Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-2583

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-02 Mar, 2026 | 22:23
Updated At-03 Mar, 2026 | 14:38
Rejected At-
Credits

Blocksy <= 2.1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy_meta` Fields

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:02 Mar, 2026 | 22:23
Updated At:03 Mar, 2026 | 14:38
Rejected At:
▼CVE Numbering Authority (CNA)
Blocksy <= 2.1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy_meta` Fields

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected Products
Vendor
creativethemeshq
Product
Blocksy
Default Status
unaffected
Versions
Affected
  • From * through 2.1.30 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Quốc Huy
Timeline
EventDate
Discovered2026-02-13 00:00:00
Vendor Notified2026-02-16 13:17:35
Disclosed2026-03-02 09:26:54
Event: Discovered
Date: 2026-02-13 00:00:00
Event: Vendor Notified
Date: 2026-02-16 13:17:35
Event: Disclosed
Date: 2026-03-02 09:26:54
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/ce7ee2c7-0c7b-4ce3-89d2-5503dff6e59c?source=cve
N/A
https://themes.trac.wordpress.org/changeset/315531/
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/ce7ee2c7-0c7b-4ce3-89d2-5503dff6e59c?source=cve
Resource: N/A
Hyperlink: https://themes.trac.wordpress.org/changeset/315531/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:02 Mar, 2026 | 23:16
Updated At:03 Mar, 2026 | 21:52

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity@wordfence.com
CWE ID: CWE-79
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://themes.trac.wordpress.org/changeset/315531/security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/ce7ee2c7-0c7b-4ce3-89d2-5503dff6e59c?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://themes.trac.wordpress.org/changeset/315531/
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/ce7ee2c7-0c7b-4ce3-89d2-5503dff6e59c?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2364Records found
CVE-2024-13462
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 30.84%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 07:32
Updated-19 Feb, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Wiki Tooltip <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Wiki Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wiki' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-nida78
Product-WP Wiki Tooltip
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13549
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.84%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 13:42
Updated-31 Jan, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
All Bootstrap Blocks <= 1.3.26 - Authenticated (Contributor+) Stored Cross-Site Scripting

The All Bootstrap Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Accordion" widget in all versions up to, and including, 1.3.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-areoimilesAREOI
Product-all_bootstrap_blocksAll Bootstrap Blocks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13386
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.89%
||
7 Day CHG+0.09%
Published-17 Jan, 2025 | 07:01
Updated-12 Feb, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
quote-posttype-plugin <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The quote-posttype-plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Author field in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-tobig
Product-quote-posttype-plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13398
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 47.56%
||
7 Day CHG+0.10%
Published-17 Jan, 2025 | 04:30
Updated-12 Feb, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Checkout for PayPal <= 1.0.32 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Checkout for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'checkout_for_paypal' shortcode in all versions up to, and including, 1.0.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-naa986
Product-Checkout for PayPal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13397
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 28.18%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 02:24
Updated-31 Jan, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPRadio – WordPress Radio Streaming Plugin <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WPRadio – WordPress Radio Streaming Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpradio_player' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-casterfm
Product-WPRadio – WordPress Radio Streaming Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13542
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 19.78%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 11:07
Updated-05 Feb, 2025 | 01:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpgsv' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-agenceseopagup
Product-wp_google_street_viewWP Google Street View (with 360° virtual tour) & Google maps + Local SEO
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13612
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 30.95%
||
7 Day CHG~0.00%
Published-01 Feb, 2025 | 12:21
Updated-20 Feb, 2025 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wordpluswordplus
Product-better_messagesBetter Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13701
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.84%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 03:21
Updated-25 Feb, 2025 | 03:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Liveticker (by stklcode) <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Liveticker (by stklcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'liveticker' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-stklcodestklcode
Product-livetickerLiveticker (by stklcode)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13460
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.84%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 13:42
Updated-31 Jan, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WE – Testimonial Slider <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WE – Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Testimonial Author Names in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wordpresteemwordpresteem
Product-we_-_testimonial_slideWE – Testimonial Slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13583
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 22.29%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 09:21
Updated-12 Feb, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Gallery with Filter <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Gallery with Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'c2tw_sgwf' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-come2thewebjitendra742744
Product-simple_gallery_with_filterSimple Gallery with Filter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13565
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.34%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-24 Feb, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Map No Api <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

