CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-1401 The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1893 The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_label' parameter in the 'orbisius_random_name_generator' shortcode in all versions up ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1231 The Beaver Builder Page Builder β Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and incl... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3998 The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up to and including 1.3. This is due to in... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1808 The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4005 The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient in... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1915 The Simple Plyr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'poster' parameter in the 'plyr' shortcode in all versions up to, and including, 0.0.1 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1910 The UpMenu β Online ordering for restaurants plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lang' attribute of the 'upmenu-menu' shortcode in all versions up to, and includ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4011 The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [pc] shortcode in all versions up to, and including, 0.1.0. This is due to insuffi... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5717 The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and includin... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3516 The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sa... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5372 An issue that allowed a SQL injection attack vector related to saved queries (introduced in version 4.0.260123.0). This is an instance of CWE-89: Improper Neutralization of Special Elements used in an... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3659 The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1913 The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1755 The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the β_wp_attachment_image_altβ post meta in all versions up to, and including, 0.13.20 due to insuffic... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1888 The Docus β YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient i... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-6246 The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'container_right_width' attribute of the 'simple_random_posts' shortcode in all versions up ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1293 The Yoast SEO β Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to,... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2924 The Gutenverse β Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1822 The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2023-54343 QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can ex... | 6.4 | MEDIUM | β | 0 |
| CVE-2022-50952 Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST reque... | 6.4 | MEDIUM | β | 0 |
| CVE-2022-50951 WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1905 The Sphere Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in the 'show_sphere_image' shortcode in all versions up to, and including, 1.0.2 due to i... | 6.4 | MEDIUM | β | 0 |
| CVE-2022-50941 BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unv... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1252 The Events Listing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Event URL' parameter in all versions up to, and including, 1.3.4 due to insufficient input sanitiza... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1395 The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient... | 6.4 | MEDIUM | β | 0 |
| CVE-2024-58344 Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard setti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1397 The PQ Addons β Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input... | 6.4 | MEDIUM | β | 0 |
| CVE-2021-47856 Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3492 The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25263 Zendesk SweetHawk Survey 1.6 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through support ticket submissions. Attackers can insert XSS pay... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25264 Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script t... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25265 Online Inventory Manager 3.2 contains a stored cross-site scripting vulnerability in the group description field of the admin edit groups section. Attackers can inject malicious JavaScript through the... | 6.4 | MEDIUM | β | 0 |
| CVE-2020-37103 DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML f... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1886 The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1806 The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, an... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1903 The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb_ravelry_designs' shortcode in all versions up to, and including, 1.0.... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2257 The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` funct... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3875 The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient i... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1854 The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization an... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4006 The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'display_name' post meta (Custom Field) in all versions up to and including 2.6.2. This is due to insuff... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1851 The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' shortcode attribute in all versions up to, and including, 3.0 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4125 The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-32357 Server-Side Request Forgery (SSRF) vulnerability in Katsushi Kawamori Simple Blog Card simple-blog-card allows Server Side Request Forgery.This issue affects Simple Blog Card: from n/a through <= 2.37... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25301 Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. Attackers can post comments ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5774 Improper synchronization of the userTokens map in the API server in Canonical JujuΒ 4.0.5,Β 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or poss... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2501 The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share` shortcode in all versions up to, and including, 2.0. This is due to insufficient... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2496 The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `eds_font_awesome` shortcode in all versions up to, and including, 2.0. This is due to insuffic... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1575 The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `itemscope` shortcode in all versions up to, and including, 1.0 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.