WordPress
Monthly
Chatbot for WordPress by Collect.chat (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored XSS in the WordPress User Language Switch plugin through the 'tab_color_picker_language_switch' parameter allows authenticated administrators to inject malicious scripts on multi-site installations or when unfiltered_html is disabled. The injected scripts execute in the context of other users accessing affected pages. This vulnerability affects all versions up to 1.6.10, with no patch currently available.
Authenticated attackers with contributor-level access to WordPress sites can bypass authorization checks in the Accordion and Accordion Slider plugin (versions up to 1.4.5) to read and modify attachment metadata across the entire site. The vulnerability exists in improper permission validation within the attachment data handling functions, allowing unauthorized access to file paths, titles, captions, alt text, and custom links. No patch is currently available.
Allow HTML in Category Descriptions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Stored cross-site scripting in MasterStudy LMS WordPress Plugin versions up to 3.7.11 allows authenticated contributors and above to inject malicious scripts through the 'stm_lms_courses_grid_display' shortcode due to insufficient input sanitization and output escaping. When users access pages containing the injected payload, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available.
Stored XSS in WordPress WP Data Access plugin versions up to 5.5.63 allows authenticated contributors and higher to inject malicious scripts into pages via the 'wpda_app' shortcode due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
One to one user Chat by WPGuppy (WordPress plugin) is affected by missing authentication for critical function (CVSS 5.3).
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]
The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. [CVSS 4.3 MEDIUM]
Unauthenticated attackers can modify appointment statuses in the Bookr WordPress plugin (versions up to 1.0.2) due to a missing capability check on the REST API endpoint. This allows unauthorized data manipulation without authentication or user interaction. No patch is currently available for this vulnerability.
Privilege escalation in the Magic Login Mail or QR Code WordPress plugin (versions up to 2.05) allows unauthenticated attackers to hijack any user account, including administrator accounts, by exploiting a race condition in QR code file handling. The plugin creates QR code login images with predictable filenames in the public uploads directory and fails to delete them immediately after email transmission, enabling attackers to intercept the encoded login URLs. An attacker can trigger login requests for arbitrary users and extract valid authentication tokens during the window before file cleanup occurs.
AMP Enhancer plugin for WordPress versions up to 1.0.49 allows authenticated administrators to inject stored XSS payloads through the Custom CSS setting due to insufficient input sanitization, affecting multi-site installations and those with unfiltered_html disabled. An attacker with admin-level access can execute arbitrary JavaScript in the context of user browsers visiting affected pages. A security patch is not yet available.
Unauthorized event deletion in the WordPress SEATT plugin through version 1.5.0 stems from inadequate CSRF protections on the event removal function. An attacker can trick site administrators into clicking a malicious link to remove arbitrary events without authentication. No patch is currently available for this vulnerability.
Stored XSS in the Citations tools WordPress plugin (versions up to 0.3.2) allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized shortcode parameters, which execute in the browsers of users viewing affected pages. The vulnerability requires authentication but affects all site visitors who access pages containing the injected code. No patch is currently available.
Simple Wp colorfull Accordion (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.
Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.
Unauthenticated attackers can forge IPN payment notifications in the BlueSnap Payment Gateway for WooCommerce plugin by spoofing whitelisted IP addresses through header manipulation, allowing them to arbitrarily modify order statuses without authorization. The vulnerability stems from improper IP validation in all versions up to 3.3.0, affecting WordPress installations with this payment plugin active. No patch is currently available.
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the ...
Easy Form Builder (WordPress plugin) versions up to 3.9.3. is affected by missing authorization (CVSS 5.3).
The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contac...
The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. [CVSS 4.9 MEDIUM]
Stored XSS in WordPress PixelYourSite PRO plugin versions up to 12.4.0.2 allows unauthenticated attackers to inject malicious scripts through the 'pysTrafficSource' and 'pys_landing_page' parameters due to insufficient input validation and output encoding. When site visitors access pages containing injected payloads, the malicious scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Stored XSS in the PixelYourSite WordPress plugin through versions 11.2.0 allows unauthenticated attackers to inject malicious scripts via the 'pysTrafficSource' and 'pys_landing_page' parameters due to inadequate input sanitization and output escaping. When users visit pages containing injected payloads, the scripts execute in their browsers, potentially compromising sessions and stealing sensitive data. No patch is currently available, leaving all affected installations vulnerable.