The Simple Map No Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-shaonback2shaonback2
Product-simple_map_no_apiSimple Map No Api
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13702
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 20.60%
||
7 Day CHG~0.00%
Published-26 Mar, 2025 | 08:21
Updated-05 Jun, 2025 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CRM and Lead Management by vcita <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vCitaMeetingScheduler' and 'vCitaSchedulingCalendar' shortcodes in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-vcitavcita
Product-crm_and_lead_management_by_vcitaCRM and Lead Management by vcita
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13559
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 28.18%
||
7 Day CHG~0.00%
Published-01 Mar, 2025 | 04:21
Updated-03 Mar, 2025 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TemplatesNext ToolKit <= 3.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The TemplatesNext ToolKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tx_woo_wishlist_table' shortcode in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-marsian
Product-TemplatesNext ToolKit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13527
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.84%
||
7 Day CHG~0.00%
Published-28 Jan, 2025 | 08:21
Updated-30 Jan, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Philantro – Donations and Donor Management <= 5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via donate Shortcode

The Philantro – Donations and Donor Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'donate' in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-philantrophilantro
Product-philantroPhilantro – Donations and Donor Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1364
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.13% / 32.17%
||
7 Day CHG~0.00%
Published-27 Mar, 2024 | 06:40
Updated-12 Mar, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget's custom_id in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-elementorhttps://elementor.com/
Product-elementor_proElementor Website Builder Pro
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13802
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.84%
||
7 Day CHG~0.00%
Published-20 Feb, 2025 | 09:21
Updated-01 Aug, 2025 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bandsintown Events <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Bandsintown Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bandsintown_events' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-bandsintownkwestion505
Product-eventsBandsintown Events
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13803
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 26.55%
||
7 Day CHG~0.00%
Published-26 Feb, 2025 | 07:01
Updated-10 Apr, 2025 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-marker’ parameter in all versions up to, and including, 5.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocksEssential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13799
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 05:22
Updated-19 Feb, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Private Files – File Upload & Download Manager with Secure File Sharing <= 2.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The User Private Files – File Upload & Download Manager with Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘new-fldr-name’ parameter in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-deepakkite
Product-User Private Files – File Upload & Download Manager with Secure File Sharing
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3647
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 41.47%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-08 Jan, 2025 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's post ticker widget in all versions up to, and including, 4.10.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the premium version of the plugin to be installed and activated in order to be exploited.

Action-Not Available
Vendor-leap13leap13WordPress.org
Product-premium_addons_for_elementorPremium Addons for Elementorpremium_addons_for_elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13662
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 30.84%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 11:11
Updated-18 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
eHive Objects Image Grid <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The eHive Objects Image Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ehive_objects_image_grid' shortcode in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-vernonsystems
Product-eHive Objects Image Grid
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13675
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 20.60%
||
7 Day CHG~0.00%
Published-08 Mar, 2025 | 11:16
Updated-11 Mar, 2025 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Icon List" Block in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-funnelkitamans2k
Product-slingblocksSlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13575
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.34%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 07:28
Updated-21 Feb, 2025 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web Stories Enhancer – Level Up Your Web Stories <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Web Stories Enhancer – Level Up Your Web Stories plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'web_stories_enhancer' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Mohammed & Ahmed Kaludi (Magazine3)
Product-web_stories_enhancerWeb Stories Enhancer – Level Up Your Web Stories
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13551
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 20.14%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-05 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ABC Notation <= 6.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The ABC Notation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abcjs' shortcode in all versions up to, and including, 6.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-paulrosenpaulrosen
Product-abc_notationABC Notation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13379
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 19.96%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 03:21
Updated-25 Feb, 2025 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
C9 Admin Dashboard <= 1.3.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The C9 Admin Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-covertninettoomey
Product-c9_admin_dashboardC9 Admin Dashboard
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13470
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.11% / 29.70%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 07:23
Updated-04 Feb, 2025 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.8.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Saturday Drive, INC
Product-ninja_formsNinja Forms – The Contact Form Builder That Grows With You
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13389
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.06%
||
7 Day CHG+0.16%
Published-23 Jan, 2025 | 11:13
Updated-31 Jan, 2025 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cliptakes <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Cliptakes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cliptakes_input_email' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-cliptakescliptakes
Product-cliptakesCliptakes
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13441
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 19.78%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-04 Feb, 2025 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bilingual Linker <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Bilingual Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bl_otherlang_link_1 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ylefebvrejackdewey
Product-bilingual_linkerBilingual Linker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13354
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 17.29%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 11:07
Updated-05 Feb, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tags in several widgets in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-CyberChimps Inc.
Product-responsive_addonsResponsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13564
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 26.55%
||
7 Day CHG~0.00%
Published-22 Feb, 2025 | 08:22
Updated-18 Mar, 2025 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rife Elementor Extensions & Templates <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode

The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Writing Effect Headline shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-apollo13apollo13themes
Product-rife_elementor_extensions_\&_templatesRife Elementor Extensions & Templates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13394
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.26% / 49.18%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 05:24
Updated-15 Jan, 2025 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ViewMedica 9 <= 1.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

The ViewMedica 9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewmedica' shortcode in all versions up to, and including, 1.4.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-swarminteractive
Product-ViewMedica 9
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13589
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 28.18%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 07:32
Updated-19 Feb, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YouTube Playlists with Schema <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The YouTube Playlists with Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'yt_grid' shortcode in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-johnnya23
Product-YouTube Playlists with Schema
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13769
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 19.00%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 04:22
Updated-24 Feb, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Puzzles | WP Magazine / Review with Store WordPress Theme + RTL <= 4.2.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the 'theme_options_ajax_post_action' AJAX action in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and inject malicious web scripts. The developer opted to remove the software from the repository, so an update is not available and it is recommended to find a replacement software.

Action-Not Available
Vendor-themerexThemeREX
Product-puzzlesPuzzles | WP Magazine / Review with Store WordPress Theme + RTL
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-862
Missing Authorization
CVE-2024-13581
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.84%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-21 Feb, 2025 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Charts <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'simple_chart' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-supporthostsupporthost
Product-simple_chartsSimple Charts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1357
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.15% / 35.24%
||
7 Day CHG~0.00%
Published-16 Apr, 2024 | 09:33
Updated-22 May, 2025 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_timeline shortcode in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping on user supplied attributes such as thumb_mode and date_type. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Depicter (Averta)
Product-shortcodes_and_extra_features_for_phlox_themeShortcodes and extra features for Phlox themedepicter_slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1384
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 46.06%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 12:31
Updated-19 Sep, 2024 | 22:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Premium Portfolio Features for Phlox theme <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aux_recent_portfolios_grid' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Depicter (Averta)
Product-auxinportfolioPremium Portfolio Features for Phlox theme
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13427
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 16.53%
||
7 Day CHG~0.00%
Published-24 May, 2025 | 01:41
Updated-28 May, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Link

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 1.9.9 and completely fixed in version 2.0.1.

