Skip to main content

White Label Cms

4 CVEs product

Monthly

CVE-2026-11898 MEDIUM This Month

Stored Cross-Site Scripting in the White Label CMS WordPress plugin (versions through 2.7.12) permits authenticated administrators to persist arbitrary JavaScript payloads via plugin settings pages, which then execute in the browsers of other users who access affected pages. Exploitation is gated behind two hard constraints: the attacker must hold administrator-level WordPress credentials, and the target site must be either a WordPress multisite installation or a site where the unfiltered_html capability has been explicitly disabled. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress XSS White Label Cms
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2022-0422 MEDIUM POC PATCH This Month

The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress White Label Cms
NVD WPScan
CVSS 3.1
6.1
EPSS
8.1%
CVE-2012-5388 LOW POC PATCH Monitor

Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available.

WordPress PHP XSS White Label Cms
NVD Exploit-DB
CVSS 2.0
3.5
EPSS
0.8%
CVE-2012-5387 MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF PHP WordPress XSS White Label Cms
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
1.3%
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the White Label CMS WordPress plugin (versions through 2.7.12) permits authenticated administrators to persist arbitrary JavaScript payloads via plugin settings pages, which then execute in the browsers of other users who access affected pages. Exploitation is gated behind two hard constraints: the attacker must hold administrator-level WordPress credentials, and the target site must be either a WordPress multisite installation or a site where the unfiltered_html capability has been explicitly disabled. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress XSS White Label Cms
NVD VulDB
EPSS 8% CVSS 6.1
MEDIUM POC PATCH This Month

The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress White Label Cms
NVD WPScan
EPSS 1% CVSS 3.5
LOW POC PATCH Monitor

Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available.

WordPress PHP XSS +1
NVD Exploit-DB
EPSS 1% CVSS 6.8
MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF PHP WordPress +2
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy