Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-28558

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-28 Feb, 2026 | 21:47
Updated At-28 Feb, 2026 | 21:47
Rejected At-
Credits

wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:28 Feb, 2026 | 21:47
Updated At:28 Feb, 2026 | 21:47
Rejected At:
▼CVE Numbering Authority (CNA)
wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page.

Affected Products
Vendor
gVectors Team
Product
wpForo Forum
Default Status
unaffected
Versions
Affected
  • From 2.4 before 2.4.16 (semver)
Unaffected
  • 2.4.16 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Scott Moore - VulnCheck
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wordpress.org/plugins/wpforo/
product
https://wordpress.org/plugins/wpforo/#developers
patch
https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-svg-avatar-file-upload
third-party-advisory
Hyperlink: https://wordpress.org/plugins/wpforo/
Resource:
product
Hyperlink: https://wordpress.org/plugins/wpforo/#developers
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-svg-avatar-file-upload
Resource:
third-party-advisory
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:28 Feb, 2026 | 22:16
Updated At:28 Feb, 2026 | 22:16

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Primarydisclosure@vulncheck.com
CWE ID: CWE-79
Type: Primary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://wordpress.org/plugins/wpforo/disclosure@vulncheck.com
N/A
https://wordpress.org/plugins/wpforo/#developersdisclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-svg-avatar-file-uploaddisclosure@vulncheck.com
N/A
Hyperlink: https://wordpress.org/plugins/wpforo/
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://wordpress.org/plugins/wpforo/#developers
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-svg-avatar-file-upload
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2534Records found
CVE-2025-2576
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 22.27%
||
7 Day CHG~0.00%
Published-26 Mar, 2025 | 02:23
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ayyash Studio <= 1.0.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Ayyash Studio — The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-themerox
Product-Ayyash Studio — The kick-start kit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2542
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 24.78%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 09:22
Updated-31 Mar, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Your Simple SVG Support <= 1.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Your Simple SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-obbdpu
Product-Your Simple SVG Support
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2544
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.15% / 35.27%
||
7 Day CHG~0.00%
Published-05 Apr, 2025 | 01:44
Updated-07 Apr, 2025 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Content Pipelines <= 1.6 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-adamwillhoeft
Product-AI Content Pipelines: Content Engine + Analytics
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2537
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 13.65%
||
7 Day CHG~0.00%
Published-03 Jul, 2025 | 12:23
Updated-03 Jul, 2025 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library (version 3.1) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-denis-de-bernardyWpDevArtAwesome Motive Inc.
Product-Auto ThickboxYouTube Embed, Playlist and Popup by WpDevArtPhoto Gallery, Sliders, Proofing and Themes – NextGEN Gallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24320
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.43% / 62.66%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 17:31
Updated-26 Feb, 2026 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BIG-IP Configuration utility vulnerability

A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability is due to an incomplete fix for CVE-2024-31156 https://my.f5.com/manage/s/article/K000138636 .  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-big-ip_global_traffic_managerbig-ip_application_acceleration_managerbig-ip_carrier-grade_natbig-ip_ddos_hybrid_defenderbig-ip_advanced_firewall_managerbig-ip_policy_enforcement_managerbig-ip_local_traffic_managerbig-ip_webacceleratorbig-ip_access_policy_managerbig-ip_advanced_web_application_firewallbig-ip_fraud_protection_servicebig-ip_analyticsbig-ip_ssl_orchestratorbig-ip_edge_gatewaybig-ip_link_controllerbig-ip_container_ingress_servicesbig-ip_application_security_managerbig-ip_automation_toolchainbig-ip_domain_name_systembig-ip_application_visibility_and_reportingbig-ip_websafeBIG-IP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2330
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 8.72%
||
7 Day CHG~0.00%
Published-02 Jul, 2025 | 09:23
Updated-10 Jul, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
All-in-One Addons for Elementor – WidgetKit <= 2.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via button+modal Widget

