Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ntp-header-images allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jnwry vcOS allows Reflected XSS.4.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in marekki Marekkis Watermark allows Reflected XSS.9.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored cross-site scripting in Zigaform WordPress plugin versions up to 7.4.2 allows unauthenticated attackers to inject malicious scripts that execute when administrators or users view affected form submissions. The vulnerability achieves changed scope (S:C in CVSS vector), enabling attackers to compromise admin sessions and potentially take over WordPress sites. EPSS probability is low at 0.08% (25th percentile), indicating limited observed exploitation activity. Patchstack vulnerability database confirms the issue but fix version is not independently verified from available data.
Stored cross-site scripting (XSS) in Zigaform Form Builder Lite WordPress plugin through version 7.4.2 allows unauthenticated remote attackers to inject malicious scripts that execute in victims' browsers. The vulnerability requires user interaction (viewing the stored malicious content) and enables changed scope impact, potentially compromising administrator sessions and site integrity. EPSS score of 0.08% (25th percentile) indicates low observed exploitation probability despite the network-accessible attack vector. Patchstack database confirms the vulnerability but patch status is not documented in available references.
Reflected cross-site scripting (XSS) in the Small Package Quotes - Unishippers Edition WordPress plugin through version 2.4.9 allows remote attackers to inject malicious scripts that execute in victims' browsers when users click crafted links. The CVSS vector indicates network-based exploitation requiring user interaction but no authentication, with changed scope enabling attacks beyond the vulnerable component's security context. EPSS score of 0.08% (25th percentile) suggests low observed exploitation activity, though no public exploit code or CISA KEV listing exists at time of analysis.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WP Templata allows Reflected XSS.0.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Swift Calendar Online Appointment Scheduling allows Reflected XSS.3.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mobde3net ePermissions allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in NotFound Curated Search allows Stored XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in NotFound WP SpaceContent allows Stored XSS.4.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.