Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-8489

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-03 Jul, 2026 | 04:30
Updated At-03 Jul, 2026 | 04:30
Rejected At-
Credits

Ultimate Member <= 2.11.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Non-HTML Custom Textarea Profile Field

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'about_me' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:03 Jul, 2026 | 04:30
Updated At:03 Jul, 2026 | 04:30
Rejected At:
▼CVE Numbering Authority (CNA)
Ultimate Member <= 2.11.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Non-HTML Custom Textarea Profile Field

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'about_me' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected Products
Vendor
Ultimate Member Group Ltdultimatemember
Product
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Default Status
unaffected
Versions
Affected
  • From 0 through 2.11.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
daroo
Timeline
EventDate
Vendor Notified2026-05-13 15:14:25
Disclosed2026-07-02 15:57:05
Event: Vendor Notified
Date: 2026-05-13 15:14:25
Event: Disclosed
Date: 2026-07-02 15:57:05
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/229a4e61-571c-44c6-9972-4dfc743afffe?source=cve
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/um-filters-fields.php#L271
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-profile.php#L479
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-fields.php#L4577
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-form.php#L854
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/um-actions-form.php#L628
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/um-filters-fields.php#L271
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-profile.php#L479
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-fields.php#L4577
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-form.php#L854
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/um-actions-form.php#L628
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/229a4e61-571c-44c6-9972-4dfc743afffe?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/um-filters-fields.php#L271
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-profile.php#L479
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-fields.php#L4577
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-form.php#L854
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/um-actions-form.php#L628
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/um-filters-fields.php#L271
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-profile.php#L479
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-fields.php#L4577
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-form.php#L854
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/um-actions-form.php#L628
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:03 Jul, 2026 | 06:16
Updated At:03 Jul, 2026 | 06:16

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'about_me' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity@wordfence.com
CWE ID: CWE-79
Type: Primary
Source: security@wordfence.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-fields.php#L4577security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-form.php#L854security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-profile.php#L479security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/um-actions-form.php#L628security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/um-filters-fields.php#L271security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-fields.php#L4577security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-form.php#L854security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-profile.php#L479security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/um-actions-form.php#L628security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/um-filters-fields.php#L271security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/229a4e61-571c-44c6-9972-4dfc743afffe?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-fields.php#L4577
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-form.php#L854
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/class-profile.php#L479
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/um-actions-form.php#L628
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/core/um-filters-fields.php#L271
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-fields.php#L4577
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-form.php#L854
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-profile.php#L479
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/um-actions-form.php#L628
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/um-filters-fields.php#L271
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/229a4e61-571c-44c6-9972-4dfc743afffe?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2990Records found

CVE-2025-13746
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 8.57%
||
7 Day CHG~0.00%
Published-06 Jan, 2026 | 03:21
Updated-08 Apr, 2026 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ForumWP – Forum & Discussion Board <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name

The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-ForumWP – Forum & Discussion Board
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13217
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.26% / 16.80%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 18:21
Updated-08 Apr, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value'

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-15064
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.27% / 18.48%
||
7 Day CHG~0.00%
Published-04 Apr, 2026 | 07:41
Updated-24 Apr, 2026 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via DOM Gadgets

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when "HTML support for user description" is enabled in Ultimate Member settings.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13220
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.21% / 11.27%
||
7 Day CHG~0.00%
Published-21 Dec, 2025 | 03:20
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8519
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.40% / 32.03%
||
7 Day CHG~0.00%
Published-04 Oct, 2024 | 02:32
Updated-08 Apr, 2026 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'um_loggedin' shortcode in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-ultimate_memberUltimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1208
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.87% / 54.43%
||
7 Day CHG+0.02%
Published-13 Jun, 2022 | 12:43
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.3.2 - Stored Cross-Site Scripting

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding that is reflected back on the page. This affects versions up to, and including, 2.3.2. Please note this issue was only partially fixed in version 2.3.2.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-ultimate_memberUltimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10872
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.05% / 59.99%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:24
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9304
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.05% / 59.99%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:23
Updated-06 Aug, 2024 | 08:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-14947
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.89% / 54.82%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:27
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-14946
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.78% / 51.37%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:29
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-8354
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.10% / 79.43%
||
7 Day CHG~0.00%
Published-11 Sep, 2017 | 20:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to wp-admin/users.php.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-14945
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.88% / 54.72%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:29
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ultimate-member plugin before 2.0.54 for WordPress has XSS.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-1404
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 11.35%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 14:24
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.11.1 - Reflected Cross-Site Scripting via Filter Parameters