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button+modal' widget in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-themesgrovethemesgrove
Product-all-in-one_addons_for_elementorAll-in-One Addons for Elementor – WidgetKit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23227
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 17.09%
||
7 Day CHG~0.00%
Published-23 Jan, 2025 | 17:19
Updated-15 Aug, 2025 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Tivoli Application Dependency Discovery Manager cross-site scripting

IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.11 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-Linux Kernel Organization, IncMicrosoft CorporationIBM Corporation
Product-linux_kerneltivoli_application_dependency_discovery_managerwindowsaixTivoli Application Dependency Discovery Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2314
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.16% / 37.30%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 01:45
Updated-16 Apr, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially patched in version 3.13.6 of the plugin, and fully patched in 3.13.7.

Action-Not Available
Vendor-cozmoslabs
Product-User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2225
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.16% / 36.63%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 05:23
Updated-12 Aug, 2025 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'rael_title_tag'

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘rael_title_tag' parameter in all versions up to, and including, 1.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 1.6.9.

Action-Not Available
Vendor-CyberChimps Inc.
Product-responsive_addons_for_elementorResponsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2695
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.91% / 75.68%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:18
Updated-13 Feb, 2025 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Beaver Builder – WordPress Page Builder <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting via 'caption'

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' parameter added to images via the media uploader in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor and the ability to upload media files to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-fastlinemediajustinbusa
Product-beaver_builderBeaver Builder – WordPress Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2716
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.91% / 75.68%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:19
Updated-13 Feb, 2025 | 20:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Beaver Builder – WordPress Page Builder <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting via Text Editor

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Text Editor' block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-fastlinemediajustinbusa
Product-beaver_builderBeaver Builder – WordPress Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3210
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.70%
||
7 Day CHG-0.17%
Published-10 Apr, 2024 | 05:32
Updated-23 Jan, 2025 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'reg-single-checkbox' shortcode in all versions up to, and including, 4.15.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-properfractioncollizo4sky
Product-profilepressPaid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2108
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 30.89%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 06:54
Updated-20 Mar, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Site Title' widget

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Site Title’ widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-xpro
Product-140+ Widgets | Xpro Addons For Elementor – FREE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2083
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 42.42%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 09:22
Updated-15 Apr, 2025 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Logo Carousel Gutenberg Block <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via sliderId Parameter

The Logo Carousel Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘sliderId’ parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-binsaifullah
Product-Logo Carousel Gutenberg Block
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-59898
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.1||MEDIUM
EPSS-0.03% / 9.64%
||
7 Day CHG+0.01%
Published-28 Jan, 2026 | 11:58
Updated-10 Feb, 2026 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Cross-Site Scripting (XSS) vulnerability in Sync Breeze Enterprise Server

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/add_exclude_dir?sid=', affecting the 'exclude_dir' parameter.

Action-Not Available
Vendor-flexenseFlexense
Product-diskpulsesyncbreezeDisk Pulse EnterpriseSync Breeze Enterprise Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14941
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.01% / 1.76%
||
7 Day CHG~0.00%
Published-24 Jan, 2026 | 07:26
Updated-26 Jan, 2026 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GZSEO <= 2.0.11 - Authenticated (Contributor+) Authorization Bypass to Stored Cross-Site Scripting

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-aminhashemy
Product-GZSEO
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1664
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-08 Mar, 2025 | 11:16
Updated-11 Mar, 2025 | 21:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Parallax slider in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocksEssential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-15479
Matching Score-4
Assigner-64c5ae8f-7972-4697-86a0-7ada793ac795
ShareView Details
Matching Score-4
Assigner-64c5ae8f-7972-4697-86a0-7ada793ac795
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 13.43%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 13:23
Updated-29 Jan, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NGSurvey Enterprise 3.6.4 incorrect authorization exposes other users’ API keys and personal data

Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms ( on Windows and Linux servers ) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users’ browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding.

