Memory exhaustion in IBM Db2 11.5.x and 12.1.x allows an authenticated remote attacker to crash the database engine by submitting certain queries targeting Multi-Dimensional Clustering (MDC) tables, resulting in a denial of service. The vulnerability carries a CVSS 6.5 score with network-accessible attack vector and low-privilege requirement, meaning any valid database user can trigger it. No active exploitation has been identified at time of analysis; SSVC rates exploitation status as none and technical impact as partial.
Missing authorization in the AWP Classifieds WordPress plugin (versions through 4.4.5) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification and availability disruption of classified listing data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against any internet-facing WordPress site running the affected plugin. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS at 0.04% (11th percentile) indicates low observed exploitation probability, though the unauthenticated attack surface broadens theoretical exposure.
Insecure Direct Object Reference (IDOR) in the WP Wham Checkout Files Upload for WooCommerce WordPress plugin exposes uploaded checkout files to unauthenticated remote attackers who manipulate user-controlled object keys. All plugin versions through 2.2.5 are affected, with the CVSS vector confirming no authentication or user interaction is required. Despite the straightforward exploit path - flagged as automatable by the SSVC framework - real-world risk is tempered by a very low EPSS score of 0.04% (12th percentile), no public exploit code, and no active exploitation per CISA KEV.
Authentication bypass via SQL injection in OpenRapid RapidCMS v1.3.1 allows unauthenticated remote attackers to manipulate the application's authentication logic by injecting crafted SQL payloads into the `name` cookie parameter processed by the `/template/default/menu.php` component. The CVSS 6.5 (AV:N/AC:L/PR:N/UI:N) score reflects trivial remote exploitability with no prior authentication required, though the confidentiality and integrity impacts are rated Low and availability is unaffected. A public researcher writeup is linked in references, suggesting exploit techniques are documented, but no confirmed active exploitation (CISA KEV) has been recorded and EPSS sits at 0.03% (11th percentile), indicating low observed exploitation activity at time of analysis.
Stored XSS in the Booking Manager WordPress plugin (wpdevelop) versions through 2.1.18 allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers. The CVSS scope change (S:C) indicates injected scripts can affect resources beyond the plugin itself - most critically, administrator sessions viewing booking data. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals minimal observed exploitation interest currently.
Stored Cross-Site Scripting in the WPComplete WordPress plugin (all versions through 2.9.5.4) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers upon viewing affected content. The CVSS changed scope (S:C) is the critical risk factor: a contributor- or author-level account can craft payloads that execute in the session of higher-privileged users, including administrators, enabling session hijacking or unauthorized admin actions. No public exploit identified at time of analysis, and an EPSS score of 0.03% (10th percentile) reflects low broad exploitation probability, though the admin-targeting potential elevates real-world concern for multi-user WordPress deployments.
DOM-Based Cross-Site Scripting in the Averta Master Slider WordPress plugin (versions through 3.10.8) enables authenticated low-privilege users to inject persistent malicious scripts that execute in the browsers of other site visitors. The CVSS Scope:Changed flag (S:C) confirms the injected payload can escape the plugin's context and affect the broader browser environment, enabling session hijacking or admin action forgery against higher-privileged users. No public exploit code exists and EPSS at 0.03% (10th percentile) aligns with SSVC's 'Exploitation: none' classification - this is a real but moderate-priority finding gated behind authentication and victim interaction requirements.
Excessive data exposure in DFIR-IRIS before version 2.4.28 enables authenticated low-privileged users to retrieve sensitive information from API responses that should be restricted or filtered server-side. The flaw (CWE-201) is part of a coordinated multi-vulnerability disclosure by SBA Research (SBA-ADV-20260126-04), which also identified an Open Redirect (CVE-2026-42329), Insecure File Upload (CVE-2026-42538), and Mass Assignment (CVE-2026-42540) in the same product version. No public exploit identified at time of analysis and no CISA KEV listing; however, the target platform stores highly sensitive digital forensics and incident response case data, elevating the practical impact of any confidentiality breach.
Arbitrary file read in the Xpro Elementor Addons - Pro WordPress plugin (versions ≤1.4.7) allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the web server process, including credential-bearing files such as wp-config.php. The vulnerability originates in the Draw SVG widget, which passes user-controlled input to a server-side file read operation without adequate path restriction (CWE-73). No public exploit code has been identified at time of analysis, and CISA has not added this to the KEV catalog; however, successful exploitation fully compromises the confidentiality of server-side data.
