Information disclosure in Razvan Stanga's Varnish/Nginx Proxy Caching WordPress plugin through version 1.8.3 allows sensitive data embedded in cached responses to be exposed to unauthorized users. The vulnerability stems from improper handling of sensitive information during proxy caching operations, enabling attackers to retrieve cached data containing credentials, tokens, or other confidential material. No authentication is required to exploit this issue, and EPSS analysis indicates a 4.43% probability of exploitation (89th percentile), suggesting moderate real-world risk despite the lack of known public exploits.
The Efí Bank Gerencianet Oficial WordPress plugin through version 3.1.3 exposes sensitive data by embedding it into sent HTTP requests or responses, allowing attackers to retrieve payment-related information without authentication. This information disclosure vulnerability (CWE-201) affects all installations of the affected plugin versions and is classified as low-risk based on EPSS score (0.04%, 12th percentile), with no public exploit code or active exploitation confirmed.
Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress pro-watermark allows Path Traversal.This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through <= 2.0.
Stored cross-site scripting (XSS) vulnerability in Wayne Allen Postie WordPress plugin through version 1.9.73 allows authenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability stems from improper input neutralization during web page generation, enabling persistence of injected payloads in the application's data store. No public exploit code or active exploitation has been identified at time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation interest despite the vulnerability's presence in a plugin with unknown user base size.
DOM-based cross-site scripting (XSS) in SEO Slider WordPress plugin through version 1.1.1 allows authenticated or unauthenticated attackers to inject malicious scripts into the DOM, potentially enabling session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 1.1.1 and has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the XSS attack vector. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) in WPFactory Maximum Products per User for WooCommerce plugin through version 4.4.3 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects WordPress installations using this WooCommerce extension, with an EPSS score of 0.04% indicating low real-world exploitation probability despite the XSS attack vector. No active exploitation has been confirmed.
Stored cross-site scripting (XSS) vulnerability in Livemesh Addons for Beaver Builder WordPress plugin versions 3.9.2 and earlier allows attackers to inject malicious scripts into web pages that execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling authenticated or privileged users to store malicious payloads that persist in the plugin's content. With an EPSS score of 0.04% (14th percentile), real-world exploitation likelihood is minimal, though the stored nature of the XSS means injected content could affect multiple end users if compromised.
Stored cross-site scripting (XSS) in Chris Steman Page Title Splitter WordPress plugin versions through 2.5.9 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators and visitors. The vulnerability exists in page generation functionality where user input is not properly sanitized before being rendered in web pages. EPSS score of 0.04% indicates low exploitation probability at present, with no confirmed active exploitation or public proof-of-concept identified.
Stored cross-site scripting (XSS) in MyBookTable Bookstore WordPress plugin version 3.6.0 and earlier allows authenticated or unauthenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability exists in the web page generation process where user input is not properly neutralized before being stored and rendered. No public exploit code has been identified, and the EPSS score of 0.04% suggests low real-world exploitation probability despite the XSS classification.
Stored cross-site scripting (XSS) in Curator.io WordPress plugin through version 1.9.5 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise user sessions and steal sensitive data. While EPSS scoring indicates low exploitation probability (0.04%), the persistent nature of stored XSS and potential for privilege escalation warrant prompt patching.
Stored cross-site scripting (XSS) in Custom Background Changer WordPress plugin through version 3.0 allows authenticated attackers to inject malicious JavaScript that persists in the database and executes for all users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the vulnerability's technical severity.
Stored cross-site scripting (XSS) in the kcseopro AdWords Conversion Tracking Code WordPress plugin version 1.0 and earlier allows attackers to inject malicious scripts into web pages, which are then executed in the browsers of other users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that can compromise user sessions, steal credentials, or redirect visitors to malicious sites. EPSS score of 0.04% indicates low exploitation probability despite the stored XSS vector.
Stored cross-site scripting (XSS) in webvitaly Extra Shortcodes WordPress plugin through version 2.2 allows authenticated attackers to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling persistence of arbitrary JavaScript code within the plugin's shortcode processing. The low EPSS score (0.04%) and lack of public exploit code suggest limited practical exploitation likelihood, though the stored nature of the vulnerability means injected payloads affect all subsequent visitors until remediated.
