Skip to main content
CVE-2024-2643 MEDIUM POC This Month

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.6.8 does not sanitise and escape some of its settings, which could allow. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS My Sticky Bar
NVD WPScan
CVSS 3.1
4.8
EPSS
0.3%
CVE-2024-1663 MEDIUM POC This Month

The Ultimate Noindex Nofollow Tool II WordPress plugin before 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ultimate Noindex Nofollow Tool Ii
NVD WPScan
CVSS 3.1
4.8
EPSS
0.3%
CVE-2023-5932 MEDIUM POC This Month

The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Travelpayouts
NVD WPScan
CVSS 3.1
4.8
EPSS
0.3%
CVE-2024-6462 MEDIUM POC This Month

The DL Yandex Metrika WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Dl Yandex Metrika
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2023-7168 MEDIUM POC This Month

The Better Follow Button for Jetpack WordPress plugin through 8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Better Flow Button For Jetpack
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13482 MEDIUM POC This Month

The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Icegram Engage
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-6478 MEDIUM POC This Month

The CTT Expresso para WooCommerce WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ctt Expresso Para Woocommerce
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-5026 MEDIUM POC This Month

The CM Tooltip Glossary WordPress plugin before 4.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Cm Tooltip Glossary
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-2869 MEDIUM POC This Month

The Easy Property Listings WordPress plugin before 3.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Easy Property Listings
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13730 MEDIUM POC This Month

The Podlove Podcast Publisher WordPress plugin before 4.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Podlove Podcast Publisher
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13729 MEDIUM POC This Month

The Podlove Podcast Publisher WordPress plugin before 4.1.24 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Podlove Podcast Publisher
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13621 MEDIUM POC This Month

The GDPR Framework By Data443 WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Gdpr Framework
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13616 MEDIUM POC This Month

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13486 MEDIUM POC This Month

The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Icegram Engage
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13384 MEDIUM POC This Month

The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.24 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Robo Gallery
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13383 MEDIUM POC This Month

The HD Quiz WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Hd Quiz
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13382 MEDIUM POC This Month

The Calculated Fields Form WordPress plugin before 5.2.64 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Calculated Fields Form
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13357 MEDIUM POC This Month

The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ditty
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-13313 MEDIUM POC This Month

The AWeber WordPress plugin through 7.3.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Aweber
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-12679 MEDIUM POC This Month

The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Google Website Translator
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-10149 MEDIUM POC This Month

The Social Slider Feed WordPress plugin before 2.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Social Slider Widget
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-10145 MEDIUM POC This Month

The Hubbub Lite WordPress plugin before 1.34.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Social Pug
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-10144 MEDIUM POC This Month

The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.22 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Robo Gallery
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-10054 MEDIUM POC This Month

The Happyforms WordPress plugin before 1.26.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Happyforms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-6665 MEDIUM POC This Month

The KBucket: Your Curated Content in WordPress plugin before 4.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Kbucket
NVD WPScan
CVSS 3.1
4.8
EPSS
0.1%
CVE-2024-6335 MEDIUM POC This Month

The Tracking Code Manager WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tracking Code Manager
NVD WPScan
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-48051 MEDIUM POC PATCH This Month

powertip.ts in Lila (for Lichess) before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as HTML. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

XSS Powertip Ts
NVD GitHub
CVSS 3.1
4.7
EPSS
0.2%
CVE-2023-7196 MEDIUM POC This Month

The Ultimate Noindex Nofollow Tool WordPress plugin through 1.1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Ultimate Noindex Nofollow Tool
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-7195 MEDIUM POC This Month

The WP-Reply Notify WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Wp Reply Notify
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-10009 MEDIUM POC This Month

The Melapress File Monitor WordPress plugin before 2.1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Melapress File Monitor
NVD WPScan
CVSS 3.1
4.1
EPSS
0.2%
CVE-2025-32738 MEDIUM This Month

Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-0921 MEDIUM This Month

Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 all versions,. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-4591 MEDIUM This Month

The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-44182 MEDIUM This Month

Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via the vehiclename, modelnumber, regnumber, vehiclesubtype, chasisnum, enginenumber' in the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP RCE XSS Vehicle Record Management System
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-4516 MEDIUM PATCH This Month

There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required. No vendor patch available.

Use After Free Memory Corruption Information Disclosure Red Hat Suse
NVD GitHub
CVSS 4.0
5.9
EPSS
0.2%
CVE-2024-10076 MEDIUM This Month

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Jetpack Jetpack Boost
NVD WPScan
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-31947 MEDIUM PATCH This Month

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mattermost Server Suse
NVD
CVSS 3.1
5.8
EPSS
0.4%
CVE-2025-1647 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS).4.1 before 4.0.0. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS Red Hat
NVD HeroDevs
CVSS 3.1
5.6
EPSS
0.3%
CVE-2025-3440 MEDIUM This Month

IBM Security Guardium 11.5 is vulnerable to stored cross-site scripting. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XSS Security Guardium
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-47580 MEDIUM This Month

Missing Authorization vulnerability in Rustaurius Front End Users allows Exploiting Incorrectly Configured Access Control Security Levels.2.32. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-2334 MEDIUM This Month

The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have CSRF check when updating its Access Code,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google WordPress CSRF Easy Digital Downloads Google Sheet Connector Edd Gsheetconnector
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-56006 MEDIUM This Month

Missing Authorization vulnerability in Automattic Jetpack Debug Tools.0.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-4701 MEDIUM This Month

A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421.load of the file models/utils.py. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-3446 MEDIUM PATCH This Month

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Mattermost Server Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-51666 MEDIUM This Month

Missing Authorization vulnerability in Automattic Tours.0.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-4728 MEDIUM POC This Week

A vulnerability was found in SourceCodester Best Online News Portal 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Best Online News Portal
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-4727 MEDIUM POC PATCH This Month

A vulnerability was found in Meteor up to 3.2.1 and classified as problematic.assign of the file packages/ddp-server/livedata_server.js. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Denial Of Service Meteor
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.7%
CVE-2025-4726 MEDIUM POC This Week

A vulnerability has been found in itsourcecode Placement Management System 1.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Placement Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-4725 MEDIUM POC This Week

A vulnerability, which was classified as critical, was found in itsourcecode Placement Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Placement Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-4724 MEDIUM POC This Week

A vulnerability, which was classified as critical, has been found in itsourcecode Placement Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Placement Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy