Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticated users with low privileges to inject malicious scripts via invalid visit labels. The vulnerability arises because responses are JSON-encoded but lack a proper Content-Type header, causing browsers to interpret the payload as HTML. An attacker can trick a victim into following a crafted link to execute arbitrary JavaScript in the victim's browser context, potentially compromising sensitive neuroimaging research data. Fixed in versions 27.0.3 and 28.0.1.
WP Blockade WordPress plugin versions up to 0.9.14 allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress shortcodes due to missing authorization checks and nonce verification in the render_shortcode_preview() function. An attacker can supply malicious shortcodes via the 'wp-blockade-shortcode-render' admin_post action to achieve information disclosure, privilege escalation, or arbitrary actions depending on registered shortcodes. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in UiCore Elements WordPress plugin versions 1.3.14 and earlier allows authenticated users to inject malicious scripts into web pages, which execute in the browsers of other users viewing affected content. The vulnerability stems from improper input neutralization during page generation, affecting any WordPress installation using the plugin. No active exploitation has been confirmed, and the EPSS score of 0.03% indicates very low real-world exploitation probability despite the CVSS 6.5 score.
Stored cross-site scripting (XSS) in WPBITS Addons For Elementor Page Builder versions up to 1.8.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability stems from improper input sanitization during web page generation, enabling an attacker to persistently compromise site content and steal session tokens or perform administrative actions on behalf of legitimate users. EPSS exploitation probability is very low at 0.03%, indicating limited real-world attack likelihood despite moderate CVSS severity.
DOM-based cross-site scripting (XSS) in Wealcoder Animation Addons for Elementor through version 2.6.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the click of a link. The vulnerability stems from improper input neutralization during web page generation and affects all versions of the plugin up to and including 2.6.1. With an EPSS score of 0.03% and no confirmed active exploitation, this represents a lower-priority vulnerability despite the authenticated attack requirement.
DOM-Based cross-site scripting (XSS) in Elfsight WhatsApp Chat CC WordPress plugin versions up to 1.2.0 allows authenticated attackers with limited privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R per CVSS vector) and affects the plugin's DOM manipulation during web page generation. Real-world exploitation risk is low: EPSS score of 0.03% (8th percentile) reflects minimal demonstrated exploitation likelihood, no public proof-of-concept has been identified, and CISA SSVC assessment indicates exploitation is not yet observed and attack automation is infeasible.
Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS exploitation probability is very low at 0.03% (8th percentile), and CISA SSVC assessment indicates no known exploitation, non-automatable attacks, and partial technical impact, suggesting this is a lower-priority vulnerability despite the CVSS 6.5 rating.
DOM-based cross-site scripting in MK Google Directions WordPress plugin versions up to 3.1.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper sanitization of user-supplied input during web page generation, enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or deface plugin interface elements. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is minimal despite the medium CVSS score of 6.5.
DOM-Based XSS in Hello Bar Popup Builder WordPress plugin versions up to 1.5.1 allows authenticated attackers with low privileges to inject arbitrary scripts that execute in users' browsers with the affected site's context. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS score of 0.03% (8th percentile) and CISA SSVC assessment of non-automatable exploitation with partial technical impact indicate this is a low real-world priority despite moderate CVSS score, though authenticated access and user interaction requirements limit immediate threat surface.
DOM-based cross-site scripting (XSS) in Vladimir Prelovac SEO Friendly Images WordPress plugin version 3.0.5 and earlier allows authenticated attackers with low privileges to execute arbitrary JavaScript in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the WordPress admin dashboard with cross-site scope, enabling session hijacking, credential theft, or malicious actions on behalf of compromised administrators. EPSS exploitation probability is minimal at 0.03%, indicating low real-world attack likelihood despite the moderate CVSS score.
Stored cross-site scripting (XSS) in bozdoz Leaflet Map WordPress plugin versions up to 3.4.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability has a low EPSS score (0.03%, 8th percentile) suggesting minimal real-world exploitation likelihood despite moderate CVSS severity, and no public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) in Livemesh Addons for Elementor through version 9.0 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of administrators and other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling attackers to persistently compromise site functionality and steal administrative credentials or session tokens. CVSS 6.5 reflects moderate severity; EPSS 0.03% indicates very low real-world exploitation probability, suggesting this requires specific user interaction and authenticated access to exploit effectively.
DOM-based cross-site scripting (XSS) in Ronald Huereca Custom Query Blocks WordPress plugin version 5.5.0 and earlier allows authenticated users to inject malicious scripts via the post-type-archive-mapping functionality. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability across site boundaries (S:C). With EPSS at 0.03% and no confirmed active exploitation, this is a low-probability risk despite the medium CVSS score, indicating exploitation requires specific preconditions unlikely to occur in typical deployments.