Stored cross-site scripting (XSS) in the Audiomack WordPress plugin through version 1.4.8 allows authenticated attackers to inject malicious scripts into web pages, enabling session hijacking, credential theft, or defacement. No active exploitation detected (EPSS 0.04%, low percentile), but the vulnerability affects all installations of the vulnerable plugin versions and persists across page loads due to its stored nature.
Stored cross-site scripting (XSS) in Tomas WordPress Tooltips plugin versions 10.9.3 and earlier allows authenticated attackers to inject malicious scripts into tooltip content that execute in the browsers of site administrators and other users. The vulnerability affects WordPress Tooltips through version 10.9.3, and exploitation requires an authenticated user with permissions to create or modify tooltips. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in wpforchurch Sermon Manager WordPress plugin through version 2.30.0 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site administrators and other users. The vulnerability affects sermon content input validation, enabling attackers with contributor or editor privileges to compromise website integrity and steal sensitive data from higher-privileged users.
Stored cross-site scripting (XSS) vulnerability in BasePress Knowledge Base documentation & wiki plugin versions through 2.17.0.1 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users viewing affected content. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise user sessions, steal credentials, or deface documentation within WordPress installations using BasePress. With EPSS exploitation probability at 0.04% (14th percentile), real-world exploitation risk is currently low, though the stored nature of the XSS makes it a persistence risk if discovered by threat actors.
Stored cross-site scripting (XSS) in BuddyDev BuddyPress Activity Shortcode plugin through version 1.1.8 allows attackers to inject and persist malicious scripts that execute in users' browsers. The vulnerability affects WordPress sites using this plugin, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and active exploitation has not been confirmed.
Stored cross-site scripting (XSS) in the Justin Tadlock Series WordPress plugin up to version 2.0.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage within the plugin's data structures. With an EPSS score of 0.04% and low exploitation probability, this represents a lower-priority but still exploitable vulnerability in a plugin with active distribution.
DOM-based cross-site scripting (XSS) in Funnelforms Free WordPress plugin version 3.8 and earlier allows authenticated attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability has a low EPSS score (0.04%, 14th percentile) and no confirmed active exploitation, suggesting limited real-world attack probability despite the XSS classification.
Stored XSS vulnerability in MX Time Zone Clocks WordPress plugin versions up to 5.1.1 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during web page generation, enabling persistent cross-site scripting attacks that could compromise site visitors, steal session tokens, or deface content. EPSS score of 0.04% indicates low real-world exploitation probability, though the stored nature of the XSS makes it a medium-priority remediation target for affected WordPress administrators.
Stored cross-site scripting (XSS) in Shuttle WordPress theme through version 1.5.0 allows authenticated users to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the moderate attack surface typical of stored XSS flaws. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) vulnerability in the Melos WordPress theme through version 1.6.0 allows attackers to inject and execute arbitrary JavaScript code that persists in the application and executes in the browsers of other users. The vulnerability affects all versions up to and including 1.6.0, and while no CVSS vector or EPSS exploitation probability is formally assigned, the low EPSS score (0.04th percentile) suggests minimal real-world exploitation likelihood despite the stored nature of the flaw.
DOM-based cross-site scripting (XSS) in codetipi Valenti Engine through version 1.0.3 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the WordPress plugin and is classified as improper neutralization of input during web page generation. With an EPSS score of 0.01% and no CVSS severity data available, real-world exploitation risk appears minimal, though the attack vector and prerequisites require confirmation from patch analysis.
Stored cross-site scripting (XSS) vulnerability in Bootstrap Modals WordPress plugin versions up to 1.3.2 allows authenticated attackers to inject and execute arbitrary JavaScript code that persists in the database and executes for all site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling attackers with plugin-relevant permissions to compromise user sessions and steal sensitive data from administrators and site visitors.
Stored cross-site scripting in thinkupthemes Consulting WordPress theme versions through 1.5.0 enables authenticated users or malicious admins to inject persistent JavaScript payloads that execute in the browsers of other site visitors or administrators. The vulnerability allows arbitrary script execution within the context of the affected WordPress installation, potentially leading to account compromise, malware distribution, or session hijacking. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in thinkupthemes Minamaze WordPress theme versions up to 1.10.1 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability has an EPSS score of 0.01% (3rd percentile), indicating minimal likelihood of exploitation in practice, though it represents a privilege-escalation pathway for authenticated attackers with contributor-level access or higher.