Sensitive data exposure in the GenerateBlocks WordPress plugin (versions through 2.1.0) allows authenticated low-privilege users to retrieve embedded sensitive information via network requests. The vulnerability, classified under CWE-201, means the plugin inserts sensitive data into outbound responses where it can be intercepted or retrieved by parties with basic WordPress authentication. No public exploit code exists and CISA has not listed this in KEV, though the high confidentiality impact (CVSS C:H) indicates meaningful data leakage potential if exploited against unpatched installations.
Authenticated network-accessible denial of service in Tanium Server affects three active release branches, patched in versions 7.6.4.2190, 7.7.3.8274, and 7.8.2.1176. The vulnerability stems from a CWE-772 resource leak - allocated resources are not released after their effective lifetime, enabling a low-privileged authenticated attacker to exhaust server resources. A notable conflict exists in the available data: the CVSS vector reports C:H/I:N/A:N (high confidentiality impact, no availability impact) while the CVE description, ENISA EUVD tags, and vendor advisory title all characterize this as a denial of service; defenders should treat both confidentiality and availability as potentially affected until Tanium clarifies. No public exploit is identified and EPSS is low at 0.03%.
Improper authorization in Frappe HR (HRMS) prior to version 16.5.0 allows any authenticated employee to read the leave records of other employees without permission. The root cause is CWE-863 (Incorrect Authorization) - the application authenticates the user but fails to enforce that the requesting employee is authorized to view the target employee's data. With a CVSS score of 6.5 (Medium) and a High confidentiality impact, this is a horizontal privilege escalation issue; no public exploit has been identified at time of analysis and it does not appear in the CISA KEV catalog.
Credential exposure in IBM Guardium Data Protection's Long Term Retention (LTR) add-on feature allows authenticated network users to obtain sensitive credentials when the system is operating in debug mode. Affected versions are 12.2.1 (up to and including Fix Pack 4.4.7 Fix Pack 1) and 12.2.2. The high confidentiality impact (C:H) reflects that fully valid credentials - not just partial data - may be disclosed, potentially enabling lateral movement or privilege escalation within the data protection infrastructure. No public exploit has been identified at time of analysis, and SSVC assessment confirms no active exploitation.
Access control bypass in Samba allows authenticated SMB users who hold write permissions on the underlying filesystem to create or delete NTFS-style reparse point metadata on shares configured with 'read only = yes', defeating the read-only intent of the export. Because the necessary access checks are missing at the SMB layer, an attacker can change how files behave when accessed over SMB - for example, converting a regular file into a symbolic link or another reparse-point type - yielding an integrity and availability impact (CVSS 7.1). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as 'none', non-automatable, with partial technical impact.
Unauthorized jQuery downgrade in the Enable jQuery Migrate Helper WordPress plugin (all versions ≤1.4.1) allows any authenticated Subscriber-level user to replace the site-wide jQuery 3.7.1 with the legacy 1.12.4-wp release, which carries known security vulnerabilities. The root cause is a missing authorization check in the `downgrade_jquery_version()` function, which validates a nonce but never verifies user capabilities (CWE-862). No public exploit exists and CISA has not added this to KEV; however, the indirect impact is significant because a successful downgrade introduces a vulnerable jQuery version that could serve as a stepping stone for further exploitation of other weaknesses.
WORM protection bypass in Samba's vfs_worm VFS module allows authenticated share users to defeat data retention controls by renaming a newly created file over an existing WORM-protected file. Affected users are those operating Samba deployments that have explicitly enabled the vfs_worm module for write-once, read-many data protection - such as compliance, archival, or audit log shares. An attacker with low-privilege write access can silently overwrite files that should be immutable post-grace-period, with high integrity impact (CVSS I:H). No public exploit or CISA KEV listing is identified at time of analysis.
