Total
45125 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2483 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2026-06-17 | N/A | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session | |||||
| CVE-2026-2481 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-2480 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'max_width' attribute of the `su_box` shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-2466 | 2026-06-17 | N/A | 7.1 HIGH | ||
| The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2026-2440 | 2026-06-17 | N/A | 7.2 HIGH | ||
| The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context. | |||||
| CVE-2026-2437 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-2434 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-2433 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page. | |||||
| CVE-2026-2432 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2026-2431 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2026-2430 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where the `src` URL contains a space followed by `src=`, causing the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes. | |||||
| CVE-2026-2427 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-2425 | 2026-06-17 | N/A | 6.1 MEDIUM | ||
| The hiWeb Migration Simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'new_domain' parameter in all versions up to, and including, 2.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-2424 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-2420 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the frontend of the site where the popup is displayed. | |||||
| CVE-2026-2396 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2026-2389 | 2026-06-17 | N/A | 4.9 MEDIUM | ||
| The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. This is due to the `revert_divs_to_summary` function replacing `”` HTML entities with literal double-quote characters (`"`) in post content without subsequent sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The Classic Editor plugin is required to be installed and activated in order to exploit this vulnerability. | |||||
| CVE-2026-2384 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This vulnerability requires WPBakery Page Builder to be installed and active | |||||
| CVE-2026-2383 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-2382 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpw_fs_get_file' AJAX action in all versions up to, and including, 1.9.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the plugin's settings page. | |||||
