Skip to main content
CVE-2026-27440 MEDIUM This Month

Stored cross-site scripting in myCred versions up to 2.9.7.6 allows authenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with login credentials can leverage the vulnerability to steal session tokens, deface content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27094 MEDIUM This Month

GoDaddy CoBlocks through version 3.1.16 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages, potentially compromising other users who view the affected content. The vulnerability requires user interaction and can impact the confidentiality, integrity, and availability of affected systems. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27074 MEDIUM This Month

Stored XSS in Shortcoder plugin version 6.5.1 and earlier enables authenticated attackers to inject malicious scripts into web pages, affecting all users who view the compromised content. An attacker with user-level privileges can execute arbitrary JavaScript in victims' browsers through improper input sanitization during page generation. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27069 MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Soledad through version 8.7.2 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or data theft. The vulnerability requires user interaction and impacts the confidentiality, integrity, and availability of affected installations. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27059 MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Recipe plugin version 4.1 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially stealing session data or performing actions on behalf of affected users. The vulnerability requires user interaction and affects installations using vulnerable versions of the Penci Recipe component.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27058 MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Podcast through version 1.7 allows authenticated attackers to inject malicious scripts that execute in users' browsers with user interaction. An attacker with login credentials can exploit improper input sanitization during page generation to steal session tokens, redirect users, or perform actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27057 MEDIUM This Month

PenciDesign Penci Filter Everything penci-filter-everything is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25472 MEDIUM This Month

Stored cross-site scripting in ThemeFusion Fusion Builder through version 3.14.3 allows authenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with login credentials can leverage this vulnerability to steal session cookies, redirect users, or perform actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25463 MEDIUM This Month

Stored cross-site scripting in WpEstate Wpresidence Core through version 5.4.0 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction to trigger the payload and affects the broader site context, making it a persistence risk for compromised WordPress installations. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25453 MEDIUM This Month

DOM-based cross-site scripting in Advanced iFrame plugin through version 2025.10 allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially compromising session data and user interactions. The vulnerability requires user interaction and network access but can affect multiple security domains due to its scope impact. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25451 MEDIUM This Month

Bold Page Builder through version 5.6.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages. An attacker with user privileges can craft malicious input that persists in the application and executes in the browsers of other users who view the affected pages, potentially leading to credential theft or unauthorized actions. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25432 MEDIUM This Month

Stored cross-site scripting in Omnipress versions 1.6.7 and earlier allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially compromising session data and user interactions. The vulnerability requires user interaction to trigger but can affect any user viewing the affected content due to its stored nature. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25331 MEDIUM This Month

Melapress WP Activity Log wp-security-audit-log is affected by cross-site scripting (xss) (CVSS 6.5).

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25307 MEDIUM This Month

DOM-based XSS in the 8theme XStore Core et-core-plugin versions below 5.7 enables authenticated attackers to inject malicious scripts that execute in users' browsers through improper input handling during page generation. An attacker with user-level privileges and ability to trigger user interaction can exploit this to steal session data, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this medium-severity vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25305 MEDIUM This Month

DOM-based cross-site scripting in 8theme XStore through version 9.6.4 allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially stealing sensitive information or performing actions on behalf of victims. The vulnerability requires user interaction and affects the scope beyond the vulnerable component, with no patch currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27092 MEDIUM This Month

Inadequate access control in WPAdverts through version 2.2.11 permits authenticated users to access sensitive information they should not be authorized to view. An attacker with valid login credentials could exploit misconfigured permission checks to read confidential data within the plugin. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25368 MEDIUM This Month

codepeople Calculated Fields Form calculated-fields-form is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-71242 MEDIUM This Month

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. [CVSS 6.5 MEDIUM]

Authentication Bypass Spip
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25372 MEDIUM This Month

Kodezen Academy LMS versions up to 3.5.3 contain an access control misconfiguration that allows authenticated users to modify data they should not have permission to access. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized changes, though no public exploit code or active exploitation has been reported. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26320 MEDIUM PATCH This Month

OpenClaw macOS desktop client versions 2026.2.6 through 2026.2.13 fail to fully display message content in confirmation dialogs for deep links, allowing attackers to hide malicious payloads behind whitespace that users cannot see before execution. When a user approves the truncated preview and clicks "Run," the full hidden message executes, potentially leading to arbitrary command execution depending on the user's configured permissions. This affects beta versions of the OpenClaw AI assistant on macOS where the openclaw:// URL scheme is registered without proper authentication.

macOS AI / ML Openclaw
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26203 MEDIUM PATCH This Month

PJSIP versions before 2.17 contain a use-after-free vulnerability in the H.264 packetizer that allows local attackers with user privileges to cause denial of service through malformed H.264 bitstreams lacking proper NAL unit markers. The flaw stems from inadequate pointer validation during packet processing, enabling out-of-bounds memory access that crashes the application. A patch is available in version 2.17 and later.