Authorization bypass in IBM Db2 12.1.0 through 12.1.4 enables authenticated low-privilege users to upload data to remote object storage paths that should be beyond their access scope by including a specially crafted query. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the attack is network-accessible, requires no user interaction, and demands only a low-privilege database account, while the I:H score indicates high integrity impact - unauthorized writes to restricted storage destinations. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Denial of service in GitLab CE/EE affects all versions from 17.1 through those prior to 18.10.7, 18.11.4, and 19.0.1, allowing a low-privileged authenticated user to crash or degrade service availability through insufficient input validation. The root cause is CWE-770 (resource allocation without limits or throttling), meaning a specially crafted request can exhaust server-side resources under certain conditions. Publicly available exploit code exists per SSVC assessment, though CISA has not added this to the Known Exploited Vulnerabilities catalog and automated mass exploitation is considered unlikely.
CSRF middleware bypass in Budibase Worker allows unauthenticated remote attackers to forge state-changing requests against any Worker API endpoint by injecting a public route pattern into the query string. Affected versions prior to 3.35.4 are exposed to privilege escalation actions including sending admin invites, modifying global configuration, and managing users - all without a valid CSRF token. User interaction is required (CVSS UI:R), limiting opportunistic mass exploitation, though proof-of-concept exploit code exists per SSVC assessment. No active exploitation has been confirmed by CISA KEV at time of analysis.
Stored Cross-Site Scripting in the Advanced Custom Fields: Font Awesome Field WordPress plugin (versions through 5.0.2) allows authenticated low-privileged users to inject persistent malicious scripts into web pages viewed by other users. The changed scope (S:C in CVSS) confirms that injected payloads execute in victims' browsers, potentially enabling session hijacking, credential theft, or unauthorized admin-level actions on the WordPress site. No public exploit code has been identified at time of analysis, and SSVC classifies exploitation as none with partial technical impact.
Stored Cross-Site Scripting in the Instant-Quote.co Quotation Page WordPress plugin (all versions ≤1.3.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. The changed-scope CVSS vector (S:C) reflects that injected scripts execute in victim browsers rather than the server, and the plugin's shortcode is exploitable through the WordPress post review workflow - a contributor can embed a malicious shortcode in a draft submitted for editor or administrator review, causing the payload to execute when a privileged user previews the post. No public exploit has been identified and EPSS is very low at 0.04% (12th percentile), indicating limited opportunistic exploitation risk, though the cross-privilege escalation path warrants attention on multi-author WordPress sites.
Stored Cross-Site Scripting in the BitForm WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers with contributor-level access or above to inject persistent malicious scripts via unsanitized 'width' and 'height' shortcode attributes in the Shortcode::shortcode() function, which are written directly into the style attribute of an iframe element without escaping. Any user who subsequently views a page containing the injected shortcode will trigger execution of the attacker's script in their browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS places current exploitation probability at 0.03% (9th percentile), indicating this is currently a low-activity finding despite its network-accessible attack vector.
Stored Cross-Site Scripting in the Animate Your Content WordPress plugin (versions ≤ 1.0.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via the 'animation-set' shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS (0.03%, 9th percentile) together with SSVC exploitation status of 'none' indicate this is currently a low-priority, low-activity vulnerability.
Stored Cross-Site Scripting in the Responsive Check WordPress plugin (versions ≤ 0.0.3) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'url' and 'button' attributes of the [rspcheck] shortcode. The payload executes in the browser of any user who visits an affected page, with a CVSS scope-change designation (S:C) reflecting cross-user impact. No public exploit has been identified and the EPSS score of 0.03% (9th percentile) places real-world exploitation probability firmly at the low end, though sites with open contributor registration remain meaningfully exposed.
Stored Cross-Site Scripting in the Splide Carousel Block WordPress plugin (all versions ≤ 1.7.1) allows authenticated attackers with contributor-level access to inject persistent JavaScript via the 'url' block attribute, executing against any visitor of the affected page. The attack requires the malicious post to be published by an editor or administrator before the payload fires, adding a social-engineering or workflow-abuse dependency. With an EPSS of 0.03% (9th percentile) and no current CISA KEV listing, real-world exploitation risk is low but non-negligible on sites permitting untrusted contributors to submit content.
Stored Cross-Site Scripting in the Github Shortcode plugin for WordPress (all versions through 0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'repo' attribute of the 'github' shortcode. Any user who subsequently visits the injected page triggers execution of the attacker-controlled script in their browser context. No public exploit has been identified at time of analysis and EPSS places exploitation probability at 0.03% (9th percentile), though the low barrier to exploitation for any site permitting contributor accounts warrants attention.