DOM-Based Cross-Site Scripting (XSS) in A WP Life Blog Filter WordPress plugin versions 1.7.6 and earlier allows authenticated attackers with low privileges to inject malicious scripts that execute in victims' browsers when they interact with crafted web pages. The vulnerability stems from improper neutralization of user input during page generation and requires user interaction to trigger. No public exploit code or active exploitation has been identified at the time of analysis, with an EPSS score of 0.03% indicating low exploitation probability.
DOM-based cross-site scripting (XSS) in Advanced Coupons for WooCommerce Coupons plugin (versions up to 4.7.1.1) allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the same privileges as the site context, affecting confidentiality, integrity, and availability of the WordPress installation. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating low real-world exploitation probability despite the moderate CVSS 6.5 rating.
Stored Cross-Site Scripting (XSS) in Themesflat Addons for Elementor up to version 2.3.2 allows authenticated users with low privileges to inject malicious scripts that execute in the context of site visitors' browsers. An attacker with contributor-level access or higher can craft input fields within the plugin's admin interface to persistently store JavaScript code, which then executes whenever other users (including administrators) view the affected content. The vulnerability has low real-world exploitation risk (EPSS 0.03%, percentile 8%) despite its CVSS 6.5 rating, as it requires authenticated user interaction and user-initiated viewing of affected pages.
Stored cross-site scripting (XSS) in VK All in One Expansion Unit WordPress plugin through version 9.113.3 allows authenticated attackers to inject malicious JavaScript that executes in the browsers of other users, potentially compromising site administrators and visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate mass exploitation but remaining a significant risk for compromised or malicious user accounts. No public exploit code or active exploitation has been reported; the EPSS score of 0.03% reflects the authentication and user-interaction requirements that reduce real-world exploitation probability.
DOM-based cross-site scripting (XSS) in PublishPress Post Expirator WordPress plugin versions 4.9.4 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of higher-privileged administrators viewing affected pages, potentially leading to unauthorized actions or credential theft. The vulnerability requires user interaction (administrator viewing the malicious content) and is confined to the application context, making it a medium-severity risk despite the high CVSS score-EPSS scoring of 0.03% percentile indicates low real-world exploitation probability.
Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.
SQL Injection in User Registration & Membership plugin for WordPress (versions up to 5.1.2) allows authenticated Subscriber-level attackers to extract sensitive database information via unsanitized 'membership_ids[]' parameter. The vulnerability stems from insufficient escaping and lack of prepared statements in SQL query construction, enabling attackers to append arbitrary SQL commands to existing queries. No public exploit code or active exploitation has been identified at the time of analysis.
Google Chrome prior to 147.0.7727.55 contains insufficient validation of untrusted input in WebSockets that allows a remote attacker with a compromised renderer process to bypass same-origin policy via a crafted HTML page. This vulnerability requires prior renderer compromise and user interaction, limiting real-world exploitability despite the high CVSS score. EPSS scoring (0.02%, 6th percentile) and Chromium's own Low severity classification indicate minimal practical risk despite the integrity impact rating.
Denial of service in GitLab EE 18.2-18.10 allows authenticated users to crash the GitLab instance through improper input validation in GraphQL queries. GitLab EE versions 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 are affected. An authenticated attacker with any valid GitLab account can trigger the vulnerability by submitting a malformed GraphQL query, causing the instance to become unavailable. No public exploit code has been identified at the time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
TotalSuite Total Poll Lite plugin for WordPress versions up to 4.12.0 allows authenticated users to bypass access controls and modify poll data due to missing authorization checks on administrative functions. An authenticated attacker with low privileges can exploit incorrectly configured access control security levels to read, modify, or delete poll content without proper authorization, achieving a CVSS score of 6.3 with low exploitation probability (EPSS 0.02%).
RPS Include Content WordPress plugin through version 1.2.2 fails to properly enforce access control, allowing authenticated users to modify content they should not have permission to alter. The vulnerability stems from missing authorization checks that validate user permissions before allowing content modifications, affecting all installations of the plugin up to and including version 1.2.2. While the CVSS score of 6.5 reflects moderate severity, the low EPSS score (0.02% percentile 4%) suggests limited real-world exploitation probability, likely due to the requirement for authenticated access and the plugin's relatively narrow user base.
Broken access control in AA Web Servant 12 Step Meeting List plugin version 3.19.9 and earlier allows authenticated users to view sensitive information by exploiting misconfigured access control security levels. An attacker with low-level privileges can enumerate or access data they should not be permitted to view, exposing confidential meeting or user information. The vulnerability has an EPSS score of 0.02% (4th percentile), indicating low real-world exploitation probability despite the moderate CVSS score of 6.5.
Missing authorization controls in SureCart WordPress plugin versions up to 4.0.2 allow authenticated attackers to access or modify restricted data due to incorrectly configured access control security levels. With CVSS 6.3 (authenticated attack, low complexity, confidentiality/integrity/availability impact) and EPSS 0.02% exploitation probability, this represents a moderate-severity flaw affecting plugin deployments where user role separation is security-critical; no public exploit code or active exploitation has been confirmed.
Bypass of iframe sandbox navigation restrictions in Google Chrome prior to version 147.0.7727.55 allows remote attackers to circumvent security boundaries via a crafted HTML page combined with specific user UI gestures. The vulnerability affects the IFrameSandbox security mechanism, which is designed to prevent iframes from navigating the top-level window; successful exploitation requires user interaction but results in direct integrity impact through unauthorized navigation. This is a low-severity issue with minimal exploitation probability (EPSS 0.02%, percentile 3%) and no confirmed active exploitation.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the LocalNetworkAccess feature that allows remote attackers to circumvent navigation restrictions by delivering a crafted HTML page. An unauthenticated attacker requires only user interaction (clicking or viewing the malicious page) to trigger the bypass, resulting in integrity compromise of network access policies. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been reported.
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to modify WooCommerce product data including prices, descriptions, and other fields by tricking administrators or shop managers into clicking a malicious link, due to missing nonce validation in the woobe_redraw_table_row() function. CVSS 6.5 reflects the high integrity impact; no public exploit code or active exploitation has been confirmed at analysis time.
Insufficient policy enforcement in Google Chrome's DevTools allows unauthenticated attackers who convince users to install a malicious extension to bypass enterprise host restrictions and modify cookies, affecting Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction to install the malicious extension but grants attackers the ability to circumvent security policies protecting sensitive cookie data. With an EPSS score of 0.01% and Chromium severity rated as Low, real-world exploitation is unlikely despite the moderate CVSS score of 6.5.
Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre theme versions up to 2.5.4 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through maliciously crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries a high integrity impact (CVSS 6.5). Despite a high CVSS score, the extremely low EPSS score (0.01%) suggests minimal real-world exploitation probability at time of analysis.
Cross-site request forgery (CSRF) in ThemeGoods Grand Car Rental WordPress theme versions up to 3.6.9 allows authenticated attackers to perform unauthorized actions on behalf of users through malicious web pages. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with low impact. EPSS exploitation probability is 0.01% (1st percentile), indicating minimal real-world exploitation likelihood despite the moderate CVSS score of 6.5.
Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Blog theme through version 3.1 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users via specially crafted requests. The vulnerability requires user interaction (clicking a malicious link or visiting a compromised page) but carries a high integrity impact, enabling attackers to modify site content, settings, or user accounts without the victim's knowledge.
Stored Cross-Site Scripting in Columns by BestWebSoft WordPress plugin (versions up to 1.0.3) allows authenticated contributors and above to inject arbitrary JavaScript via the 'id' shortcode attribute of [print_clmns], which is embedded unsanitized into HTML id attributes and inline CSS. The vulnerability requires at least one column to exist in the plugin database but affects any user viewing a page containing the injected shortcode, with a CVSS score of 6.4 reflecting moderate impact across confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in PrivateContent Free WordPress plugin versions up to 1.2.0 allows authenticated contributors and above to inject arbitrary JavaScript through the 'align' shortcode attribute in [pc-login-form], which executes when any user visits an affected page. The vulnerability stems from the 'align' parameter being concatenated directly into an HTML class attribute without proper escaping (esc_attr), enabling persistent XSS attacks. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in WP Visitor Statistics plugin versions up to 8.4 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript through the 'wsm_showDayStatsGraph' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user accessing the affected page, potentially compromising site visitors and enabling account takeover or malware distribution. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting in Pinterest Site Verification Plugin Using Meta Tag for WordPress up to version 1.8 allows authenticated attackers with subscriber-level access to inject arbitrary JavaScript via the 'post_var' parameter due to insufficient input sanitization and output escaping. The vulnerability has a CVSS score of 6.4 with cross-site scope, enabling persistent script injection that executes in the browsers of any user visiting affected pages. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting in Robo Gallery for WordPress up to version 5.1.3 allows authenticated Author-level users to inject arbitrary JavaScript via the Loading Label gallery setting. The vulnerability exploits a custom marker pattern (`|***...***|`) in the `fixJsFunction()` method that converts JSON-wrapped strings into raw JavaScript code; input validation with `sanitize_text_field()` fails to strip the markers, enabling script injection that executes whenever the gallery shortcode is rendered. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in Extensions for Leaflet Map plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'elevation-track' shortcode due to insufficient input sanitization and output escaping, enabling arbitrary script execution whenever users access injected pages. The vulnerability affects all versions up to and including 4.14, with a CVSS score of 6.4 reflecting the moderate but significant impact across multiple users of the same WordPress installation.