Use After Free Pjsip
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26327 MEDIUM PATCH This Month

OpenClaw's mDNS/Bonjour discovery beacons transmit unauthenticated TXT records that iOS, macOS, and Android clients treat as authoritative for routing and TLS certificate pinning, allowing an attacker on a shared LAN to advertise a rogue service and redirect connections to attacker-controlled endpoints. An attacker can exploit this to bypass TLS pinning validation and potentially capture Gateway credentials through man-in-the-middle attacks. The vulnerability affects OpenClaw versions prior to 2026.2.14 and requires network proximity but no user interaction.

macOS Android iOS TLS AI / ML +2
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14983 MEDIUM This Month

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-12448 MEDIUM This Month

The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS AI / ML PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2718 MEDIUM This Month

The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13732 MEDIUM This Month

The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13612 MEDIUM This Month

Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12375 MEDIUM This Month

The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can b...

WordPress SSRF PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14851 MEDIUM This Month

The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-27473 MEDIUM This Month

Stored XSS in SPIP before 4.4.9 allows authenticated attackers to inject malicious scripts through syndicated site URLs that execute in the private administrative area when other admins view syndication details. An attacker with the ability to configure a malicious syndication feed can achieve persistent code execution affecting other administrators. No patch is currently available for this vulnerability.

XSS Spip
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1646 MEDIUM This Month

Stored cross-site scripting in the Advance Block Extend WordPress plugin versions up to 1.0.4 allows authenticated contributors and above to inject malicious scripts through the TitleColor attribute in the Latest Posts block, which execute in the browsers of users viewing affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling persistent payload injection. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1373 MEDIUM This Month

Stored XSS in WordPress Easy Author Image plugin up to version 1.7 allows authenticated subscribers and above to inject malicious scripts through the author_profile_picture_url parameter due to inadequate input sanitization. Attackers can embed arbitrary JavaScript that executes when other users view affected pages, potentially compromising user sessions and data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0556 MEDIUM This Month

Stored XSS in the XO Event Calendar WordPress plugin through version 3.2.10 allows authenticated contributors and above to inject malicious scripts into pages via the 'xo_event_field' shortcode due to improper input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0549 MEDIUM This Month

Stored XSS in WordPress Groups plugin through the 'groups_group_info' shortcode allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via inadequate input validation. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking or account compromise. No patch is currently available for versions up to 3.10.0.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14445 MEDIUM This Month

The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13738 MEDIUM This Month

The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13617 MEDIUM This Month

Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13048 MEDIUM This Month

The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12117 MEDIUM This Month

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12116 MEDIUM This Month

The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-23803 MEDIUM This Month

Burhan Nasir Smart Auto Upload Images smart-auto-upload-images is affected by server-side request forgery (ssrf) (CVSS 6.4).

SSRF
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-69674 MEDIUM This Month

Buffer Overflow vulnerability in CDATA FD614GS3-R850 V3.2.7_P161006 (Build.0333.250211) allows an attacker to execute arbitrary code via the node_mac, node_opt, opt_param, and domainblk parameters of the mesh_node_config and domiainblk_config modules [CVSS 6.4 MEDIUM]

Buffer Overflow
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-22268 MEDIUM This Month

Dell PowerProtect Data Manager versions prior to 19.22 contain a privilege assignment flaw that allows low-privileged remote attackers to disrupt Enterprise Support connections, resulting in denial of service. Exploitation requires valid credentials and user interaction, and no patch is currently available. The vulnerability affects system availability rather than confidentiality or data integrity.

Denial Of Service Powerprotect Data Manager
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-2502 MEDIUM This Month

Stored cross-site scripting in the WordPress XML-RPC Attacks Blocker plugin up to version 1.0 allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For HTTP header, which are then executed when administrators access the debug log page. The vulnerability stems from improper handling of untrusted header data without output escaping. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-0561 MEDIUM This Month

Shield Security plugin for WordPress versions up to 21.0.8 contains a reflected XSS vulnerability in the 'message' parameter that allows unauthenticated attackers to inject malicious scripts through specially crafted links. Successful exploitation requires tricking users into clicking a malicious link, resulting in execution of arbitrary JavaScript in their browser context. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-14076 MEDIUM This Month

The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-11706 MEDIUM This Month

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-15562 MEDIUM This Month

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker. [CVSS 6.1 MEDIUM]

RCE XSS Worktime
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2736 MEDIUM This Month

Reflected XSS in OpenCms v18.0 via the 'q' parameter in /search/index.html allows unauthenticated attackers to inject malicious scripts through crafted URLs. Successful exploitation enables session hijacking, credential theft, and arbitrary actions performed on behalf of authenticated users. No patch is currently available.

XSS Opencms
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27474 MEDIUM This Month

Reflected XSS in SPIP versions before 4.4.9 permits attackers to execute arbitrary scripts in the private area through insufficiently sanitized input, form, button, and anchor HTML tags. An unauthenticated attacker can craft malicious payloads that bypass the incomplete anti-XSS protection introduced in version 4.4.8, affecting all SPIP installations without the patch.

XSS Spip
NVD
CVSS 3.1
6.1
EPSS
0.0%
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy