XSS

Stored cross-site scripting in MeshCore Card (Lovelace card for Home Assistant) prior to 0.3.3 allows any MeshCore radio node within direct or repeated mesh range to inject JavaScript into the Home Assistant frontend by setting a malicious node name. Exploitation requires a victim to view the card, and no public exploit has been identified at time of analysis, though the GHSA-5vrg-xpcj-xppc advisory confirms the issue and the 0.3.3 fix.

Stored XSS via bypass in Symfony's HtmlSanitizer component allows `javascript:` URIs to survive sanitization when applications use permissive configurations that admit `action`, `formaction`, `poster`, or `cite` attributes. The root cause is an incomplete attribute list in `UrlAttributeSanitizer::getSupportedAttributes()`, which caused `DomVisitor` to skip URI scheme validation entirely for those four attribute types. No public exploit identified at time of analysis and no CVSS score has been assigned, but successful exploitation enables JavaScript execution in victims' browsers - with the attack gated behind non-default sanitizer configuration choices made by the integrating application.

Stored cross-site scripting in TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript by forging mce:protected comments that bypass the editor's sanitization layer. Affected deployments are those using the protect configuration option in versions prior to 5.11.1, 7.9.3, and 8.5.1, where malicious scripts execute when previously stored content is restored into the editor context. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 8.7 (scope-changed) rating reflects high confidentiality and integrity impact against the user's browser session.

Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via crafted data-mce-* attributes that execute in victim browsers when the rendered content is viewed. Affects TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1 where the media plugin is enabled, with no public exploit identified at time of analysis despite a high CVSS score of 8.7 driven by scope change and confidentiality/integrity impact.

Stored cross-site scripting in TinyMCE rich text editor versions prior to 5.11.1, 7.9.3, and 8.5.1 allows authenticated attackers to inject malicious payloads via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes that override safe attributes during serialization. The scope-changing CVSS 8.7 score reflects that successful exploitation impacts other users viewing the rendered content, and no public exploit identified at time of analysis though the upstream GitHub advisory provides technical detail useful to researchers.

Stored/reflected cross-site scripting in TinyMCE rich text editor versions 6.8.0 through 7.0.x allows authenticated users to inject and execute arbitrary JavaScript in the context of any application embedding the editor. The flaw stems from improper SVG namespace scope handling in the built-in sanitizer, letting nested-element payloads bypass attribute sanitization. No public exploit identified at time of analysis, but the issue is disclosed via a GitHub security advisory with a CVSS of 8.7 reflecting scope change to the embedding application.

Stored Cross-Site Scripting in the Shariff Wrapper WordPress plugin (all versions ≤ 4.6.20) allows authenticated Contributors to inject persistent JavaScript payloads via the 'headline' parameter of the [shariff] shortcode, which then execute in any visitor's browser upon page load. The Changed scope (S:C in CVSS) means the injected payload escapes the plugin's context and runs inside victim browsers across the full WordPress front-end, enabling session theft, credential harvesting, or drive-by redirection. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and persistent nature of stored XSS make it a meaningful risk on multi-author or open-registration WordPress installations.

Stored cross-site scripting in the HT Contact Form - Drag & Drop Form Builder for WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to inject persistent JavaScript via the 'file_upload' parameter, which gets rendered via dangerouslySetInnerHTML in the admin entry viewer. The injected payload executes in the browser context of any administrator who opens the affected submission, enabling session theft, privilege abuse, or arbitrary admin actions. No public exploit identified at time of analysis, and the issue requires the plugin's 'Store Submissions' setting to be enabled for the unsanitized values to persist.

Reflected Cross-Site Scripting in the Easy Updates Manager WordPress plugin (versions ≤ 9.0.20) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'paged' parameter in the pagination() function of MPSUM_List_Table.php. Successful exploitation requires social engineering a logged-in WordPress administrator into clicking a crafted URL, after which the injected script executes in the admin's browser under the site's origin - enabling session hijacking, unauthorized admin actions, or credential theft. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Stored cross-site scripting in the SlimStat Analytics WordPress plugin (versions through 5.4.11) allows unauthenticated attackers to inject arbitrary JavaScript via the User-Agent request header, which is persisted unsanitized and later rendered inside the admin Browsers report tooltip. Exploitation requires the non-default 'show_complete_user_agent_tooltip' setting to be enabled by an administrator, after which any admin viewing the affected report executes the attacker's script. No public exploit identified at time of analysis and no EPSS or CISA KEV signal is provided in the supplied data.

Stored XSS in MISP CTI Transmute's notification bell dropdown allows an attacker who can control convert names to inject arbitrary JavaScript that executes in authenticated users' browsers upon opening the notification panel. The vulnerability, tracked as EUVD-2026-32728 and reported by CIRCL, stems from innerHTML-based rendering of user-controlled notification content in base.html and affects all versions prior to upstream commit cf42409 - critically, only on the development branch, not production releases. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P reflects that exploitation requires the attacker to first influence a convert name surfaced in a notification.

Stored Cross-Site Scripting in the LiveSmart Video Chat WordPress plugin (all versions through 1.2) allows authenticated contributors to inject persistent malicious scripts via the 'livesmart_widget' shortcode attribute, which execute in any visitor's browser upon page load. The CVSS Scope:Changed rating confirms cross-user impact - a contributor's injected payload can hijack administrator sessions, exfiltrate cookies, or perform unauthorized actions on behalf of higher-privileged victims. No public exploit code and no CISA KEV confirmation exist at time of analysis, but the low privilege bar (contributor-level) meaningfully widens the realistic attacker pool on multi-author WordPress deployments.

Stored cross-site scripting in the Login No Captcha reCAPTCHA WordPress plugin (versions up to and including 1.8.0) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in an administrator's browser session. The flaw, reported by Wordfence, stems from unsanitized handling of the PHP_SELF superglobal during failed logins via non-standard endpoints such as xmlrpc.php, with no public exploit identified at time of analysis and no CISA KEV listing.

HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier expose a misconfigured Content Security Policy that omits fallback directives, permitting browsers to bypass intended origin restrictions and load unauthorized external resources. The Changed Scope (S:C) in the CVSS vector confirms that exploitation can affect resources or contexts beyond the vulnerable WebUI component itself - consistent with the XSS tag indicating potential cross-origin script injection. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the high-privilege and user-interaction prerequisites substantially constrain the realistic attack surface.

Stored XSS in Symfony's WebProfiler `CodeExtension::fileExcerpt()` allows JavaScript execution in a developer's browser when the profiler renders non-PHP files containing attacker-controlled content. Affected are symfony/symfony 6.4.24-6.4.39, 7.2.9-7.4.11, and 8.0.0-8.0.11, along with symfony/twig-bridge 6.4.24-6.4.39. The attack requires a separate write primitive to any file under the project root - log poisoning via `var/log/dev.log` is the canonical vector - after which exploitation is reliable and requires only developer interaction with the profiler. No public exploit has been identified at time of analysis, and the vulnerability is scoped to development environments only.

Stored cross-site scripting in the RELATE web courseware lets any enrolled student inject JavaScript that executes in an administrator's authenticated browser session, enabling full admin account takeover. The payload is planted via the freely editable first_name/last_name fields on the /profile/ page and fires when an admin opens the Participation list in the Django admin panel. No public exploit has been identified, but the root cause is confirmed in source and fixed upstream; with a CVSS of 8.7 and a scope-changing impact, this is a high-severity privilege-escalation issue.

Stored cross-site scripting in Budibase before 3.39.0 lets any low-privileged BASIC app user with WRITE access to a table inject persistent JavaScript that executes in the browser of anyone who later views the data. The flaw lives in the Text component's Markdown rendering, where untrusted column values are converted to HTML and written directly to the DOM without sanitization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the issue is fixed in 3.39.0.

Stored cross-site scripting in creatorsofcode's simplephp admin panel allows authenticated low-privileged users to inject persistent malicious scripts via the /admin/config-module.php configuration endpoint. When an administrator or privileged user subsequently views the affected page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exists per SSVC intelligence; this CVE is not currently listed in CISA KEV.

Stored cross-site scripting in Webmin's mailboxes component (detach.cgi) allows a remote unauthenticated attacker to execute arbitrary JavaScript in the browser session of an authenticated Webmin user by sending an email containing a crafted SVG attachment. Because detach.cgi served SVG files with the image/svg+xml content type instead of a safe type, browsers treated the SVG as an active document on the Webmin origin, enabling script execution with full same-origin access to the Webmin interface. No public exploit has been identified and CISA has not listed this in KEV, but the attack surface is straightforward given the ubiquity of email as a delivery channel and Webmin's privileged system-administration context.

Stored Cross-Site Scripting in the Advanced Custom Fields: Font Awesome Field WordPress plugin (versions through 5.0.2) allows authenticated low-privileged users to inject persistent malicious scripts into web pages viewed by other users. The changed scope (S:C in CVSS) confirms that injected payloads execute in victims' browsers, potentially enabling session hijacking, credential theft, or unauthorized admin-level actions on the WordPress site. No public exploit code has been identified at time of analysis, and SSVC classifies exploitation as none with partial technical impact.

Stored cross-site scripting in Jenkins buildgraph-view Plugin 1.8 and earlier allows authenticated attackers with job or view configuration privileges to inject persistent malicious scripts via an unescaped build URL. Any Jenkins user who subsequently views the affected build graph page triggers execution of the attacker-controlled script in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is known; SSVC rates exploitation status as none with partial technical impact.

Stored cross-site scripting in Agent Zero before version 1.15 enables arbitrary JavaScript execution in the application origin by exploiting the image_get API endpoint's failure to set Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers when serving SVG files. An unauthenticated attacker (CVSS PR:N) who can write a crafted SVG to any filesystem path readable by the agent-zero process can then socially engineer an authenticated user into visiting the endpoint, causing the browser to execute embedded scripts, exfiltrate the csrf_token cookie, and issue unauthorized API calls on the victim's behalf. No public exploit has been identified at time of analysis, and SSVC classifies exploitation as none with automatable set to no, reflecting the mandatory user-interaction prerequisite.

Stored cross-site scripting (XSS) in the RabbitMQ Management Plugin web UI allows a high-privileged authenticated attacker to inject malicious script content that executes in the browser of another administrative user viewing the affected page. Affected deployments span RabbitMQ Server 3.7.0 through 4.0.12 and 4.1.0-alpha through 4.1.1. No public exploit code or active exploitation has been identified at time of analysis; however, successful exploitation can result in high confidentiality impact, consistent with session token theft or credential harvesting within the management console.

Cross-site scripting in IBM Cognos Analytics and IBM Cognos Transformer allows a remote authenticated attacker to inject arbitrary JavaScript into the web user interface, executing in the browser context of other users within a trusted session. Affected versions span IBM Cognos Analytics 11.2.0 through 12.1.0 and IBM Cognos Transformer 11.2.4 through 12.1.0. The primary risk is credential disclosure - an attacker who can plant a payload could harvest session tokens or credentials from other authenticated users. No public exploit code exists and CISA SSVC rates exploitation as none at time of analysis.

DOM-based cross-site scripting in the VikBooking Hotel Booking Engine & PMS WordPress plugin (all versions up to and including 1.8.9) lets a remote, unauthenticated attacker run arbitrary JavaScript in a victim's browser when the victim is lured into interacting with a crafted link or page. Because the script executes client-side with changed scope (S:C), it can affect resources beyond the vulnerable component, such as the WordPress admin or booking sessions. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, so this is a real but lower-urgency client-side issue rather than a mass-exploitation threat.

Stored cross-site scripting in the Affiliate Super Assistent WordPress plugin (slug: amazonsimpleadmin, by Timo) affects all versions from initial release through 1.10.1, letting attackers persist malicious JavaScript that runs in the browser of any user who later loads the affected page. With a scope-changed CVSS of 7.1 (AV:N/AC:L/PR:N/UI:R), the payload can be planted without authentication but only fires when a victim views the rendered content. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, consistent with CISA's SSVC rating of no observed exploitation.

Reflected cross-site scripting in the Favicon plugin by RealFaviconGenerator (phbernard) for WordPress affects all releases up to and including version 1.3.46, allowing unauthenticated attackers to deliver a crafted link that, when opened by a victim, executes attacker-controlled JavaScript in that user's browser session. The CVSS 3.1 base score is 7.1, driven largely by a scope change (S:C) that lets the injected script reach resources beyond the plugin itself, though exploitation requires user interaction. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; EPSS is very low at 0.03% (10th percentile), indicating little observed exploitation interest so far.

Stored XSS in the Booking Manager WordPress plugin (wpdevelop) versions through 2.1.18 allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers. The CVSS scope change (S:C) indicates injected scripts can affect resources beyond the plugin itself - most critically, administrator sessions viewing booking data. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals minimal observed exploitation interest currently.

Stored Cross-Site Scripting in the WPComplete WordPress plugin (all versions through 2.9.5.4) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers upon viewing affected content. The CVSS changed scope (S:C) is the critical risk factor: a contributor- or author-level account can craft payloads that execute in the session of higher-privileged users, including administrators, enabling session hijacking or unauthorized admin actions. No public exploit identified at time of analysis, and an EPSS score of 0.03% (10th percentile) reflects low broad exploitation probability, though the admin-targeting potential elevates real-world concern for multi-user WordPress deployments.

DOM-based cross-site scripting in the Advanced IP Blocker WordPress plugin (IniLerm) affects all versions from initial release through 8.10.7, letting an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser when that victim is lured into triggering crafted input. Because the CVSS scope is marked changed (S:C), the injected script can affect resources beyond the vulnerable component, though confidentiality, integrity, and availability impacts are each rated low. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible at 0.03% (10th percentile).

Stored cross-site scripting in the Smart Online Order for Clover WordPress plugin by ZAYTECH (versions up to and including 1.6.0) lets attackers inject persistent JavaScript that executes when a victim - typically a store administrator - loads the affected page. Because the CVSS vector marks privileges as none (PR:N) but user interaction as required (UI:R), the malicious input can be planted without authentication and is triggered later when a privileged user views it. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 10th percentile), indicating exploitation is not currently widespread.

Reflected cross-site scripting in the Geo Mashup WordPress plugin (Dylan Kuhn) affects all versions up to and including 1.13.19, letting an unauthenticated attacker inject script that executes in a victim's browser when they click a crafted link. The CVSS 3.1 base score is 7.1 with a changed scope, reflecting that injected script can affect resources beyond the vulnerable component, though confidentiality, integrity, and availability impacts are each rated low. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis.

DOM-Based cross-site scripting in RealMag777's WPCS (Currency Switcher) WordPress plugin affects all versions through 1.3.1 (EUVD-2026-32184), allowing remote unauthenticated attackers to inject script that executes in a victim's browser when the victim is lured into a crafted interaction. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) reflects network-reachable, no-privilege exploitation that requires user interaction but crosses a security scope boundary. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 10th percentile), indicating little observed real-world targeting.

DOM-based cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.2) lets a remote, unauthenticated attacker inject script that executes in a victim's browser when they interact with a crafted link or page element. Reported through Patchstack's audit program and tracked as EUVD-2026-32180, the flaw carries a CVSS 7.1 rating driven largely by its changed scope, but EPSS rates exploitation probability at just 0.03% (10th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Stored cross-site scripting in the HT Contact Form 7 (ht-contactform) WordPress plugin by HT Plugins, affecting all versions up to and including 2.8.2, lets a remote unauthenticated attacker persist malicious script that later executes in the browser of a privileged user who views the stored data. The CVSS 3.1 base score is 7.1, elevated by a changed scope (S:C), but EPSS is only 0.03% (10th percentile) and there is no public exploit identified at time of analysis. Disclosed via Patchstack (audit@patchstack.com) and tracked as ENISA EUVD-2026-32186.

Reflected Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions ≤ 3.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'url' parameter on the plugin's redirect page. Successful exploitation requires tricking a WordPress user into clicking a specially crafted link, after which the malicious script executes in the victim's browser within the scope of the WordPress site - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit has been identified at time of analysis; EPSS stands at 0.06% (19th percentile) and CISA SSVC rates exploitation status as none, indicating minimal real-world exploitation activity at this time.

Stored Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions through 3.6.1) allows authenticated administrators to persist malicious JavaScript payloads via the plugin's settings fields - including Description and Title - which then execute in the browsers of any user who accesses the plugin's redirect pages. The attack is constrained to multi-site WordPress deployments or single-site installations where unfiltered_html has been explicitly disabled, and requires Administrator-level credentials, substantially narrowing real-world exposure. No public exploit code has been identified at time of analysis, and EPSS stands at a very low 0.03% (8th percentile), consistent with the narrow exploitation window.

Stored Cross-Site Scripting in the myLinksDump WordPress plugin (all versions ≤1.6) allows authenticated administrators to permanently inject arbitrary JavaScript into pages via the unsanitized 'link_title' parameter, executing in any victim's browser upon page access. Exploitation is constrained to WordPress multi-site environments or single-site installs with unfiltered_html disabled, and requires administrator-level credentials plus victim interaction. EPSS is 0.03% (9th percentile) and SSVC confirms no known exploitation, placing this firmly in a low-priority tier despite the stored XSS class.

Stored Cross-Site Scripting in the rexCrawler WordPress plugin (versions ≤ 1.0.15) allows authenticated administrators to inject persistent malicious scripts into settings pages, which then execute in the browsers of any user who accesses those pages. The vulnerability originates in admin_main.php at two distinct injection points (lines 108 and 239) and is constrained to multi-site WordPress environments or single-site installs where the unfiltered_html capability has been explicitly disabled. With an EPSS of 0.02% (7th percentile), no CISA KEV listing, and SSVC exploitation status of 'none', this represents a low-urgency finding despite its network-accessible attack vector. No public exploit code has been identified at time of analysis.

DOM-Based Cross-Site Scripting in the Averta Master Slider WordPress plugin (versions through 3.10.8) enables authenticated low-privilege users to inject persistent malicious scripts that execute in the browsers of other site visitors. The CVSS Scope:Changed flag (S:C) confirms the injected payload can escape the plugin's context and affect the broader browser environment, enabling session hijacking or admin action forgery against higher-privileged users. No public exploit code exists and EPSS at 0.03% (10th percentile) aligns with SSVC's 'Exploitation: none' classification - this is a real but moderate-priority finding gated behind authentication and victim interaction requirements.

Reflected cross-site scripting in Jthemes' Themebox - Digital Products Ecommerce WordPress theme (versions through 1.4.2) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. With CVSS 7.1 (scope-changed, low impact across confidentiality, integrity and availability), successful exploitation can hijack session context or perform actions in the WordPress admin/store context, though it requires the victim to click an attacker-supplied URL. No public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), indicating minimal observed exploitation interest.

Reflected cross-site scripting in the RiceTheme Felan Framework WordPress plugin (all versions through 1.1.3) lets a remote unauthenticated attacker inject script that executes in a victim's browser when the victim follows a crafted link. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity, network-reachable flaw requiring user interaction with a changed scope, scored 7.1. There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), consistent with the CISA SSVC assessment of no observed exploitation.

Cross-site scripting in Synology Contacts before version 1.0.10-20659 allows authenticated remote users to read or write specific files containing non-sensitive information by injecting malicious input through the contact functionality. The CVSS scope change (S:C) confirms the injected script executes in a context beyond the originating application, affecting any victim who views the crafted contact entry. No public exploit identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

Stored XSS in Synology Safe Access before 1.3.1-0329 on SRM (Synology Router Manager) allows remote authenticated administrators to inject malicious scripts that execute in the SRM context, enabling limited reads or writes of non-sensitive files and constrained denial-of-service conditions. The CVSS Scope:Changed rating confirms cross-component impact - the vulnerability originates in the Safe Access module but affects the broader SRM platform. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% and SSVC exploitation status of 'none' collectively indicate negligible current threat in the wild.