The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. [CVSS 8.8 HIGH]
The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above. [CVSS 4.3 MEDIUM]
FastDup WordPress plugin versions up to 2.7.1 fail to validate user permissions on REST API endpoints, allowing Contributor-level authenticated users to create and download complete site backups including databases and configuration files. This HIGH severity vulnerability (CVSS 8.8) affects all WordPress installations using the affected plugin versions, with no patch currently available. An attacker with basic authenticated access can extract sensitive data and obtain a full copy of the WordPress installation for further exploitation.
Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).
The Activity Log for WordPress plugin through version 1.2.8 fails to validate user permissions on the winter_activity_log_action() function, allowing authenticated subscribers and higher to access sensitive activity logs containing administrator credentials and other confidential data. An attacker with low-privilege WordPress access can exploit this missing capability check to read potentially sensitive information from exposed log files. No patch is currently available for this vulnerability.
Customer Reviews for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).
The Converter for Media WordPress plugin through version 6.5.1 contains a server-side request forgery vulnerability in the image loading function that allows unauthenticated attackers to make arbitrary web requests from the affected server. This could enable attackers to probe internal services and potentially read or modify sensitive data accessible from the web application. No patch is currently available.
Privilege escalation in Prime Listing Manager WordPress plugin through 1.1 allows unauthenticated administrative access.
The LatePoint Calendar Booking Plugin for WordPress versions up to 5.2.6 fails to validate user permissions on the load_step() function, allowing unauthenticated attackers to retrieve sensitive booking data such as customer names, emails, phone numbers, and appointment details. This network-accessible vulnerability requires no user interaction and affects all installations of the plugin without the patch. No patch is currently available to remediate this exposure.
Authentication bypass in AdForest WordPress theme (all versions through 6.0.12) allows unauthenticated attackers to take over any user account.
The Product Options and Price Calculation Formulas for WooCommerce - Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. [CVSS 5.8 MEDIUM]
WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface. [CVSS 6.4 MEDIUM]
Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces. [CVSS 5.5 MEDIUM]
PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.
Unauthenticated attackers can extract protected post metadata from WordPress sites running WPZOOM Addons for Elementor plugin version 1.3.2 and earlier due to missing capability validation in an AJAX function. The vulnerability enables disclosure of draft, future, and pending post titles and excerpts that should remain hidden from anonymous users. No patch is currently available.
The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access t...
Stored XSS in WordPress Slideshow WP plugin through version 1.1 allows authenticated users with contributor-level access to inject malicious scripts via the 'sswpid' shortcode attribute due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling attackers to steal session data or perform unauthorized actions. No patch is currently available for this vulnerability.
Stored XSS in BuddyHolis ListSearch plugin for WordPress through version 1.1 allows authenticated contributors and above to inject malicious scripts into pages via inadequately sanitized shortcode attributes. When site visitors access compromised pages, the injected scripts execute in their browsers, potentially enabling account hijacking, session theft, or malicious redirects. No patch is currently available for this vulnerability.
The WaMate Confirm Order Confirmation WordPress plugin through version 2.0.1 fails to enforce proper authorization checks, allowing authenticated subscribers and higher-privileged users to manipulate phone number blocking settings that should be restricted to administrators. This improper access control vulnerability enables low-privileged attackers to disrupt phone number management functionality without administrative consent.
The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerability in its codeflask shortcode due to inadequate input validation and output encoding. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute for all visitors accessing affected pages. No patch is currently available.
Stored XSS in OpenPOS Lite for WooCommerce plugin (versions up to 3.0) allows authenticated contributors and above to inject malicious scripts via the order_qrcode shortcode's width parameter, which execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content without user interaction. No patch is currently available.
Stored cross-site scripting in the WordPress Microtango plugin through version 0.9.29 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'restkey' parameter that execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping in the mt_reservation shortcode. No patch is currently available.
Stored cross-site scripting in the HTML Tag Shortcodes WordPress plugin through version 1.1 allows authenticated contributors and above to execute arbitrary scripts on site pages through inadequately sanitized shortcode attributes. Affected users will run attacker-injected code whenever they visit compromised pages, potentially leading to session hijacking or malicious content injection.
