Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-4303 The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wsm_showDayStatsGraph' shortcode in all versions up to, and including,... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2481 The Beaver Builder Page Builder β Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.1... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2509 The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due t... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5451 The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, 4.14. This is due to insuffic... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2512 The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization func... | 6.4 | MEDIUM | β | 0 |
| CVE-2015-20119 Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4078 The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to an... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2602 The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5711 The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 du... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-27684 SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The applica... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-24316 SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows to send HTTP requests to arbitrary internal or external endpoints. The report is therefore vulnerab... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-24309 Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module to read, modify or insert entries into the databa... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-34812 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the mimetypes parameter to /cgi-bin/proxypolicy.cgi. An authenticated attacker can inject arbitrary JavaScript that... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-34813 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the user parameter to /cgi-bin/proxyuser.cgi. An authenticated attacker can inject arbitrary JavaScript that is sto... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-34814 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the group parameter to /cgi-bin/proxygroup.cgi. An authenticated attacker can inject arbitrary JavaScript that is s... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4389 The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versi... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-34815 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the DOMAIN parameter to /cgi-bin/smtpdomains.cgi. An authenticated attacker can inject arbitrary JavaScript that is... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4278 The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4075 The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-34816 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the domain parameter to /manage/smtpscan/domainrouting/. An authenticated attacker can inject arbitrary JavaScript ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2305 The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-34817 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript th... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4120 The Info Cards β Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnUrl' parameter within the Info Cards block in all versions up to, and ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-8766 A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-31953 Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 a... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4429 The OSM β OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5357 The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to in... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-57849 A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain condition... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4336 The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5742 The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and imp... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-33727 Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privileg... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3005 The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sa... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-40226 In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. | 6.4 | MEDIUM | β | 0 |
| CVE-2025-6229 The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerab... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4766 The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insuffici... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3427 The Yoast SEO β Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `jsonText` block attribute in all versions up to, and... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2358 The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due t... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4086 The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4084 The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1.... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4077 The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due t... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4067 The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4022 The Show Posts list β Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3997 The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3996 The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [game] shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitizatio... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3619 The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the [sheets2table-render-table] shortcode in all versions up to and including... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3617 The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insuff... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4895 The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9 This is due to insufficient input sanitiza... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-0626 The WPFunnels β Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all ve... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2437 The WP Travel Engine β Tour Booking Plugin β Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, a... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2600 The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and ... | 6.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.