Stored cross-site scripting in the HBook hotel booking plugin for WordPress (all versions through 2.1.6) lets unauthenticated attackers persist arbitrary JavaScript through the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' booking parameters. The payload is stored server-side and fires in the privileged context of the HBook Customers admin page, so a no-privilege injection escalates into the administrator's browser session (reflected in the Scope:Changed rating that drives the 7.2 score). There is no public exploit identified at time of analysis and the EPSS probability is very low (0.06%, 17th percentile).

Stored Cross-Site Scripting in the Github Shortcode plugin for WordPress (all versions through 0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'repo' attribute of the 'github' shortcode. Any user who subsequently visits the injected page triggers execution of the attacker-controlled script in their browser context. No public exploit has been identified at time of analysis and EPSS places exploitation probability at 0.03% (9th percentile), though the low barrier to exploitation for any site permitting contributor accounts warrants attention.

Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).

Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.

Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.

Stored cross-site scripting in the LiteSpeed Cache plugin for WordPress (all versions through 7.7) lets attackers persist arbitrary JavaScript into a site's frontend by abusing the unauthenticated /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST endpoints, which store QUIC.cloud-supplied CSS to disk and later render it inline without escaping. Exploitation is conditional: the endpoints are protected by IP-based access control that only becomes bypassable in certain reverse-proxy, load-balancer, or CDN deployments. No public exploit identified at time of analysis, and EPSS is low (0.07%, 20th percentile), consistent with CISA SSVC marking exploitation status as 'none' despite 'automatable: yes'.

Reflected Cross-Site Scripting in the Gutenverse plugin for WordPress (all versions through 3.4.6) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious search URL. The vulnerability arises from the plugin's search-result-title block outputting the raw search query string directly into page HTML without sanitization. Exploitation requires user interaction (victim must click a crafted link) and the gutenverse/search-result-title block must be present on the site's search results template. No public exploit code has been identified at time of analysis, and CISA KEV confirmation of active exploitation is absent.

Stored XSS in WPBakery Page Builder Addons by Livemesh (all versions through 3.9.4) allows authenticated WordPress contributors to inject persistent JavaScript into site pages via malformed shortcode attributes on the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcodes. The flaw arises from using `wp_json_encode()` instead of `esc_attr()` when embedding shortcode attributes into single-quoted HTML `data-settings` attributes, enabling an attacker to inject a literal single quote and escape the attribute boundary. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) reflects low current exploitation interest, and the practical attack surface is constrained to WordPress sites where untrusted users hold Contributor-level access.

Stored Cross-Site Scripting in the Auto Thumbnail WordPress plugin (all versions up to and including 1.0) enables authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'width' and 'height' attributes of the 'thumbnails' shortcode. The injected payload executes in the browser of any subsequent visitor who loads the affected page, crossing trust boundaries from the WordPress server context into victims' sessions (CVSS S:C). No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog; EPSS of 0.03% (9th percentile) reflects low predicted exploitation probability, though the stored nature of the flaw amplifies impact relative to reflected XSS.

Stored Cross-Site Scripting in the Events In City WordPress plugin (versions ≤3.0) allows contributor-level authenticated users to inject persistent JavaScript payloads via unsanitized 'org-events' shortcode attributes handled by the org_event_scode() function. The CVSS scope is Changed (S:C), meaning injected scripts execute in victims' browsers outside the plugin's own context, enabling session hijacking, credential theft, or unauthorized actions against any user who views an affected page. No public exploit identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low current exploitation likelihood, though the contributor-level access requirement is a realistic attack surface on multi-author WordPress sites.

