Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-2383

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-27 Feb, 2026 | 08:24
Updated At-27 Feb, 2026 | 08:24
Rejected At-
Credits

Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:27 Feb, 2026 | 08:24
Updated At:27 Feb, 2026 | 08:24
Rejected At:
▼CVE Numbering Authority (CNA)
Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected Products
Vendor
mra13
Product
Simple Download Monitor
Default Status
unaffected
Versions
Affected
  • From * through 4.0.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Muhammad Yudha - DJ
Timeline
EventDate
Disclosed2026-02-26 19:24:24
Event: Disclosed
Date: 2026-02-26 19:24:24
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/556e41d1-2c98-4175-87ba-29689704c2f0?source=cve
N/A
https://plugins.trac.wordpress.org/browser/simple-download-monitor/tags/4.0.3/sdm-shortcodes.php#L543
N/A
https://plugins.trac.wordpress.org/browser/simple-download-monitor/trunk/sdm-shortcodes.php#L543
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464024%40simple-download-monitor%2Ftrunk&old=3430786%40simple-download-monitor%2Ftrunk&sfp_email=&sfph_mail=
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/556e41d1-2c98-4175-87ba-29689704c2f0?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/simple-download-monitor/tags/4.0.3/sdm-shortcodes.php#L543
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/simple-download-monitor/trunk/sdm-shortcodes.php#L543
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464024%40simple-download-monitor%2Ftrunk&old=3430786%40simple-download-monitor%2Ftrunk&sfp_email=&sfph_mail=
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:27 Feb, 2026 | 09:16
Updated At:27 Feb, 2026 | 14:06

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity@wordfence.com
CWE ID: CWE-79
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/simple-download-monitor/tags/4.0.3/sdm-shortcodes.php#L543security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/simple-download-monitor/trunk/sdm-shortcodes.php#L543security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464024%40simple-download-monitor%2Ftrunk&old=3430786%40simple-download-monitor%2Ftrunk&sfp_email=&sfph_mail=security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/556e41d1-2c98-4175-87ba-29689704c2f0?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/simple-download-monitor/tags/4.0.3/sdm-shortcodes.php#L543
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/simple-download-monitor/trunk/sdm-shortcodes.php#L543
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464024%40simple-download-monitor%2Ftrunk&old=3430786%40simple-download-monitor%2Ftrunk&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/556e41d1-2c98-4175-87ba-29689704c2f0?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2366Records found
CVE-2024-13805
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 15.30%
||
7 Day CHG~0.00%
Published-07 Mar, 2025 | 09:21
Updated-21 May, 2025 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced File Manager <= 5.2.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload

The Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.2.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-advancedfilemanagersaadiqbal
Product-advanced_file_managerAdvanced File Manager — Ultimate WordPress File Manager and Document Library Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13859
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 31.43%
||
7 Day CHG+0.08%
Published-02 May, 2025 | 06:41
Updated-09 May, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BuddyBoss Platform <= 2.8.50 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bp_nouveau_ajax_media_save' function

The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bp_nouveau_ajax_media_save’ function in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.

Action-Not Available
Vendor-BUDDYBOSS LLC
Product-buddyboss_platformBuddyboss Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1408
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 38.55%
||
7 Day CHG-0.07%
Published-20 Feb, 2024 | 18:56
Updated-22 Jan, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping on user supplied attributes such as 'type'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-properfractioncollizo4sky
Product-profilepressPaid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1413
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 45.56%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-22 Jan, 2025 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-exclusiveaddonstimstrifler
Product-exclusive_addons_for_elementorExclusive Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1767
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.90%
||
7 Day CHG~0.00%
Published-09 Mar, 2024 | 07:01
Updated-04 Feb, 2025 | 15:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes like 'className' and 'radius'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-creativethemescreativethemeshq
Product-blocksyBlocksy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1447
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 38.55%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-13 Feb, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aThemes Slider button element in all versions up to, and including, 1.25 due to insufficient input sanitization and output escaping on user supplied link. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Pop Goes The Pixel Ltd. (aThemes)
Product-sydney_toolboxSydney Toolbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13803
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 26.60%
||
7 Day CHG~0.00%
Published-26 Feb, 2025 | 07:01
Updated-10 Apr, 2025 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-marker’ parameter in all versions up to, and including, 5.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocksEssential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1428
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.13% / 32.08%
||
7 Day CHG~0.00%
Published-06 Apr, 2024 | 07:34
Updated-17 Jan, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘element_pack_wrapper_link’ attribute of the Trailer Box widget in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BdThemes
Product-element_packElement Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1392
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.28% / 51.01%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-17 Jan, 2025 | 19:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button1_icon' attribute of the Dual Button widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-webtechstreetwebtechstreetwebtechstreet
Product-elementor_addon_elementsElementor Addon Elementselementor_addon_elements
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1815
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 42.18%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 11:02
Updated-07 Feb, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spectra – WordPress Gutenberg Blocks <= 2.12.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Gallery Block

The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Gallery block in all versions up to, and including, 2.12.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Brainstorm Force
Product-spectraSpectra – WordPress Gutenberg Blocks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1723
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 45.36%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-13 Mar, 2025 | 00:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.58.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Affected parameters include: $instance['fonts']['title_options']['tag'], $headline_tag, $sub_headline_tag, $feature['icon'].

Action-Not Available
Vendor-siteorigingpriday
Product-siteorigin_widgets_bundleSiteOrigin Widgets Bundle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1841
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 41.52%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-28 May, 2025 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpbakerywpbakery
Product-page_builderWPBakery Visual Composer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1534
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.13% / 32.22%
||
7 Day CHG~0.00%
Published-07 Mar, 2024 | 09:33
Updated-21 Jan, 2025 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-boosterpluggabl
Product-booster_for_woocommerceBooster for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1458
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 45.56%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 18:59
Updated-26 Feb, 2025 | 18:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘text_alignment’ attribute of the Animated Text widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-livemeshelementorlivemesh
Product-addons_for_elementorElementor Addons by Livemesh
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1796
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 24.08%
||
7 Day CHG~0.00%
Published-15 Mar, 2024 | 06:48
Updated-07 Jul, 2025 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HUSKY – Products Filter for WooCommerce Professional plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'woof' shortcode in all versions up to, and including, 1.3.5.1 due to insufficient input sanitization and output escaping on user supplied attributes such as 'swoof_slug'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-husky_-_products_filter_professional_for_woocommerceHUSKY – Products Filter Professional for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1585
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 38.55%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-05 Mar, 2025 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpmetxpeedstudio
Product-metform_elementor_contact_form_builderMetform Elementor Contact Form Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1497
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 45.36%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-22 Jan, 2025 | 21:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form widget addr2_width attribute in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox by ThemeIsle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1814
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 42.18%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 11:02
Updated-07 Feb, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spectra – WordPress Gutenberg Blocks <= 2.12.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Block

The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Testimonial block in all versions up to, and including, 2.12.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Brainstorm Force
Product-spectraSpectra – WordPress Gutenberg Blocks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13227
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 31.01%
||
7 Day CHG-0.04%
Published-13 Feb, 2025 | 04:21
Updated-24 Feb, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.235 - Authenticated (Contributor+) Stored Cross-Site Scripting via Rank Math API

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Rank Math API in all versions up to, and including, 1.0.235 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-rankmathrankmath
Product-seoRank Math SEO – AI SEO Tools to Dominate SEO Rankings
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13396
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 30.89%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 02:24
Updated-31 Jan, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frictionless <= 0.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Frictionless plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'frictionless_form' shortcode[s] in all versions up to, and including, 0.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-spgajjar
Product-Frictionless
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13566
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.13% / 33.03%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 08:21
Updated-31 Jan, 2025 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP DataTable <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

The WP DataTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 0.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-samsk
Product-WP DataTable
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13581
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-21 Feb, 2025 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Charts <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'simple_chart' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-supporthostsupporthost
Product-simple_chartsSimple Charts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13577
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-21 Feb, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CATS Job Listings <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

The CATS Job Listings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catsone' shortcode in all versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-catsonecatssoft
Product-cats_job_listingsCATS Job Listings
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13470
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.11% / 29.76%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 07:23
Updated-04 Feb, 2025 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.8.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Saturday Drive, INC
Product-ninja_formsNinja Forms – The Contact Form Builder That Grows With You
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13402
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 12:47
Updated-24 May, 2025 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BuddyBoss Platform <= 2.7.70 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'link_title'

The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_title’ parameter in all versions up to, and including, 2.7.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BUDDYBOSS LLC
Product-buddyboss_platformBuddyboss Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13542
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 19.86%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 11:07
Updated-05 Feb, 2025 | 01:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpgsv' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-agenceseopagup
Product-wp_google_street_viewWP Google Street View (with 360° virtual tour) & Google maps + Local SEO
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12814
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 38.09%
||
7 Day CHG~0.00%
Published-24 Dec, 2024 | 06:59
Updated-24 Dec, 2024 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Loan Comparison <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Loan Comparison plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'loancomparison' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Aerin (Quick Plugins)
Product-Loan Comparison
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13455
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 11:09
Updated-25 Feb, 2025 | 03:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
igumbi Online Booking <= 1.40 - Authenticated (Contributor+) Stored Cross-Site Scripting

The igumbi Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'igumbi_calendar' shortcode in all versions up to, and including, 1.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-igumbismtm
Product-igumbiigumbi Online Booking
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13388
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 03:21
Updated-25 Feb, 2025 | 17:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TCBD Tooltip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The TCBD Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcbdtooltip_text' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-tcoderbdtcoder
Product-tcbd_tooltipTCBD Tooltip
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13564
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 26.60%
||
7 Day CHG~0.00%
Published-22 Feb, 2025 | 08:22
Updated-18 Mar, 2025 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rife Elementor Extensions & Templates <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode

