Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-4005 The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient in... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3998 The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up to and including 1.3. This is due to in... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2352 The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input s... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2430 The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overl... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4076 The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This i... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3659 The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2924 The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.... | 6.4 | MEDIUM | — | 0 |
| CVE-2019-25369 OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. At... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1985 The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitiz... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1187 The ZoomifyWP Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filename' parameter of the 'zoomify' shortcode in all versions up to, and including, 1.1 due to insufficie... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4006 The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'display_name' post meta (Custom Field) in all versions up to and including 2.6.2. This is due to insuff... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-0559 The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stm_lms_courses_grid_display' shortcode in a... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-0557 The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpda_app' shortcode in all versions up to, and including, 5.5.63 due to insufficient input saniti... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1912 The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all versions up to, and including, 0.3.2 due to insufficient ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-5372 An issue that allowed a SQL injection attack vector related to saved queries (introduced in version 4.0.260123.0). This is an instance of CWE-89: Improper Neutralization of Special Elements used in an... | 6.4 | MEDIUM | — | 0 |
| CVE-2020-37014 Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by ... | 6.4 | MEDIUM | — | 0 |
| CVE-2020-37003 Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4083 The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function s... | 6.4 | MEDIUM | — | 0 |
| CVE-2020-36998 Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, ... | 6.4 | MEDIUM | — | 0 |
| CVE-2020-36996 PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScri... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-6048 The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions up to, and including, 2.... | 6.4 | MEDIUM | — | 0 |
| CVE-2020-36966 Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can e... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-13959 The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitizati... | 6.4 | MEDIUM | — | 0 |
| CVE-2023-54343 QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can ex... | 6.4 | MEDIUM | — | 0 |
| CVE-2022-50952 Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST reque... | 6.4 | MEDIUM | — | 0 |
| CVE-2022-50951 WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1755 The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ post meta in all versions up to, and including, 0.13.20 due to insuffic... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1613 The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `list_class` shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitiza... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-0742 The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficien... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1913 The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient inp... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1395 The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-6246 The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'container_right_width' attribute of the 'simple_random_posts' shortcode in all versions up ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1210 The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient i... | 6.4 | MEDIUM | — | 0 |
| CVE-2022-50941 BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unv... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34819 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the REMARK parameter to /cgi-bin/openvpnclient.cgi. An authenticated attacker can inject arbitrary JavaScript that ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1607 The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to ins... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4059 The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-0688 The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated at... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-35054 XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other u... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-6809 The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input san... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-6725 The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcsm_text_rotator` shortcode in all versions up to, and inclu... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-6551 The Timeline Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block in all versions up to, ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34822 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the new_cert_name parameter to /manage/ca/certificate/. An authenticated attacker can inject arbitrary JavaScript t... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34821 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/vpnauthentication/user/. An authenticated attacker can inject arbitrary JavaScript ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34818 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/localdomains/. An authenticated attacker can inject arbitrary JavaScript th... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34811 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/xtaccess.cgi. An authenticated attacker can inject arbitrary JavaScript that is st... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34810 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/vpnfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is store... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34809 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stor... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34798 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/routing.cgi. An authenticated attacker can inject arbitrary JavaScript that is sto... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2480 The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'max_width' attribute of the `su_box` shortcode in all versions up to, and incl... | 6.4 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.