Stored Cross-Site Scripting in the Shortcode Buddy WordPress plugin (all versions ≤ 0.1.9.5) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into pages via unsanitized shortcode attributes, executing in any visitor's browser upon page load. The Changed scope (S:C) in the CVSS vector confirms the injected payload escapes the plugin's context and affects users browsing the site, including administrators whose sessions could be hijacked. No public exploit code has been identified at time of analysis, and EPSS sits at 0.03% (9th percentile), indicating low observed exploitation probability, though the contributor-level entry bar makes this a realistic risk on sites with multiple editors.

Stored Cross-Site Scripting in the iWR Tooltip WordPress plugin (versions up to and including 1.0) permits authenticated attackers holding contributor-level accounts or higher to plant persistent malicious scripts via the plugin's `iwrtooltip` shortcode. The root cause is direct string concatenation of the user-supplied `title` attribute into an HTML attribute inside the `iwr_tooltip()` handler at lines 37 and 41 of iwr-tooltip.php, with no call to `esc_attr()` or equivalent escaping. Any site visitor who subsequently loads a page containing the poisoned shortcode will execute the injected script in their browser, with scope-changed impact that can target session tokens, credentials, or site administrative functions. EPSS is 0.03% (9th percentile), and no public exploit or CISA KEV listing exists at time of analysis.

Stored Cross-Site Scripting in the BitForm WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers with contributor-level access or above to inject persistent malicious scripts via unsanitized 'width' and 'height' shortcode attributes in the Shortcode::shortcode() function, which are written directly into the style attribute of an iframe element without escaping. Any user who subsequently views a page containing the injected shortcode will trigger execution of the attacker's script in their browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS places current exploitation probability at 0.03% (9th percentile), indicating this is currently a low-activity finding despite its network-accessible attack vector.

Stored Cross-Site Scripting in the Listen Shortcode WordPress plugin (versions ≤ 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via unsanitized shortcode attributes. The vulnerability exists in the listenEmbedJS() function, which echoes user-supplied src, start, and end attributes directly into a single-quoted HTML attribute context without escaping, enabling script injection that executes in the browsers of any user who later visits the affected page. EPSS is low (0.03%, 9th percentile) and no public exploit or CISA KEV listing has been identified at time of analysis, suggesting limited current exploitation activity.

Stored Cross-Site Scripting in the hk_shortcode WordPress plugin (versions ≤1.0) enables authenticated contributors to inject persistent malicious scripts via the unsanitized 'title' attribute of the 'title-plane' shortcode. The vulnerability stems from direct HTML concatenation of unescaped user input inside the huankong_post_short_title_plane() function - once a crafted post is saved, the payload executes in the browsers of all users who visit the affected page, crossing into their sessions (CVSS S:C). No public exploit code has been identified at time of analysis, and with an EPSS of 0.03% (9th percentile), mass automated exploitation is unlikely; however, multi-author WordPress sites with open contributor registration carry meaningful exposure.

Stored Cross-Site Scripting in the Instant-Quote.co Quotation Page WordPress plugin (all versions ≤1.3.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. The changed-scope CVSS vector (S:C) reflects that injected scripts execute in victim browsers rather than the server, and the plugin's shortcode is exploitable through the WordPress post review workflow - a contributor can embed a malicious shortcode in a draft submitted for editor or administrator review, causing the payload to execute when a privileged user previews the post. No public exploit has been identified and EPSS is very low at 0.04% (12th percentile), indicating limited opportunistic exploitation risk, though the cross-privilege escalation path warrants attention on multi-author WordPress sites.

Stored Cross-Site Scripting in the Responsive Video Embedder WordPress plugin (versions ≤ 0.1) allows authenticated attackers with contributor-level access or above to persistently inject arbitrary JavaScript into WordPress pages via unsanitized shortcode attributes. The root cause is direct, unescaped concatenation of user-supplied 'id' and 'list' attributes into an HTML iframe src attribute inside the video_shortcode() function. Because the CVSS scope is Changed (S:C), injected scripts execute in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No active exploitation has been confirmed and EPSS is very low (0.03%, 9th percentile), but the contributor-level entry bar makes this relevant on multi-author WordPress sites.