Stored XSS in the WDES Responsive Popup WordPress plugin through version 1.3.6 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wdes-popup-title' shortcode due to inadequate input sanitization. When victims visit affected pages containing the injected payload, the scripts execute in their browsers, potentially compromising site integrity and user data. No patch is currently available.
The Twitter posts to Blog plugin for WordPress versions up to 1.11.25 lacks proper access controls on the settings function, allowing unauthenticated attackers to modify plugin configuration including Twitter API credentials and post parameters. This capability check bypass could enable attackers to hijack the plugin's functionality or escalate privileges within WordPress installations. No patch is currently available for this vulnerability.
The Invoct PDF Invoices & Billing for WooCommerce plugin through version 1.6 fails to enforce capability checks, allowing authenticated Subscriber-level users to access sensitive data including invoice details, client information, and WordPress user email addresses. This privilege escalation vulnerability affects all WordPress installations using the affected plugin versions and has no available patch.
Remote code execution in the Custom Block Builder - Lazy Blocks WordPress plugin through version 4.2.0 allows authenticated users with Contributor privileges or higher to execute arbitrary code on the server via vulnerable functions in the LazyBlocks_Blocks class. This high-severity vulnerability (CVSS 8.8) affects all installations of the affected plugin versions with no patch currently available.
The MMA Call Tracking WordPress plugin through version 2.3.15 lacks proper CSRF protection on its admin configuration page, allowing attackers to modify call tracking settings by tricking site administrators into clicking malicious links. An unauthenticated attacker can alter plugin configurations without authorization through forged requests. No patch is currently available for this vulnerability.
Stored XSS in WordPress Category Image plugin through version 2.0 allows authenticated users with Editor access or higher to inject malicious scripts via the tag-image parameter due to insufficient input validation. When other users view affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or site defacement. No patch is currently available.
The WPlyr Media Block plugin for WordPress through version 1.3.0 contains a stored cross-site scripting vulnerability in the '_wplyr_accent_color' parameter due to inadequate input sanitization, allowing authenticated administrators to inject malicious scripts that execute in other users' browsers. This requires high-privilege access and manual user interaction but impacts site integrity and user security across affected pages.
The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.
WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).
The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. [CVSS 6.5 MEDIUM]
Orbisius Random Name Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored cross-site scripting in Beaver Builder Page Builder plugin for WordPress through version 2.10.0.5 allows authenticated users with Custom-level access or higher to inject malicious scripts into global settings that execute for all site visitors. The vulnerability stems from missing capability checks and insufficient input sanitization in the save_global_settings() function. Attackers can exploit this to deface pages, steal credentials, or perform actions on behalf of other users viewing affected content.
The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. [CVSS 4.3 MEDIUM]
Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).
The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]
Unauthenticated attackers can extract arbitrary post metadata from WordPress sites running Ninja Forms plugin versions up to 3.14.0 through improper merge tag filtering in repeater fields, potentially exposing sensitive data like API keys, billing information, and customer details. The vulnerability is exploitable remotely without authentication via the nf_ajax_submit AJAX action and currently lacks a patch.
Stored cross-site scripting in The Events Calendar Shortcode & Block plugin for WordPress up to version 3.1.2 allows authenticated users with contributor-level access to inject malicious scripts through the `ecs-list-events` shortcode's `message` attribute due to inadequate input sanitization. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. A patch is not currently available.
The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.
The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. [CVSS 5.4 MEDIUM]
Unauthenticated attackers can exploit an authorization bypass in the WCFM Marketplace plugin for WordPress (versions up to 3.7.0) to create arbitrary refund requests via the wcfm-refund-requests-form AJAX endpoint. This IDOR vulnerability allows unauthorized refund submissions for any order, potentially resulting in financial losses if automatic refund processing is enabled. No patch is currently available.
Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.
Unauthorized option modification in WCFM - Frontend Manager for WooCommerce up to version 6.7.24 allows authenticated Shop Manager-level users to bypass capability checks and alter arbitrary WordPress settings. An attacker with these privileges can exploit this to change the default registration role to administrator and enable user registration, gaining full admin access to the site. No patch is currently available for this vulnerability.