Action-Not Available
Vendor-softaculous
Product-Page Builder: Pagelayer – Drag and Drop website builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13433
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 40.82%
||
7 Day CHG+0.11%
Published-18 Jan, 2025 | 07:05
Updated-21 Jan, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Utilities for MTG <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Utilities for MTG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mtglink' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-yunra
Product-Utilities for MTG
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1293
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 41.47%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-16 Jan, 2025 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom block in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-brizythemefusecom
Product-brizyBrizy – Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13506
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 30.84%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 11:10
Updated-12 Feb, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.97 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Display_name Parameter

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the display_name profile parameter in all versions up to, and including, 2.8.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-paoltaia
Product-GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13649
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.34%
||
7 Day CHG~0.00%
Published-08 Mar, 2025 | 11:16
Updated-11 Mar, 2025 | 21:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.4.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpxproxpro
Product-xpro_addons_for_elementor140+ Widgets | Xpro Addons For Elementor – FREE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13665
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.84%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 04:22
Updated-24 Feb, 2025 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Admire Extra <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Admire Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'space' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-sonalsinha21Sonl Sinha (SKT Web Themes LLC)
Product-admire_extraAdmire Extra
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13157
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.13% / 32.96%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 08:21
Updated-31 Jan, 2025 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Podcast RSS Feed

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Podcast RSS Feed in all versions up to, and including, 5.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-sonaar
Product-MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13672
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.34%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 03:21
Updated-25 Feb, 2025 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mini Course Generator | Embed mini-courses and interactive content <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Mini Course Generator | Embed mini-courses and interactive content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mcg' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-minicoursegeneratorminicoursegenerator
Product-mini_course_generatorMini Course Generator | Embed mini-courses and interactive content
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13584
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.34% / 56.42%
||
7 Day CHG+0.27%
Published-22 Jan, 2025 | 03:21
Updated-24 Jan, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Picture Gallery – Frontend Image Uploads, AJAX Photo List <= 1.5.19 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_pictures' shortcode in all versions up to, and including, 1.5.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-videowhispervideowhisper
Product-picture_galleryPicture Gallery – Frontend Image Uploads, AJAX Photo List
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13563
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.11% / 28.94%
||
7 Day CHG~0.00%
Published-15 Feb, 2025 | 08:25
Updated-18 Feb, 2025 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Front End Users <= 3.2.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via forgot-password Shortcode

The Front End Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's forgot-password shortcode in all versions up to, and including, 3.2.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-rustaurius
Product-Front End Users
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13469
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.84%
||
7 Day CHG~0.00%
Published-28 Feb, 2025 | 08:23
Updated-28 Feb, 2025 | 13:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pricing Table by PickPlugins <= 1.12.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Pricing Table by PickPlugins plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button Link in all versions up to, and including, 1.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-pickplugins
Product-Pricing Table by PickPlugins
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13401
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.37% / 58.49%
||
7 Day CHG+0.20%
Published-17 Jan, 2025 | 04:30
Updated-12 Feb, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Payment Button for PayPal <= 1.2.3.35 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Payment Button for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_paypal_checkout' shortcode in all versions up to, and including, 1.2.3.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-naa986
Product-Payment Button for PayPal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13393
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.14% / 34.81%
||
7 Day CHG+0.06%
Published-18 Jan, 2025 | 07:05
Updated-21 Jan, 2025 | 21:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Video Share VOD – Turnkey Video Site Builder Script <= 2.6.31 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_videos' shortcode in all versions up to, and including, 2.6.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-videowhisper
Product-Video Share VOD – Turnkey Video Site Builder Script
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13586
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 19.78%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-04 Feb, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Masy Gallery <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Masy Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'justified-gallery' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-dineshrawatimdr
Product-masy_galleryMasy Gallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13155
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.34%
||
7 Day CHG~0.00%
Published-20 Feb, 2025 | 07:33
Updated-25 Feb, 2025 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.140 - Authenticated (Contributor+) Stored Cross-Site Scripting via Transparent Split Hero Widget

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Transparent Split Hero widget in all versions up to, and including, 1.5.140 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: Since the widget code isn't part of the code base, to apply the patch, the affected widget: Transparent Split Hero must be deleted and reinstalled manually.

Action-Not Available
Vendor-unlimited-elementsunitecms
Product-unlimited_elements_for_elementorUnlimited Elements For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • ...
  • 18
  • 19
  • 20
  • ...
  • 47
  • 48
  • Next
Details not found