The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Writing Effect Headline shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-apollo13apollo13themes
Product-rife_elementor_extensions_\&_templatesRife Elementor Extensions & Templates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13354
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 17.38%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 11:07
Updated-05 Feb, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tags in several widgets in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-CyberChimps Inc.
Product-responsive_addonsResponsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12852
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.90%
||
7 Day CHG-0.07%
Published-08 Jan, 2025 | 06:41
Updated-03 Apr, 2025 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Happy Addons for Elementor <= 3.15.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_cmc_text' parameter of the Happy Mouse Cursor in all versions up to, and including, 3.15.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-thehappymonsterweDevs Pte. Ltd.
Product-happy_addons_for_elementorHappy Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13573
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-24 Feb, 2025 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zigaform – Form Builder Lite <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Zigaform – Form Builder Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zgfm_rfvar' shortcode in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-softdiscoversoftdiscover
Product-zigaformZigaform – Form Builder Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13443
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 28.23%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 03:21
Updated-19 Feb, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easypromos Plugin <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Easypromos Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Easypromos shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-easypromosapp
Product-Easypromos Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12813
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-24 Feb, 2025 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Hours – Easy Opening Hours <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Open Hours – Easy Opening Hours plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'open-hours-current-status' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-pixelgradepixelgrade
Product-open_hoursOpen Hours – Easy Opening Hours
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13587
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-21 Feb, 2025 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zigaform – Price Calculator & Cost Estimation Form Builder Lite <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Zigaform – Price Calculator & Cost Estimation Form Builder Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zgfm_fvar' shortcode in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-softdiscoversoftdiscover
Product-zigaformZigaform – Price Calculator & Cost Estimation Form Builder Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13548
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 22.35%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-04 Feb, 2025 | 19:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Power Ups for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wppugdotrex
Product-power_ups_for_elementorPower Ups for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1396
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.15% / 36.35%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-29 May, 2025 | 13:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ parameter in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Depicter (Averta)
Product-shortcodes_and_extra_features_for_phlox_themeShortcodes and extra features for Phlox theme
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1349
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.56% / 68.02%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-31 Dec, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-WPDeveloper
Product-embedpressEmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1296
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 40.64%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-16 Jan, 2025 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block upload in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-brizythemefusecom
Product-brizyBrizy – Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13464
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-24 Feb, 2025 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Library Bookshelves <= 5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Library Bookshelves plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bookshelf' shortcode in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-photonicgnosticphotonicgnostic
Product-library_bookshelvesLibrary Bookshelves
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13391
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 40.86%
||
7 Day CHG+0.11%
Published-18 Jan, 2025 | 07:05
Updated-21 Jan, 2025 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet <= 2.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting

The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_content_upload_guest' shortcode in all versions up to, and including, 2.9.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-videowhisper
Product-MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13394
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.26% / 49.19%
||
7 Day CHG+0.09%
Published-15 Jan, 2025 | 05:24
Updated-15 Jan, 2025 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ViewMedica 9 <= 1.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

The ViewMedica 9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewmedica' shortcode in all versions up to, and including, 1.4.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-swarminteractive
Product-ViewMedica 9
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13599
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 22.35%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-04 Feb, 2025 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin <= 4.2.7.5 - Authenticated (LP Instructor+) Stored Cross-Site Scripting via Lesson Name

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated attackers, with LP Instructor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-learnpressLearnPress – WordPress LMS Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12819
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.26% / 49.19%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 11:11
Updated-09 Jan, 2025 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Searchie <= 1.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Searchie plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sio_embed_media' shortcode in all versions up to, and including, 1.17.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-searchie
Product-Searchie
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13323
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.26% / 49.19%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 05:24
Updated-12 Aug, 2025 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booking Calendar <= 10.9.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'booking' Shortcode

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'booking' shortcode in all versions up to, and including, 10.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-WP Booking Calendar
Product-wp_booking_calendarWP Booking Calendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13398
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 47.57%
||
7 Day CHG+0.15%
Published-17 Jan, 2025 | 04:30
Updated-12 Feb, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Checkout for PayPal <= 1.0.32 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Checkout for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'checkout_for_paypal' shortcode in all versions up to, and including, 1.0.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-naa986
Product-Checkout for PayPal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12809
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 30.50%
||
7 Day CHG~0.00%
Published-07 Mar, 2025 | 06:40
Updated-07 Mar, 2025 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wishlist <= 1.0.43 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wishlist_button' shortcode in all versions up to, and including, 1.0.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-pickplugins
Product-Wishlist
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12696
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 38.09%
||
7 Day CHG+0.06%
Published-18 Jan, 2025 | 07:05
Updated-21 Jan, 2025 | 21:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Picture Gallery – Frontend Image Uploads, AJAX Photo List <= 1.5.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via videowhisper_picture_upload_guest Shortcode

The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videowhisper_picture_upload_guest shortcode in all versions up to, and including, 1.5.22 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-videowhisper
Product-Picture Gallery – Frontend Image Uploads, AJAX Photo List
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13563
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.11% / 28.99%
||
7 Day CHG~0.00%
Published-15 Feb, 2025 | 08:25
Updated-18 Feb, 2025 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Front End Users <= 3.2.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via forgot-password Shortcode

The Front End Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's forgot-password shortcode in all versions up to, and including, 3.2.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-rustaurius
Product-Front End Users
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • ...
  • 29
  • 30
  • 31
  • ...
  • 47
  • 48
  • Next
Details not found