WooCommerce Memberships for Multivendor Marketplace versions up to 2.11.8 is affected by authorization bypass through user-controlled key (CVSS 4.3).
Fluent Forms Pro Add On Pack (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 5.4).
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]
Privilege escalation in JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 affected.
Advanced Country Blocker (WordPress plugin) versions up to 2.3.1 contains a security vulnerability (CVSS 5.3).
Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.
The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.
Stored XSS in the Wonka Slide WordPress plugin (versions up to 1.3.3) allows authenticated users with contributor-level permissions to inject malicious scripts through the `list_class` shortcode attribute due to inadequate input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.
Stored XSS in WordPress Wikiloops Track Player plugin (versions up to 1.0.1) allows authenticated contributors and above to inject malicious scripts through the wikiloops shortcode due to inadequate input sanitization and output escaping. Injected scripts execute in the browsers of users viewing affected pages, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.
Stored cross-site scripting in the WordPress Video Onclick plugin through version 0.4.7 allows authenticated contributors and above to inject malicious scripts into pages via the youtube shortcode due to inadequate input sanitization. When users access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive information. No patch is currently available.
Stored XSS in the OMIGO WordPress plugin through version 3.3 allows authenticated contributors and above to inject malicious scripts via the omigo_donate_button shortcode due to inadequate input sanitization, executing arbitrary code when users view affected pages. The vulnerability requires low privileges but impacts all users accessing compromised content, with no available patch as of now.
Simple Bible Verse via Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The TITLE ANIMATOR plugin for WordPress lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin configuration through forged requests if a site administrator clicks a malicious link. This vulnerability affects all versions up to 1.0 and requires social engineering to exploit but poses a direct integrity risk to plugin functionality and site configuration.
The Premmerce WordPress plugin through version 1.3.20 contains a stored cross-site scripting vulnerability in the wizard AJAX endpoint due to inadequate input sanitization and output escaping on the state parameter. Authenticated users with subscriber-level permissions can inject malicious scripts that execute in the admin wizard interface when accessed by other users. No patch is currently available for this medium-severity vulnerability affecting plugin installations.
The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]
The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. [CVSS 4.3 MEDIUM]
The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks [CVSS 5.5 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Chatbot for WordPress by Collect.chat (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored XSS in the WordPress User Language Switch plugin through the 'tab_color_picker_language_switch' parameter allows authenticated administrators to inject malicious scripts on multi-site installations or when unfiltered_html is disabled. The injected scripts execute in the context of other users accessing affected pages. This vulnerability affects all versions up to 1.6.10, with no patch currently available.
Authenticated attackers with contributor-level access to WordPress sites can bypass authorization checks in the Accordion and Accordion Slider plugin (versions up to 1.4.5) to read and modify attachment metadata across the entire site. The vulnerability exists in improper permission validation within the attachment data handling functions, allowing unauthorized access to file paths, titles, captions, alt text, and custom links. No patch is currently available.
Allow HTML in Category Descriptions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Stored cross-site scripting in MasterStudy LMS WordPress Plugin versions up to 3.7.11 allows authenticated contributors and above to inject malicious scripts through the 'stm_lms_courses_grid_display' shortcode due to insufficient input sanitization and output escaping. When users access pages containing the injected payload, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available.
Stored XSS in WordPress WP Data Access plugin versions up to 5.5.63 allows authenticated contributors and higher to inject malicious scripts into pages via the 'wpda_app' shortcode due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
One to one user Chat by WPGuppy (WordPress plugin) is affected by missing authentication for critical function (CVSS 5.3).
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]
The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. [CVSS 4.3 MEDIUM]
Unauthenticated attackers can modify appointment statuses in the Bookr WordPress plugin (versions up to 1.0.2) due to a missing capability check on the REST API endpoint. This allows unauthorized data manipulation without authentication or user interaction. No patch is currently available for this vulnerability.
Privilege escalation in the Magic Login Mail or QR Code WordPress plugin (versions up to 2.05) allows unauthenticated attackers to hijack any user account, including administrator accounts, by exploiting a race condition in QR code file handling. The plugin creates QR code login images with predictable filenames in the public uploads directory and fails to delete them immediately after email transmission, enabling attackers to intercept the encoded login URLs. An attacker can trigger login requests for arbitrary users and extract valid authentication tokens during the window before file cleanup occurs.