DOM-based cross-site scripting (XSS) in WebMan Amplifier WordPress plugin through version 1.5.12 allows attackers to inject malicious scripts that execute in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks depending on the specific injection vector. With an EPSS score of 0.01% (3rd percentile) and no evidence of active exploitation, this represents a low real-world risk despite the XSS classification, though remediation is still recommended for all affected installations.
DOM-based cross-site scripting (XSS) in The Moneytizer WordPress plugin up to version 10.0.9 allows attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects WordPress sites running the vulnerable plugin versions and could enable session hijacking, credential theft, or malware distribution targeting site administrators and visitors. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.01% suggests minimal real-world exploitation probability.
DOM-based cross-site scripting (XSS) in Kalender.digital WordPress plugin through version 1.0.13 allows unauthenticated attackers to inject malicious scripts via improper input neutralization during web page generation. The vulnerability affects all versions up to and including 1.0.13, with an EPSS score of 0.01% indicating very low exploitation likelihood in practice despite the high-severity CWE-79 classification.
DOM-based cross-site scripting (XSS) in Bainternet User Specific Content WordPress plugin versions 1.0.6 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While no public exploit code or active exploitation has been confirmed, the extremely low EPSS score (0.01%) and lack of CVSS vector data suggest limited real-world exploitability or specificity to attack scenarios, despite the XSS classification.
DOM-based cross-site scripting (XSS) in Genetech Products Web and WooCommerce Addons for WPBakery Builder (vc-addons-by-bit14) plugin versions up to 1.5 allows unauthenticated attackers to inject malicious scripts that execute in the context of affected user sessions. The vulnerability stems from improper neutralization of user-supplied input during web page generation. EPSS scoring (0.01%, percentile 3%) indicates very low real-world exploitation probability despite the nature of the flaw, and no public exploit code or active exploitation has been confirmed.
DOM-based cross-site scripting (XSS) vulnerability in the Responsive Block Control WordPress plugin through version 1.3.0 allows attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction with a malicious link or form, but once triggered, the vulnerability enables session hijacking, credential theft, or defacement. The vulnerability has an exceptionally low EPSS score (0.01th percentile) suggesting minimal real-world exploitation likelihood despite public disclosure.
DOM-based cross-site scripting (XSS) vulnerability in Ruhul Amin Content Fetcher WordPress plugin versions 1.1 and earlier allows authenticated attackers to inject arbitrary JavaScript code into web pages, potentially compromising site integrity and user sessions. The vulnerability resides in improper input neutralization during web page generation, enabling malicious scripts to execute in the context of affected websites. EPSS exploitation probability is extremely low at 0.01% (3rd percentile), indicating minimal real-world attack likelihood despite the XSS vector.
Cross-Site Request Forgery (CSRF) in Everest Backup WordPress plugin versions ≤2.3.11 enables unauthenticated attackers to manipulate backup file paths via path traversal, potentially exposing sensitive files or altering backup integrity. The vulnerability requires user interaction (CVSS UI:R) and carries no authentication requirement (PR:N), allowing remote exploitation through social engineering. EPSS probability of 0.01% (1st percentile) indicates minimal observed exploitation activity in the wild, and no public exploit identified at time of analysis. Despite CVSS 8.1 severity reflecting high confidentiality and integrity impact, real-world risk remains moderate given the user-interaction dependency and absence of active exploitation indicators.
Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.
Stored cross-site scripting (XSS) in the eleopard Behance Portfolio Manager WordPress plugin versions 1.7.5 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other users visiting affected pages. The vulnerability stems from improper input sanitization during portfolio content generation, enabling attackers with contributor-level access or higher to compromise site visitors. No public exploit code or active exploitation has been reported, though the vulnerability carries a low EPSS score (0.04%, percentile 13%) suggesting limited real-world exploitation likelihood at time of analysis.
Stored XSS vulnerability in ikaes Accessibility Press plugin (ilogic-accessibility) versions through 1.0.2 allows authenticated attackers to inject arbitrary JavaScript that executes in the browsers of other site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability stems from improper input sanitization during web page generation and carries a low exploitation probability (EPSS 0.04th percentile) with no confirmed active exploitation.
Stored cross-site scripting (XSS) in Dashboard Beacon WordPress plugin versions up to 1.2.0 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage and execution across user sessions. No public exploit code or active exploitation has been confirmed.
DOM-based cross-site scripting (XSS) in WooCommerce Parcelas WordPress plugin versions up to 1.3.5 allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While EPSS scoring indicates low exploitation probability (0.01%), the DOM-based nature and lack of authentication barriers make this a persistent client-side threat in environments where the vulnerable plugin remains deployed.
Stored cross-site scripting (XSS) vulnerability in SaifuMak Add Custom Codes WordPress plugin versions 4.80 and earlier allows authenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site administrators and other users. The vulnerability stems from improper input sanitization when storing custom code, enabling attackers with plugin access to compromise site integrity and steal administrative credentials or sessions.
Stored cross-site scripting (XSS) in nicashmu Post Video Players WordPress plugin through version 1.163 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability exists in the video-playlist-and-gallery-plugin and affects all versions up to and including 1.163; no public exploit code has been identified, but the low EPSS score (0.01%) suggests limited real-world exploitation likelihood despite the vulnerability's persistent nature.
Stored cross-site scripting (XSS) in plainware Locatoraid Store Locator WordPress plugin versions up to 3.9.68 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the plugin's input handling during web page generation, enabling persistent XSS attacks. With an EPSS score of 0.01% and no active exploitation confirmed, this represents a low-probability but persistent risk requiring plugin updates.
Stored cross-site scripting (XSS) in Soli WP Post Signature plugin through version 0.4.1 allows authenticated users to inject malicious scripts into post signatures, which execute in the browsers of administrators and other site visitors viewing affected posts. The vulnerability requires user interaction or administrative access to inject the payload but poses a risk to site integrity and user data. EPSS exploitation probability is minimal at 0.01%, suggesting low real-world attack likelihood despite the vulnerability class.
Stored cross-site scripting (XSS) in Imran Emu Logo Slider WordPress plugin versions 1.8.1 and earlier allows attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects the Logo Slider, Logo Carousel, Logo Showcase, and Client Logo plugin variants. An attacker with sufficient privileges to inject content (such as a contributor or compromised admin account) can embed arbitrary JavaScript to steal session tokens, deface pages, or redirect users to malicious sites. EPSS score of 0.01% indicates low exploitation probability in the wild, though the stored nature of the XSS elevates the persistence risk once injected.
DOM-based cross-site scripting in the ViitorCloud Technologies Add Featured Image Custom Link WordPress plugin (versions up to 2.0.0) allows unauthenticated attackers to inject arbitrary JavaScript into web pages through improper input sanitization. The vulnerability affects the custom URL handling mechanism for featured images, enabling malicious actors to steal session cookies, perform account takeover, or redirect users to phishing sites. EPSS score of 0.01% indicates minimal real-world exploitation probability despite the XSS classification.
ColorWay WordPress theme through version 4.2.3 embeds sensitive information in sent data, allowing unauthenticated attackers to retrieve embedded data without authentication. The vulnerability has an exceptionally low exploitation probability (EPSS 0.03%, 9th percentile) despite being information disclosure in nature, suggesting the sensitive data exposure requires specific conditions or limited practical impact. No active exploitation or public exploit code is documented at time of analysis.
Missing authorization controls in Conformer for Elementor WordPress plugin version 1.0.7 and earlier allow attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. The vulnerability stems from broken access control (CWE-862) without explicit authentication requirements, affecting all users of the plugin through version 1.0.7. While EPSS score is minimal at 0.05%, the nature of access control bypasses warrants assessment in WordPress environments where the plugin is deployed.
Missing authorization in merkulove Logger for Elementor plugin through version 1.0.9 allows attackers to bypass access controls and exploit incorrectly configured security levels. Unauthenticated or low-privileged users can access protected functionality due to absent or insufficient authorization checks. The vulnerability has low exploitation probability (EPSS 0.05%) and no confirmed public exploit code or active exploitation reported.
Missing authorization in Worker for WPBakery plugin versions through 1.1.1 allows attackers to exploit incorrectly configured access control, enabling unauthorized actions through broken access control mechanisms. The vulnerability affects WordPress installations running this plugin and could allow unauthenticated or low-privileged users to bypass security restrictions, though the specific attack surface and impact are limited by low EPSS probability (0.05%) and minimal public awareness.