Stored cross-site scripting (XSS) in the pdfl.io WordPress plugin allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'text' attribute of the 'pdflio' shortcode, which is executed in the browsers of all site visitors due to missing output escaping. All versions up to and including 1.0.5 are affected, and the vulnerability requires Contributor-level WordPress access but no user interaction beyond page access. No public exploit code or active exploitation has been confirmed; the attack relies on insufficient input sanitization in the output_shortcode() function.
Stored Cross-Site Scripting in Investi WordPress plugin versions up to 1.0.26 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through the 'maximum-num-years' attribute of the 'investi-announcements-accordion' shortcode. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS payloads that execute when users access affected pages. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting in LatePoint Calendar Booking Plugin for WordPress up to version 5.3.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'button_caption' parameter in the [latepoint_resources] shortcode when 'items' is set to 'bundles'. The injected scripts execute for all users viewing the affected page. No public exploit code or active exploitation has been identified, though the vulnerability requires only contributor-level access and automatic exploitation is feasible.
Stored Cross-Site Scripting in Prime Slider - Addons for Elementor plugin allows authenticated users with Author-level access to inject arbitrary JavaScript through the 'follow_us_text' setting in the Mount widget. The vulnerability exists in all versions up to 4.1.10 due to missing output escaping in the render_social_link() function, enabling attackers to execute malicious scripts whenever pages containing the injected widget are viewed. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting in TableOn - WordPress Posts Table Filterable plugin versions up to 1.0.4.4 allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript via unescaped shortcode attributes ('class', 'help_link', 'popup_title', 'help_title') in the 'tableon_button' shortcode. The vulnerability results from the do_shortcode_button() function extracting attributes without sanitization and the TABLEON_HELPER::draw_html_item() function concatenating these values directly into HTML output without escaping, enabling malicious scripts to execute in the browsers of users viewing affected pages. No public exploit code or active exploitation has been reported at this time.
Stored Cross-Site Scripting in LearnPress WordPress LMS Plugin up to version 4.3.3 allows authenticated contributors to inject malicious scripts via the 'skin' attribute of the learn_press_courses shortcode, which lacks proper output escaping. The injected scripts execute whenever any user visits a page containing the malicious shortcode, affecting all sites using vulnerable versions. No evidence of active exploitation exists at time of analysis.
Stored cross-site scripting in Element Pack Addons for Elementor plugin versions up to 8.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malicious SVG files through the SVG Image Widget. The vulnerability exists in the render_svg() function, which fetches remote SVG content and echoes it directly to pages without proper sanitization, enabling persistent XSS attacks affecting all users who view pages containing the compromised widget. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in Post Blocks & Tools WordPress plugin versions up to 1.3.0 allows authenticated attackers with author-level access to inject arbitrary JavaScript through the 'sliderStyle' block attribute in the Posts Slider block, which executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent payload injection that affects any site administrator or editor visiting a compromised post.
Stored Cross-Site Scripting in Wavr WordPress plugin up to version 0.2.6 allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, with malicious scripts executing for all users who view affected pages. CVSS 6.4 reflects moderate severity with network-accessible attack vector and cross-site impact; no public exploit code or active exploitation confirmed at time of analysis.
Stored Cross-Site Scripting (XSS) in Magic Conversation For Gravity Forms plugin allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes, executing malicious scripts in pages viewed by any visitor. The vulnerability affects all versions up to and including 3.0.97 and requires no user interaction from the victim. With an EPSS score context of 6.4 CVSS and confirmed patch availability, this represents a moderate-to-significant risk to WordPress sites with untrusted contributor accounts.
Stored Cross-Site Scripting in Beaver Builder Page Builder plugin for WordPress up to version 2.10.1.1 allows authenticated attackers with author-level access or higher to inject arbitrary JavaScript through the 'settings[js]' parameter due to insufficient input sanitization and output escaping. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site integrity and user accounts. No public exploit code or active CISA KEV status reported at analysis time.