AMP Enhancer plugin for WordPress versions up to 1.0.49 allows authenticated administrators to inject stored XSS payloads through the Custom CSS setting due to insufficient input sanitization, affecting multi-site installations and those with unfiltered_html disabled. An attacker with admin-level access can execute arbitrary JavaScript in the context of user browsers visiting affected pages. A security patch is not yet available.
Unauthorized event deletion in the WordPress SEATT plugin through version 1.5.0 stems from inadequate CSRF protections on the event removal function. An attacker can trick site administrators into clicking a malicious link to remove arbitrary events without authentication. No patch is currently available for this vulnerability.
Stored XSS in the Citations tools WordPress plugin (versions up to 0.3.2) allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized shortcode parameters, which execute in the browsers of users viewing affected pages. The vulnerability requires authentication but affects all site visitors who access pages containing the injected code. No patch is currently available.
Simple Wp colorfull Accordion (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.
Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.
Unauthenticated attackers can forge IPN payment notifications in the BlueSnap Payment Gateway for WooCommerce plugin by spoofing whitelisted IP addresses through header manipulation, allowing them to arbitrarily modify order statuses without authorization. The vulnerability stems from improper IP validation in all versions up to 3.3.0, affecting WordPress installations with this payment plugin active. No patch is currently available.
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the ...
Easy Form Builder (WordPress plugin) versions up to 3.9.3. is affected by missing authorization (CVSS 5.3).
The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contac...
The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. [CVSS 4.9 MEDIUM]
Stored XSS in WordPress PixelYourSite PRO plugin versions up to 12.4.0.2 allows unauthenticated attackers to inject malicious scripts through the 'pysTrafficSource' and 'pys_landing_page' parameters due to insufficient input validation and output encoding. When site visitors access pages containing injected payloads, the malicious scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Stored XSS in the PixelYourSite WordPress plugin through versions 11.2.0 allows unauthenticated attackers to inject malicious scripts via the 'pysTrafficSource' and 'pys_landing_page' parameters due to inadequate input sanitization and output escaping. When users visit pages containing injected payloads, the scripts execute in their browsers, potentially compromising sessions and stealing sensitive data. No patch is currently available, leaving all affected installations vulnerable.
The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. [CVSS 8.8 HIGH]
The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above. [CVSS 4.3 MEDIUM]
FastDup WordPress plugin versions up to 2.7.1 fail to validate user permissions on REST API endpoints, allowing Contributor-level authenticated users to create and download complete site backups including databases and configuration files. This HIGH severity vulnerability (CVSS 8.8) affects all WordPress installations using the affected plugin versions, with no patch currently available. An attacker with basic authenticated access can extract sensitive data and obtain a full copy of the WordPress installation for further exploitation.
Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).
The Activity Log for WordPress plugin through version 1.2.8 fails to validate user permissions on the winter_activity_log_action() function, allowing authenticated subscribers and higher to access sensitive activity logs containing administrator credentials and other confidential data. An attacker with low-privilege WordPress access can exploit this missing capability check to read potentially sensitive information from exposed log files. No patch is currently available for this vulnerability.
Customer Reviews for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).
The Converter for Media WordPress plugin through version 6.5.1 contains a server-side request forgery vulnerability in the image loading function that allows unauthenticated attackers to make arbitrary web requests from the affected server. This could enable attackers to probe internal services and potentially read or modify sensitive data accessible from the web application. No patch is currently available.
Privilege escalation in Prime Listing Manager WordPress plugin through 1.1 allows unauthenticated administrative access.
The LatePoint Calendar Booking Plugin for WordPress versions up to 5.2.6 fails to validate user permissions on the load_step() function, allowing unauthenticated attackers to retrieve sensitive booking data such as customer names, emails, phone numbers, and appointment details. This network-accessible vulnerability requires no user interaction and affects all installations of the plugin without the patch. No patch is currently available to remediate this exposure.
Authentication bypass in AdForest WordPress theme (all versions through 6.0.12) allows unauthenticated attackers to take over any user account.
The Product Options and Price Calculation Formulas for WooCommerce - Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. [CVSS 5.8 MEDIUM]
WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface. [CVSS 6.4 MEDIUM]
Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces. [CVSS 5.5 MEDIUM]
PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.
