Reflected cross-site scripting in the NooTheme Jobmonster WordPress job-board theme (versions up to and including 4.8.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the flaw carries a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the authenticated WordPress session of an administrator who is lured into clicking. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Stored cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions through 8.3.7) lets an attacker persist malicious script that executes in another user's browser when the affected page is viewed. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates a network-reachable, unauthenticated injection point that requires a victim to load the poisoned content and crosses a privilege boundary into the rendering context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
DOM-based cross-site scripting in the ElementInvader Addons for Elementor WordPress plugin (all versions up to and including 1.4.3) lets remote attackers inject client-side script that executes in a victim's browser when they interact with a crafted link or page. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the scope-changing flaw can lead to session hijacking or defacement in the WordPress context. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Reflected cross-site scripting in the Themify Builder WordPress plugin (versions up to and including 7.7.4) lets remote attackers inject arbitrary script that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 base score of 7.1 reflects unauthenticated exploitation with a scope change, though it requires user interaction. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.