Action-Not Available
Vendor-ngsurveyData Illusion Zumbrunn
Product-ngsurveyNGSurvey
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14891
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.30% / 53.02%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 03:21
Updated-08 Jan, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Customer Reviews for WooCommerce <= 5.93.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via displayName Parameter

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with customer-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While it is possible to invoke the AJAX action without authentication, the attacker would need to know a valid form ID, which requires them to place an order. This vulnerability can be exploited by unauthenticated attackers if guest checkout is enabled. However, the form ID still needs to be obtained through placing an order.

Action-Not Available
Vendor-ivole
Product-Customer Reviews for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1703
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.13% / 32.59%
||
7 Day CHG~0.00%
Published-26 Mar, 2025 | 09:21
Updated-03 Apr, 2025 | 13:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Blocks <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter

The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ultimateblocks
Product-Ultimate Blocks – WordPress Blocks Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14893
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.01% / 1.81%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 06:34
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IndieWeb <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter

The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-indieweb
Product-IndieWeb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14984
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.02% / 4.05%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 09:20
Updated-08 Jan, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gutenverse Form <= 2.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers.

Action-Not Available
Vendor-jegstudio
Product-Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1665
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 31.58%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 05:22
Updated-14 Apr, 2025 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Avada Builder <= 3.11.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 3.11.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Avada (ThemeFusion)
Product-avada_builderAvada (Fusion) Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1560
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.36%
||
7 Day CHG~0.00%
Published-28 Feb, 2025 | 08:23
Updated-28 Feb, 2025 | 13:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WOW Entrance Effects (WEE!) <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WOW Entrance Effects (WEE!) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wee' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-darkosxrc
Product-WOW Entrance Effects (WEE!)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1512
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.16% / 37.47%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 06:52
Updated-01 Apr, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PowerPack Elementor Addons (Free Widgets, Extensions and Templates) <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Cursor Extension in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ideaboxcreations
Product-PowerPack Elementor Addons (Free Widgets, Extensions and Templates)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-15019
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.01% / 1.81%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 06:34
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the post editor.

Action-Not Available
Vendor-pagup
Product-Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-15522
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.01% / 1.89%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 04:34
Updated-26 Jan, 2026 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.10.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page.

Action-Not Available
Vendor-Uncanny Owl Inc.
Product-Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14865
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 11.62%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 12:28
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Passster – Password Protect Pages and Content <= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21.

Action-Not Available
Vendor-wpchill
Product-Passster – Password Protect Pages and Content
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-15267
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.01% / 1.26%
||
7 Day CHG~0.00%
Published-07 Feb, 2026 | 05:52
Updated-09 Feb, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BoldThemes
Product-Bold Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1503
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 28.23%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 04:21
Updated-17 Mar, 2025 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Recipe Maker <= 9.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-brechtvds
Product-WP Recipe Maker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1783
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.36%
||
7 Day CHG~0.00%
Published-08 Mar, 2025 | 09:22
Updated-24 Mar, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gallery Styles <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Gallery Styles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery Block in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-tiptoppresskometschuh
Product-gallery_stylesGallery Styles
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1491
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 30.89%
||
7 Day CHG~0.00%
Published-01 Mar, 2025 | 12:22
Updated-03 Mar, 2025 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Posts Carousel <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play_timeout Parameter

The WP Posts Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play_timeout’ parameter in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-teastudiopl
Product-WP Posts Carousel
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1802
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.14% / 34.21%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 11:11
Updated-26 Mar, 2025 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HT Mega – Absolute Addons For Elementor <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘marker_title’, 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.3.

Action-Not Available
Vendor-HasTech IT Limited (HasThemes)
Product-ht_megaHT Mega – Absolute Addons For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14983
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 19.61%
||
7 Day CHG+0.01%
Published-19 Feb, 2026 | 04:36
Updated-24 Feb, 2026 | 01:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced Custom Fields: Font Awesome <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible forauthenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute in a victim's browser.