Unauthenticated attackers can extract protected post metadata from WordPress sites running WPZOOM Addons for Elementor plugin version 1.3.2 and earlier due to missing capability validation in an AJAX function. The vulnerability enables disclosure of draft, future, and pending post titles and excerpts that should remain hidden from anonymous users. No patch is currently available.
The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access t...
Stored XSS in WordPress Slideshow WP plugin through version 1.1 allows authenticated users with contributor-level access to inject malicious scripts via the 'sswpid' shortcode attribute due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling attackers to steal session data or perform unauthorized actions. No patch is currently available for this vulnerability.
Stored XSS in BuddyHolis ListSearch plugin for WordPress through version 1.1 allows authenticated contributors and above to inject malicious scripts into pages via inadequately sanitized shortcode attributes. When site visitors access compromised pages, the injected scripts execute in their browsers, potentially enabling account hijacking, session theft, or malicious redirects. No patch is currently available for this vulnerability.
The WaMate Confirm Order Confirmation WordPress plugin through version 2.0.1 fails to enforce proper authorization checks, allowing authenticated subscribers and higher-privileged users to manipulate phone number blocking settings that should be restricted to administrators. This improper access control vulnerability enables low-privileged attackers to disrupt phone number management functionality without administrative consent.
The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerability in its codeflask shortcode due to inadequate input validation and output encoding. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute for all visitors accessing affected pages. No patch is currently available.
Stored XSS in OpenPOS Lite for WooCommerce plugin (versions up to 3.0) allows authenticated contributors and above to inject malicious scripts via the order_qrcode shortcode's width parameter, which execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content without user interaction. No patch is currently available.
Stored cross-site scripting in the WordPress Microtango plugin through version 0.9.29 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'restkey' parameter that execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping in the mt_reservation shortcode. No patch is currently available.
Stored cross-site scripting in the HTML Tag Shortcodes WordPress plugin through version 1.1 allows authenticated contributors and above to execute arbitrary scripts on site pages through inadequately sanitized shortcode attributes. Affected users will run attacker-injected code whenever they visit compromised pages, potentially leading to session hijacking or malicious content injection.
Stored XSS in the WDES Responsive Popup WordPress plugin through version 1.3.6 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wdes-popup-title' shortcode due to inadequate input sanitization. When victims visit affected pages containing the injected payload, the scripts execute in their browsers, potentially compromising site integrity and user data. No patch is currently available.
The Twitter posts to Blog plugin for WordPress versions up to 1.11.25 lacks proper access controls on the settings function, allowing unauthenticated attackers to modify plugin configuration including Twitter API credentials and post parameters. This capability check bypass could enable attackers to hijack the plugin's functionality or escalate privileges within WordPress installations. No patch is currently available for this vulnerability.
The Invoct PDF Invoices & Billing for WooCommerce plugin through version 1.6 fails to enforce capability checks, allowing authenticated Subscriber-level users to access sensitive data including invoice details, client information, and WordPress user email addresses. This privilege escalation vulnerability affects all WordPress installations using the affected plugin versions and has no available patch.
Remote code execution in the Custom Block Builder - Lazy Blocks WordPress plugin through version 4.2.0 allows authenticated users with Contributor privileges or higher to execute arbitrary code on the server via vulnerable functions in the LazyBlocks_Blocks class. This high-severity vulnerability (CVSS 8.8) affects all installations of the affected plugin versions with no patch currently available.
The MMA Call Tracking WordPress plugin through version 2.3.15 lacks proper CSRF protection on its admin configuration page, allowing attackers to modify call tracking settings by tricking site administrators into clicking malicious links. An unauthenticated attacker can alter plugin configurations without authorization through forged requests. No patch is currently available for this vulnerability.
Stored XSS in WordPress Category Image plugin through version 2.0 allows authenticated users with Editor access or higher to inject malicious scripts via the tag-image parameter due to insufficient input validation. When other users view affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or site defacement. No patch is currently available.
The WPlyr Media Block plugin for WordPress through version 1.3.0 contains a stored cross-site scripting vulnerability in the '_wplyr_accent_color' parameter due to inadequate input sanitization, allowing authenticated administrators to inject malicious scripts that execute in other users' browsers. This requires high-privilege access and manual user interaction but impacts site integrity and user security across affected pages.