Stored XSS in WPBakery Page Builder Addons by Livemesh (all versions through 3.9.4) allows authenticated WordPress contributors to inject persistent JavaScript into site pages via malformed shortcode attributes on the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcodes. The flaw arises from using `wp_json_encode()` instead of `esc_attr()` when embedding shortcode attributes into single-quoted HTML `data-settings` attributes, enabling an attacker to inject a literal single quote and escape the attribute boundary. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) reflects low current exploitation interest, and the practical attack surface is constrained to WordPress sites where untrusted users hold Contributor-level access.
Stored Cross-Site Scripting in the Auto Thumbnail WordPress plugin (all versions up to and including 1.0) enables authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'width' and 'height' attributes of the 'thumbnails' shortcode. The injected payload executes in the browser of any subsequent visitor who loads the affected page, crossing trust boundaries from the WordPress server context into victims' sessions (CVSS S:C). No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog; EPSS of 0.03% (9th percentile) reflects low predicted exploitation probability, though the stored nature of the flaw amplifies impact relative to reflected XSS.
Stored Cross-Site Scripting in the Events In City WordPress plugin (versions ≤3.0) allows contributor-level authenticated users to inject persistent JavaScript payloads via unsanitized 'org-events' shortcode attributes handled by the org_event_scode() function. The CVSS scope is Changed (S:C), meaning injected scripts execute in victims' browsers outside the plugin's own context, enabling session hijacking, credential theft, or unauthorized actions against any user who views an affected page. No public exploit identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low current exploitation likelihood, though the contributor-level access requirement is a realistic attack surface on multi-author WordPress sites.
Stored Cross-Site Scripting in the Shortcode Buddy WordPress plugin (all versions ≤ 0.1.9.5) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into pages via unsanitized shortcode attributes, executing in any visitor's browser upon page load. The Changed scope (S:C) in the CVSS vector confirms the injected payload escapes the plugin's context and affects users browsing the site, including administrators whose sessions could be hijacked. No public exploit code has been identified at time of analysis, and EPSS sits at 0.03% (9th percentile), indicating low observed exploitation probability, though the contributor-level entry bar makes this a realistic risk on sites with multiple editors.
Stored Cross-Site Scripting in the iWR Tooltip WordPress plugin (versions up to and including 1.0) permits authenticated attackers holding contributor-level accounts or higher to plant persistent malicious scripts via the plugin's `iwrtooltip` shortcode. The root cause is direct string concatenation of the user-supplied `title` attribute into an HTML attribute inside the `iwr_tooltip()` handler at lines 37 and 41 of iwr-tooltip.php, with no call to `esc_attr()` or equivalent escaping. Any site visitor who subsequently loads a page containing the poisoned shortcode will execute the injected script in their browser, with scope-changed impact that can target session tokens, credentials, or site administrative functions. EPSS is 0.03% (9th percentile), and no public exploit or CISA KEV listing exists at time of analysis.
Stored Cross-Site Scripting in the Listen Shortcode WordPress plugin (versions ≤ 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via unsanitized shortcode attributes. The vulnerability exists in the listenEmbedJS() function, which echoes user-supplied src, start, and end attributes directly into a single-quoted HTML attribute context without escaping, enabling script injection that executes in the browsers of any user who later visits the affected page. EPSS is low (0.03%, 9th percentile) and no public exploit or CISA KEV listing has been identified at time of analysis, suggesting limited current exploitation activity.
Stored Cross-Site Scripting in the hk_shortcode WordPress plugin (versions ≤1.0) enables authenticated contributors to inject persistent malicious scripts via the unsanitized 'title' attribute of the 'title-plane' shortcode. The vulnerability stems from direct HTML concatenation of unescaped user input inside the huankong_post_short_title_plane() function - once a crafted post is saved, the payload executes in the browsers of all users who visit the affected page, crossing into their sessions (CVSS S:C). No public exploit code has been identified at time of analysis, and with an EPSS of 0.03% (9th percentile), mass automated exploitation is unlikely; however, multi-author WordPress sites with open contributor registration carry meaningful exposure.
