, Secure Chat Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 20231101 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-specialk
Product-Simple Ajax Chat – Add a Fast, Secure Chat Box
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-8783
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.27% / 18.77%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 10:57
Updated-08 Apr, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Manager <= 8.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'title'

The Contact Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title’ parameter in all versions up to, and including, 8.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-kleor
Product-Contact Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-8080
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.23% / 13.82%
||
7 Day CHG~0.00%
Published-15 Aug, 2025 | 08:25
Updated-08 Apr, 2026 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alobaidi Captcha <= 1.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The Alobaidi Captcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-alobaidi
Product-Alobaidi Captcha
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-9594
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.20% / 10.01%
||
7 Day CHG-0.00%
Published-06 Jun, 2026 | 03:28
Updated-08 Jun, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps <= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter

The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen.

Action-Not Available
Vendor-flippercode
Product-WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-8490
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.18% / 7.37%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 23:22
Updated-08 Apr, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
All-in-One WP Migration and Backup <= 7.97 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Import in all versions up to, and including, 7.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-servmask
Product-All-in-One WP Migration and Backup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2324
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.32% / 23.66%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FileOrganizer and FileOrganizer Pro <= 1.0.6 - Authenticated Stored Cross-Site Scripting

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. For the free version, this is limited to administrators. The pro version is also vulnerable and exploitable by administrators, but also offers the functionality to lower level users (as low as subscribers) if enabled.

Action-Not Available
Vendor-fileorganizersoftaculous
Product-fileorganizerFileOrganizer – WordPress File Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8991
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.21% / 11.52%
||
7 Day CHG~0.00%
Published-06 Jun, 2026 | 02:28
Updated-08 Jun, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-glenwpcoder
Product-Drag and Drop Multiple File Upload for Contact Form 7
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7431
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.25% / 15.91%
||
7 Day CHG+0.01%
Published-18 Jul, 2025 | 01:44
Updated-08 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Knowledge Base <= 2.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Slug

The Knowledge Base plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin slug setting in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-ajay
Product-Knowledge Base
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7486
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.22% / 12.31%
||
7 Day CHG+0.01%
Published-21 Jul, 2025 | 22:21
Updated-08 Apr, 2026 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ebook Store <= 5.8012 - Authenticated (Administrator+) Stored Cross-Site Scripting via Order Details

The Ebook Store plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Order Details in all versions up to, and including, 5.8012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-motovnet
Product-Ebook Store
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14028
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.30% / 21.46%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 09:20
Updated-08 Apr, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Us Simple Form <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-bruterdregz
Product-Contact Us Simple Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1977
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.42% / 33.52%
||
7 Day CHG~0.00%
Published-29 Feb, 2024 | 05:32
Updated-16 Jan, 2025 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Restaurant Solutions – Checklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Checklist points in version 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-josephloprestefoucciano
Product-restaurant_solutions_-_checklistRestaurant Solutions – Checklist
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-6447
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.25% / 16.29%
||
7 Day CHG~0.00%
Published-02 May, 2026 | 05:29
Updated-05 May, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Call for Price for WooCommerce <= 4.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Call for Price' Label Settings

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-tychesoftwares
Product-Call for Price for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-6813
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.19% / 9.31%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 09:29
Updated-12 May, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Continually <= 4.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'continually_embed_code' Parameter

The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-continually
Product-Continually
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13748
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.21% / 11.37%
||
7 Day CHG~0.00%
Published-20 Feb, 2025 | 09:21
Updated-08 Apr, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Classified Listings <= 1.4 Authenticated (Administrator+) Stored Cross-Site Scripting via Title Parameter

The Ultimate Classified Listings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title parameter in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-webcodingplacewebcodingplace
Product-ultimate_classified_listingsUltimate Classified Listings
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 6
  • 7
  • Next
Details not found