Total
43367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14137 | 2026-04-15 | N/A | 6.1 MEDIUM | ||
| The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-31857 | 2026-04-15 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Directorist AddonsKit for Elementor addonskit-for-elementor allows Stored XSS.This issue affects Directorist AddonsKit for Elementor: from n/a through <= 1.1.6. | |||||
| CVE-2024-38677 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Reviews.Co.Uk REVIEWS.Io allows Stored XSS.This issue affects REVIEWS.Io: from n/a through 1.2.7. | |||||
| CVE-2024-32079 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Dempfle Advanced iFrame allows Stored XSS.This issue affects Advanced iFrame: from n/a through 2024.2. | |||||
| CVE-2025-58862 | 2026-04-15 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in George Sexton WordPress Events Calendar Plugin – connectDaily connect-daily-web-calendar allows Stored XSS.This issue affects WordPress Events Calendar Plugin – connectDaily: from n/a through <= 1.5.5. | |||||
| CVE-2025-12717 | 2026-04-15 | N/A | 6.4 MEDIUM | ||
| The List Attachments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_list' parameter in the [list-attachments] shortcode in all versions up to, and including, 0.4.1a due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-10675 | 2026-04-15 | N/A | 6.1 MEDIUM | ||
| The affiliate-toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 3.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-48312 | 2026-04-15 | N/A | 5.4 MEDIUM | ||
| WebLaudos v20.8 (118) was discovered to contain a cross-site scripting (XSS) vulnerability via the login page. | |||||
| CVE-2025-0863 | 2026-04-15 | N/A | 6.4 MEDIUM | ||
| The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idx_frame' shortcode in all versions up to, and including, 3.14.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-29126 | 2026-04-15 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jose Mortellaro Specific Content For Mobile – Customize the mobile version without redirections allows Reflected XSS.This issue affects Specific Content For Mobile – Customize the mobile version without redirections: from n/a through 0.1.9.5. | |||||
| CVE-2025-9344 | 2026-04-15 | N/A | 6.4 MEDIUM | ||
| The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uwp_profile' and 'uwp_profile_header' shortcodes in all versions up to, and including, 1.2.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-23531 | 2026-04-15 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in davidfcarr RSVPMaker Volunteer Roles rsvpmaker-volunteer-roles allows Reflected XSS.This issue affects RSVPMaker Volunteer Roles: from n/a through <= 1.5.1. | |||||
| CVE-2025-23724 | 2026-04-15 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oleksandr87 University Quizzes Online university-quizzes-online allows Reflected XSS.This issue affects University Quizzes Online: from n/a through <= 1.4. | |||||
| CVE-2025-11819 | 2026-04-15 | N/A | 6.4 MEDIUM | ||
| The WP-Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'roboshot' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-11804 | 2026-04-15 | N/A | 6.1 MEDIUM | ||
| The Planaday API plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 11.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-12796 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Holistic IT, Consultancy Coop. Workcube ERP allows Reflected XSS.This issue affects Workcube ERP: from V12 - V14 before Cognitive. | |||||
| CVE-2024-32126 | 2026-04-15 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Peters Navigation menu as Dropdown Widget navigation-menu-as-dropdown-widget.This issue affects Navigation menu as Dropdown Widget: from n/a through <= 1.3.4. | |||||
| CVE-2026-1316 | 2026-04-15 | N/A | 7.2 HIGH | ||
| The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'media[].href' parameter in all versions up to, and including, 5.97.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers (if 'Enable for Guests' is enabled) to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-2030 | 2026-04-15 | N/A | 6.4 MEDIUM | ||
| The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-51814 | 2026-04-15 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 野人 活动链接推广插件 yr-activity-link allows DOM-Based XSS.This issue affects 活动链接推广插件: from n/a through <= 1.2.0. | |||||