Monthly
Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-interaction entry point makes it a practical drive-by injection risk.
Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.
Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.
Stored Cross-Site Scripting in the MxChat AI Chatbot & Content Generation WordPress plugin (versions up to and including 3.2.10) enables authenticated administrators to persist malicious scripts through admin settings panels. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, narrowing the realistic attack surface significantly. No public exploit code or active exploitation (CISA KEV) has been identified; CVSS 4.4 Medium reflects the restricted conditions and high privilege requirement.
Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.
Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.
Stored cross-site scripting in DataEase's template static resource pipeline allows authenticated users to persist malicious JavaScript inside SVG files served at the application's same origin, executing in victims' browsers upon resource access. Versions prior to 2.10.23 are affected; the root cause is that StaticResourceServer.saveFilesToServe and saveSingleFileToServe decoded attacker-supplied Base64 content and wrote it directly to disk without validating extension, MIME type, decoded bytes, or SVG scriptability. No public exploit code or CISA KEV listing exists at time of analysis, but the stored, same-origin nature of the XSS and the low bar for triggering it (any authenticated user) make this a meaningful risk in shared or multi-tenant DataEase deployments.
Stored cross-site scripting in MantisBT (versions <= 2.28.3) lets an authenticated user inject arbitrary HTML/JavaScript through a crafted image-attachment filename that breaks out of an IMG tag's alt attribute. The payload executes when any user (including higher-privileged reviewers) renders the Word/HTML export view at print_all_bug_page_word.php?type_page=html&export=1, though real-world impact is constrained by MantisBT's Content Security Policy. There is no public exploit identified at time of analysis, and the flaw is fixed in 2.28.4.
Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. There is no public exploit identified at time of analysis, no CISA KEV listing, and no CVSS/EPSS score in the provided data; the issue was reported by watchTowr and fixed in 2.28.4.
Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-interaction entry point makes it a practical drive-by injection risk.
Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.
Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.
Stored Cross-Site Scripting in the MxChat AI Chatbot & Content Generation WordPress plugin (versions up to and including 3.2.10) enables authenticated administrators to persist malicious scripts through admin settings panels. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, narrowing the realistic attack surface significantly. No public exploit code or active exploitation (CISA KEV) has been identified; CVSS 4.4 Medium reflects the restricted conditions and high privilege requirement.
Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.
Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.
Stored cross-site scripting in DataEase's template static resource pipeline allows authenticated users to persist malicious JavaScript inside SVG files served at the application's same origin, executing in victims' browsers upon resource access. Versions prior to 2.10.23 are affected; the root cause is that StaticResourceServer.saveFilesToServe and saveSingleFileToServe decoded attacker-supplied Base64 content and wrote it directly to disk without validating extension, MIME type, decoded bytes, or SVG scriptability. No public exploit code or CISA KEV listing exists at time of analysis, but the stored, same-origin nature of the XSS and the low bar for triggering it (any authenticated user) make this a meaningful risk in shared or multi-tenant DataEase deployments.
Stored cross-site scripting in MantisBT (versions <= 2.28.3) lets an authenticated user inject arbitrary HTML/JavaScript through a crafted image-attachment filename that breaks out of an IMG tag's alt attribute. The payload executes when any user (including higher-privileged reviewers) renders the Word/HTML export view at print_all_bug_page_word.php?type_page=html&export=1, though real-world impact is constrained by MantisBT's Content Security Policy. There is no public exploit identified at time of analysis, and the flaw is fixed in 2.28.4.
Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. There is no public exploit identified at time of analysis, no CISA KEV listing, and no CVSS/EPSS score in the provided data; the issue was reported by watchTowr and fixed in 2.28.4.