Action-Not Available
Vendor-mattkeys
Product-Advanced Custom Fields: Font Awesome Field
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1689
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.75%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 06:48
Updated-11 Mar, 2025 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ThemeMakers PayPal Express Checkout <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The ThemeMakers PayPal Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-thememakersThemeMakers
Product-paypal_checkoutThemeMakers PayPal Express Checkout
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1527
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-12 Mar, 2025 | 11:13
Updated-24 Mar, 2025 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Flash Sale Countdown Module

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-HasTech IT Limited (HasThemes)
Product-shoplentorShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1529
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.16% / 37.47%
||
7 Day CHG+0.11%
Published-01 May, 2025 | 11:11
Updated-02 May, 2025 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AM LottiePlayer <= 3.5.3 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Lottie File

The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-johanaarstein
Product-AM LottiePlayer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1559
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 28.47%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 01:45
Updated-14 Mar, 2025 | 13:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CC-IMG-Shortcode <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-clearcodehq
Product-CC-IMG-Shortcode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1663
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.12% / 31.58%
||
7 Day CHG~0.00%
Published-03 Apr, 2025 | 07:21
Updated-07 Apr, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unlimited Elements For Elementor <= 1.5.142 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-unitecms
Product-Unlimited Elements For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14985
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 10.88%
||
7 Day CHG~0.00%
Published-24 Jan, 2026 | 07:26
Updated-26 Jan, 2026 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alpha Blocks <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alpha_block_css' Post Meta

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-robiulawal40
Product-Alpha Blocks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1571
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.36%
||
7 Day CHG~0.00%
Published-28 Feb, 2025 | 07:03
Updated-28 Feb, 2025 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exclusive Addons for Elementor <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Image Comparison Widgets

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text and Image Comparison Widgets in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-timstrifler
Product-Exclusive Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1517
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 38.70%
||
7 Day CHG~0.00%
Published-26 Feb, 2025 | 08:21
Updated-24 Mar, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sina Extension for Elementor <= 3.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text, Countdown Widget, and Login Form Shortcodes

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text, Countdown Widget, and Login Form shortcodes in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-sinaextrashaonsina
Product-sina_extension_for_elementorSina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1784
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 28.47%
||
7 Day CHG~0.00%
Published-26 Mar, 2025 | 05:22
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spectra – WordPress Gutenberg Blocks <= 2.19.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uagb block in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Brainstorm Force
Product-Spectra – WordPress Gutenberg Blocks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14069
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.01% / 2.22%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 05:29
Updated-26 Jan, 2026 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Schema & Structured Data for WP & AMP <= 1.54 - Authenticated (Contributor+) Stored Cross-Site Scripting via User Custom Schema

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Mohammed & Ahmed Kaludi (Magazine3)
Product-Schema & Structured Data for WP & AMP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1406
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 03:21
Updated-25 Feb, 2025 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newpost Catch <= 1.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via npc Shortcode

The Newpost Catch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's npc shortcode in all versions up to, and including, 1.3.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-imamuras56bouya
Product-newpost_catchNewpost Catch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14030
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 13.82%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 11:15
Updated-12 Dec, 2025 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Feeds <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode

The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-soportecibeles
Product-AI Feeds
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13967
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 12.60%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 11:15
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Woodpecker for WordPress <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-woodpeckerleadform
Product-Woodpecker for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13853
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 10.79%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 09:19
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-lnbadmin1
Product-Nearby Now Reviews
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-4775
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 28.00%
||
7 Day CHG~0.00%
Published-13 Nov, 2023 | 07:31
Updated-08 Jan, 2025 | 21:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'advanced_iframe' shortcode in versions up to, and including, 2023.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-tinywebgallerymdempfle
Product-advanced_iframeAdvanced iFrame
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13962
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 13.82%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-12 Dec, 2025 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Divelogs Widget <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-klemmkeil
Product-Divelogs Widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • ...
  • 17
  • 18
  • 19
  • ...
  • 50
  • 51
  • Next
Details not found