Stored Cross-Site Scripting in the Responsive Video Embedder WordPress plugin (versions ≤ 0.1) allows authenticated attackers with contributor-level access or above to persistently inject arbitrary JavaScript into WordPress pages via unsanitized shortcode attributes. The root cause is direct, unescaped concatenation of user-supplied 'id' and 'list' attributes into an HTML iframe src attribute inside the video_shortcode() function. Because the CVSS scope is Changed (S:C), injected scripts execute in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No active exploitation has been confirmed and EPSS is very low (0.03%, 9th percentile), but the contributor-level entry bar makes this relevant on multi-author WordPress sites.
Stored Cross-Site Scripting in the Easy Prism Syntax Highlighter WordPress plugin (versions ≤1.0.2) enables authenticated attackers with Contributor-level access to inject persistent JavaScript into WordPress pages via the 'code' or 'c' shortcode. The flaw resides in the shortcode() function, which concatenates the first positional shortcode attribute directly into the class attribute of generated <pre> and <code> HTML elements without invoking esc_attr() or any equivalent escaping - enabling HTML attribute breakout and arbitrary script injection. No public exploit has been identified and EPSS is very low (0.03%, 9th percentile), but the Contributor-level authentication threshold makes this accessible on any multi-author WordPress site without additional barrier.
Stored Cross-Site Scripting in the Content Slideshow WordPress plugin (all versions through 2.4.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes. The vulnerability resides in slideshow-widget-shortcode.php at multiple points (lines 14 and 143) where shortcode attribute values are passed without adequate sanitization or output escaping. The CVSS scope is Changed (S:C), meaning injected scripts execute in the victim's browser context and can affect resources beyond the plugin itself, such as stealing session tokens or performing actions as the visiting user. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS sits at a very low 0.03%.
Stored Cross-Site Scripting in the Formidable Kinetic WordPress plugin (versions ≤1.1.01) allows authenticated attackers with contributor-level access to permanently inject malicious scripts into pages via the 'kinetic_link' shortcode. The FrmKinetic::link() function concatenates user-supplied shortcode attributes ('window', 'class', 'label') directly into anchor tag HTML attributes without sanitization or output escaping, meaning any visitor who loads an injected page triggers execution of the attacker's payload in their browser. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) reflects low automated exploitation probability, but the Changed scope (S:C) in the CVSS vector indicates the impact crosses the plugin's security boundary into the broader WordPress page context.
Stored Cross-Site Scripting in the Team Master WordPress plugin (all versions ≤ 1.1.2) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes into WordPress pages, executing against any visitor who subsequently loads the affected page. The scope change (S:C in CVSS) reflects cross-session impact - a low-privileged contributor can compromise higher-privileged users including administrators. No public exploit identified at time of analysis, and EPSS of 0.03% (9th percentile) indicates low current exploitation probability.
Stored Cross-Site Scripting in the Mutual Funds Data WordPress plugin (versions ≤ 1.2.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts into any page using the affected shortcode. The unsanitized 'title' attribute in the mfd_shortcode() function is written directly into a HTML caption element without escaping, meaning injected payloads execute in the browsers of any user who subsequently views the affected page. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects a low current probability of widespread exploitation.
Stored Cross-Site Scripting in the Single Mailchimp WordPress plugin (all versions through 1.4) allows authenticated attackers with contributor-level access to inject persistent JavaScript into WordPress pages via unsanitized shortcode attributes. The six affected attributes - autocomplete, label, placeholder, btn_text, success_msg, and error_msg - are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php without sanitization or output escaping. No public exploit code exists and EPSS places exploitation probability at 0.03% (9th percentile), indicating low real-world exploitation pressure at this time.
Stored Cross-Site Scripting in the Post Category Gallery WordPress plugin (versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via unsanitized shortcode attributes. The injected payload executes in the browsers of any user who visits the affected page, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) indicates very low automated exploitation probability.
Stored Cross-Site Scripting in the jQuery googleslides WordPress plugin (all versions through 1.3) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious scripts via the 'googleslides' shortcode. The vulnerability is confirmed by Wordfence (ENISA EUVD-2026-32069) and traces to the `googleslides_handler()` function directly interpolating ten shortcode attribute values into HTML without the WordPress-standard `esc_attr()` sanitization. The CVSS Changed Scope (S:C) reflects that injected scripts execute in victims' browsers outside the plugin's own domain; EPSS at 0.03% (9th percentile) and absence from CISA KEV indicate no public exploit or confirmed active exploitation at time of analysis.
Stored Cross-Site Scripting in the Dideo plugin for WordPress version 1.0 allows authenticated contributors to inject persistent malicious scripts into any page using the 'dideo' shortcode. The 'id' shortcode attribute is interpolated directly into an HTML iframe 'src' attribute without sanitization or output escaping in the dideo() handler, meaning injected payloads execute automatically in the browser of any user who visits the affected page. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects low current exploitation interest, but the stored nature and scope-changed CVSS vector (S:C) elevate concern for multi-author WordPress deployments.
Stored Cross-Site Scripting in the Tuxquote WordPress plugin (versions up to and including 1.3) enables authenticated attackers holding Contributor-level access or above to inject persistent malicious scripts into WordPress pages via unsanitized shortcode attributes. The `tuxquote_build_format()` function concatenates user-supplied `title`, `align`, and `width` attributes from the TUXQUOTE shortcode directly into rendered HTML without passing them through WordPress's built-in `esc_attr()` or `esc_html()` escaping functions, allowing the payload to persist and execute in any visitor's browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects minimal real-world exploitation activity to date.
Stored Cross-Site Scripting in the Islamic Database WordPress plugin (versions ≤ 1.0) allows authenticated contributors to persistently inject arbitrary JavaScript into WordPress pages via the 'islamicDB-roqya' shortcode's 'width' and 'height' attributes. The flaw originates in the islamicDB_sc_quran_qari_roqya() function, which concatenates these shortcode attribute values directly into HTML iframe attribute values without sanitization or output escaping. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation probability, though the contributor-level access requirement is a realistic barrier given how many WordPress sites grant that role to content editors.
Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'gplusnamelink' shortcode's 'id' and 'name' attributes. The root cause is the absence of WordPress output-escaping functions (esc_attr() or esc_html()) in the gplusnamelink_generate() function, permitting raw attribute values to be concatenated directly into rendered HTML. Scope is Changed (S:C) per CVSS, meaning the injected script executes in victims' browser sessions outside the plugin's own security context. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low observed exploitation probability.
Stored Cross-Site Scripting in the WP Iframe Geo Style for Amazon affiliates WordPress plugin (all versions ≤1.1) allows authenticated attackers holding contributor-level roles to persist malicious JavaScript in page content via the unsanitized 'adid' shortcode attribute. The injected script executes automatically in any visitor's browser upon page load, with changed scope (S:C) confirming the payload crosses the attacker's own security boundary to impact other users. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects low current exploitation probability, though the contributor-level access requirement is achievable on many open-registration WordPress sites.
Stored Cross-Site Scripting in the Endless Scroll WordPress plugin (all versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via shortcode attributes, which execute in any visitor's browser upon page load. The CVSS scope change (S:C) confirms the payload crosses security boundaries - executing outside the WordPress application context - enabling session theft, credential harvesting, or malicious redirects against site visitors. No public exploit has been identified at time of analysis, and EPSS at 0.03% (9th percentile) reflects very low current exploitation probability, though the low privilege bar (contributor role) elevates risk on sites with open or loosely managed user registration.
Stored Cross-Site Scripting in the GBI To Print WordPress plugin version 1.0 allows authenticated attackers with contributor-level access to inject persistent malicious scripts into WordPress pages via the unsanitized 'div' attribute of the 'gbitoprint' shortcode. The root cause is a direct concatenation of raw shortcode attribute input into HTML output inside gbi_toprint_shortcode() at gbitoprint.php line 86, with no call to esc_attr() or equivalent WordPress sanitization. Any site visitor loading a page containing the injected shortcode will execute the attacker-controlled script in their browser, enabling session theft, credential harvesting, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS signals low near-term mass exploitation probability.
Stored cross-site scripting in the GNTT Post Title Ticker WordPress plugin version 1.0 allows authenticated contributors to inject persistent malicious JavaScript via unsanitized shortcode attributes across three display functions. The vulnerability arises from direct HTML concatenation of user-controlled values - including border, width, height, header_background, header_text_color, and id - without any escaping in gntt_title_ticker_slide(), gntt_title_ticker_fade(), and gntt_title_ticker_typing(). No public exploit has been identified at time of analysis, and the EPSS exploitation probability stands at a low 0.03%, suggesting limited real-world interest despite an accessible contributor-level attack surface on multi-author WordPress sites.