The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.
WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).
The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. [CVSS 6.5 MEDIUM]
Orbisius Random Name Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored cross-site scripting in Beaver Builder Page Builder plugin for WordPress through version 2.10.0.5 allows authenticated users with Custom-level access or higher to inject malicious scripts into global settings that execute for all site visitors. The vulnerability stems from missing capability checks and insufficient input sanitization in the save_global_settings() function. Attackers can exploit this to deface pages, steal credentials, or perform actions on behalf of other users viewing affected content.
The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. [CVSS 4.3 MEDIUM]
Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).
The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]
Unauthenticated attackers can extract arbitrary post metadata from WordPress sites running Ninja Forms plugin versions up to 3.14.0 through improper merge tag filtering in repeater fields, potentially exposing sensitive data like API keys, billing information, and customer details. The vulnerability is exploitable remotely without authentication via the nf_ajax_submit AJAX action and currently lacks a patch.
Stored cross-site scripting in The Events Calendar Shortcode & Block plugin for WordPress up to version 3.1.2 allows authenticated users with contributor-level access to inject malicious scripts through the `ecs-list-events` shortcode's `message` attribute due to inadequate input sanitization. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. A patch is not currently available.
The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.
The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. [CVSS 5.4 MEDIUM]
Unauthenticated attackers can exploit an authorization bypass in the WCFM Marketplace plugin for WordPress (versions up to 3.7.0) to create arbitrary refund requests via the wcfm-refund-requests-form AJAX endpoint. This IDOR vulnerability allows unauthorized refund submissions for any order, potentially resulting in financial losses if automatic refund processing is enabled. No patch is currently available.
Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.
Unauthorized option modification in WCFM - Frontend Manager for WooCommerce up to version 6.7.24 allows authenticated Shop Manager-level users to bypass capability checks and alter arbitrary WordPress settings. An attacker with these privileges can exploit this to change the default registration role to administrator and enable user registration, gaining full admin access to the site. No patch is currently available for this vulnerability.
WooCommerce Memberships for Multivendor Marketplace versions up to 2.11.8 is affected by authorization bypass through user-controlled key (CVSS 4.3).
Fluent Forms Pro Add On Pack (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 5.4).
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]
Privilege escalation in JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 affected.
Advanced Country Blocker (WordPress plugin) versions up to 2.3.1 contains a security vulnerability (CVSS 5.3).
Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.
The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.
Stored XSS in the Wonka Slide WordPress plugin (versions up to 1.3.3) allows authenticated users with contributor-level permissions to inject malicious scripts through the `list_class` shortcode attribute due to inadequate input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.
Stored XSS in WordPress Wikiloops Track Player plugin (versions up to 1.0.1) allows authenticated contributors and above to inject malicious scripts through the wikiloops shortcode due to inadequate input sanitization and output escaping. Injected scripts execute in the browsers of users viewing affected pages, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.
Stored cross-site scripting in the WordPress Video Onclick plugin through version 0.4.7 allows authenticated contributors and above to inject malicious scripts into pages via the youtube shortcode due to inadequate input sanitization. When users access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive information. No patch is currently available.
Stored XSS in the OMIGO WordPress plugin through version 3.3 allows authenticated contributors and above to inject malicious scripts via the omigo_donate_button shortcode due to inadequate input sanitization, executing arbitrary code when users view affected pages. The vulnerability requires low privileges but impacts all users accessing compromised content, with no available patch as of now.
Simple Bible Verse via Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The TITLE ANIMATOR plugin for WordPress lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin configuration through forged requests if a site administrator clicks a malicious link. This vulnerability affects all versions up to 1.0 and requires social engineering to exploit but poses a direct integrity risk to plugin functionality and site configuration.
The Premmerce WordPress plugin through version 1.3.20 contains a stored cross-site scripting vulnerability in the wizard AJAX endpoint due to inadequate input sanitization and output escaping on the state parameter. Authenticated users with subscriber-level permissions can inject malicious scripts that execute in the admin wizard interface when accessed by other users. No patch is currently available for this medium-severity vulnerability affecting plugin installations.
The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]
The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. [CVSS 4.3 MEDIUM]
The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks [CVSS 5.5 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]