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter parameters (e.g., 'filter_first_name') in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-6944
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.21% / 64.58%
||
7 Day CHG~0.00%
Published-16 Feb, 2018 | 14:00
Updated-05 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-6943
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.06% / 60.55%
||
7 Day CHG~0.00%
Published-16 Feb, 2018 | 14:00
Updated-05 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimatemembern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20965
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.04% / 59.72%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:25
Updated-05 Aug, 2024 | 12:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ultimate-member plugin before 2.0.4 for WordPress has XSS.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17866
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.65% / 73.61%
||
7 Day CHG~0.00%
Published-09 Oct, 2018 | 22:00
Updated-05 Aug, 2024 | 11:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-0585
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-5.4||MEDIUM
EPSS-1.00% / 58.45%
||
7 Day CHG~0.00%
Published-14 May, 2018 | 13:00
Updated-05 Aug, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-ultimate_memberUltimate Member
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-13136
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.48% / 70.78%
||
7 Day CHG~0.00%
Published-04 Jul, 2018 | 08:00
Updated-05 Aug, 2024 | 08:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-ultimate_membern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39329
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.5||MEDIUM
EPSS-1.00% / 58.68%
||
7 Day CHG~0.00%
Published-19 Oct, 2021 | 14:14
Updated-14 Feb, 2025 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JobBoardWP – Job Board Listings and Submissions <= 1.0.7 Authenticated Stored Cross-Site Scripting

The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-metabox.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.7. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-jobboardwpJobBoardWP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-10234
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.64% / 46.23%
||
7 Day CHG~0.00%
Published-23 Apr, 2018 | 14:00
Updated-05 Aug, 2024 | 07:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.

Action-Not Available
Vendor-n/aUltimate Member Group Ltd
Product-user_profile_\&_membershipn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2765
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.50% / 39.25%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-ultimate_memberUltimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Pluginultimate_member
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24306
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.62% / 45.32%
||
7 Day CHG~0.00%
Published-24 May, 2021 | 10:58
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member < 2.1.20 - Authenticated Reflected Cross-Site Scripting (XSS)

The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the related logged in user open a malicious link.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-ultimate_memberUltimate Member – User Profile, User Registration, Login & Membership Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2123
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-26.67% / 97.77%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 09:35
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.8.3 - Unauthenticated Stored Cross-Site Scripting

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ultimate_memberUltimate Member Group Ltd
Product-ultimate_memberUltimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Pluginregistration
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11204
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.34% / 25.97%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 08:24
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ForumWP – Forum & Discussion Board <= 2.1.2 - Reflected Cross-Site Scripting via url Parameter

The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-forumwpForumWP – Forum & Discussion Board
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10879
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 30.63%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 08:24
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ForumWP – Forum & Discussion Board <= 2.1.2 - Reflected Cross-Site Scripting

The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-forumwpForumWP – Forum & Discussion Board
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10880
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.46% / 36.82%
||
7 Day CHG~0.00%
Published-23 Nov, 2024 | 04:32
Updated-08 Apr, 2026 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JobBoardWP – Job Board Listings and Submissions <= 1.3.0 - Reflected Cross-Site Scripting

The JobBoardWP – Job Board Listings and Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-jobboardwpJobBoardWP – Job Board Listings and Submissions
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8872
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 9.22%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Animate Your Content <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-fides-it
Product-Animate Your Content
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44174
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-6.4||MEDIUM
EPSS-0.35% / 27.27%
||
7 Day CHG~0.00%
Published-28 Sep, 2023 | 21:14
Updated-23 Sep, 2024 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Online Movie Ticket Booking System v1.0 - Stored Cross-Site Scripting (XSS)

Online Movie Ticket Booking System v1.0 is vulnerable to an authenticated Stored Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-Online Movie Ticket Booking SystemProjectworlds
Product-online_movie_ticket_booking_systemOnline Movie Ticket Booking System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-4219
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 10.43%
||
7 Day CHG~0.00%
Published-21 May, 2025 | 09:21
Updated-08 Apr, 2026 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DPEPress <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The DPEPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dpe' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-darkyudex
Product-DPEPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8866
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 14.34%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jQuery googleslides <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes (userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed) in the googleslides_handler() function, which interpolates the attribute values directly into single-quoted HTML attributes without using esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-bradyholt
Product-jQuery googleslides
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8677
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 15.39%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 08:29
Updated-09 Jun, 2026 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prime Elementor Addons <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget HTML Tag Settings

The Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploit succeeds even for users without the unfiltered_html capability because the payload (e.g., 'img src=x onerror=alert(document.domain)') contains no HTML angle brackets and therefore passes through Elementor's wp_kses_post() filter unchanged at save time.

Action-Not Available
Vendor-wpmessiah
Product-Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8868
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 14.34%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Single Mailchimp <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (autocomplete, label, placeholder, btn_text, success_msg, error_msg) which are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-jonathan-robrecht
Product-Single Mailchimp
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8846
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 8.48%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tuxquote <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes ('title', 'align', and 'width') in the tuxquote_build_format() function, which are concatenated into the rendered HTML without being passed through esc_attr() or esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-eldougo
Product-Tuxquote
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8842
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 9.73%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Google+ Link Name <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes ('id' and 'name') in the gplusnamelink_generate() function, which are concatenated directly into the rendered HTML without calling esc_attr() or esc_html(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-morettolss
Product-Google+ Link Name
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8897
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 14.34%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shortcode Buddy <= 0.1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-vincentastolfi
Product-Shortcode Buddy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8877
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 14.34%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Responsive Video Embedder <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem_video' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (notably 'id' and 'list') in the video_shortcode() function, which are concatenated directly into an HTML iframe's src attribute without escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Alex Raven (Esiteq)
Product-Responsive Video Embedder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8870
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 8.81%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Team Master <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-adnanmoqsood
Product-Team Master – A Modern WordPress Team Showcase
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8837
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 8.49%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Iframe Geo Style for Amazon affiliates <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'adid' Shortcode Attribute

The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ektorcaba
Product-WP Iframe Geo Style for Amazon affiliates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8898
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 14.34%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Events In City <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes (such as 'organizer_id', 'width', 'height', 'transparency', 'header', 'border', and 'layout') in the org_event_scode() function. The attribute values are concatenated directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ruchit47
Product-Events In City
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8895
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.18% / 7.92%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 03:41
Updated-09 Jun, 2026 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
kk blog card <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are concatenated directly into HTML attribute contexts in the shortcode callback registered in kk-blog-card-shortcode.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-kenz60
Product-kk blog card
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-9629
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 9.93%
||
7 Day CHG~0.00%
Published-13 Jun, 2026 | 07:51
Updated-15 Jun, 2026 | 12:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Canvas <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' Block Attribute

The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-codesupplyco
Product-Canvas
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8607
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.27% / 18.48%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 06:49
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrap' Shortcode Attribute

The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-saadiqbal
Product-Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8702
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.16% / 5.18%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GBI To Print <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'div' Shortcode Attribute

The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbi_toprint_shortcode() function, which concatenates the raw shortcode attribute value directly into an HTML attribute without applying esc_attr() or any other sanitization. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-garber
Product-GBI To Print
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8893
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 8.57%
||
7 Day CHG~0.00%
Published-05 Jun, 2026 | 23:28
Updated-08 Jun, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Express Payment For Stripe <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the [stripe-express] shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value, which is concatenated into an HTML attribute in the rendered output of the register_shortcode() function without being passed through esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-payaddons
Product-Express Payment For Stripe
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8891
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 9.22%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BitForm <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes ('width' and 'height') in the Shortcode::shortcode() function, which are interpolated directly into the 'style' attribute of an <iframe> element. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-bitform
Product-BitForm – Data management solution for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-4172
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 9.74%
||
7 Day CHG~0.00%
Published-03 May, 2025 | 01:43
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VerticalResponse Newsletter Widget <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The VerticalResponse Newsletter Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'verticalresponse' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-katzwebdesign
Product-VerticalResponse Newsletter Widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-9281
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.21% / 11.80%
||
7 Day CHG~0.00%
Published-06 Jun, 2026 | 01:26
Updated-08 Jun, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Master Addons For Elementor <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension)

The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely.

Action-Not Available
Vendor-litonice13
Product-Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8841
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.18% / 7.92%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 03:41
Updated-09 Jun, 2026 | 13:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstg_shortcode() function, which concatenates the user-supplied 'title' attribute directly into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-andrewabarber
Product-Extra Settings for RocketChat
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8845
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 8.48%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Islamic Database <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within the islamicDB_sc_quran_qari_roqya() function, which are concatenated directly into HTML iframe attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-samiullah-kaifi
Product-Islamic Database
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 59
  • 60
  • Next
Details not found