Stored Cross-Site Scripting in the Easy Prism Syntax Highlighter WordPress plugin (versions ≤1.0.2) enables authenticated attackers with Contributor-level access to inject persistent JavaScript into WordPress pages via the 'code' or 'c' shortcode. The flaw resides in the shortcode() function, which concatenates the first positional shortcode attribute directly into the class attribute of generated <pre> and <code> HTML elements without invoking esc_attr() or any equivalent escaping - enabling HTML attribute breakout and arbitrary script injection. No public exploit has been identified and EPSS is very low (0.03%, 9th percentile), but the Contributor-level authentication threshold makes this accessible on any multi-author WordPress site without additional barrier.

Stored Cross-Site Scripting in the Content Slideshow WordPress plugin (all versions through 2.4.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes. The vulnerability resides in slideshow-widget-shortcode.php at multiple points (lines 14 and 143) where shortcode attribute values are passed without adequate sanitization or output escaping. The CVSS scope is Changed (S:C), meaning injected scripts execute in the victim's browser context and can affect resources beyond the plugin itself, such as stealing session tokens or performing actions as the visiting user. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS sits at a very low 0.03%.

Stored Cross-Site Scripting in the Animate Your Content WordPress plugin (versions ≤ 1.0.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via the 'animation-set' shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS (0.03%, 9th percentile) together with SSVC exploitation status of 'none' indicate this is currently a low-priority, low-activity vulnerability.

Stored Cross-Site Scripting in the Formidable Kinetic WordPress plugin (versions ≤1.1.01) allows authenticated attackers with contributor-level access to permanently inject malicious scripts into pages via the 'kinetic_link' shortcode. The FrmKinetic::link() function concatenates user-supplied shortcode attributes ('window', 'class', 'label') directly into anchor tag HTML attributes without sanitization or output escaping, meaning any visitor who loads an injected page triggers execution of the attacker's payload in their browser. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) reflects low automated exploitation probability, but the Changed scope (S:C) in the CVSS vector indicates the impact crosses the plugin's security boundary into the broader WordPress page context.

Stored Cross-Site Scripting in the Team Master WordPress plugin (all versions ≤ 1.1.2) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes into WordPress pages, executing against any visitor who subsequently loads the affected page. The scope change (S:C in CVSS) reflects cross-session impact - a low-privileged contributor can compromise higher-privileged users including administrators. No public exploit identified at time of analysis, and EPSS of 0.03% (9th percentile) indicates low current exploitation probability.

Stored Cross-Site Scripting in the Mutual Funds Data WordPress plugin (versions ≤ 1.2.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts into any page using the affected shortcode. The unsanitized 'title' attribute in the mfd_shortcode() function is written directly into a HTML caption element without escaping, meaning injected payloads execute in the browsers of any user who subsequently views the affected page. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects a low current probability of widespread exploitation.

Stored Cross-Site Scripting in the Single Mailchimp WordPress plugin (all versions through 1.4) allows authenticated attackers with contributor-level access to inject persistent JavaScript into WordPress pages via unsanitized shortcode attributes. The six affected attributes - autocomplete, label, placeholder, btn_text, success_msg, and error_msg - are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php without sanitization or output escaping. No public exploit code exists and EPSS places exploitation probability at 0.03% (9th percentile), indicating low real-world exploitation pressure at this time.

Stored Cross-Site Scripting in the Post Category Gallery WordPress plugin (versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via unsanitized shortcode attributes. The injected payload executes in the browsers of any user who visits the affected page, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) indicates very low automated exploitation probability.

Stored Cross-Site Scripting in the jQuery googleslides WordPress plugin (all versions through 1.3) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious scripts via the 'googleslides' shortcode. The vulnerability is confirmed by Wordfence (ENISA EUVD-2026-32069) and traces to the `googleslides_handler()` function directly interpolating ten shortcode attribute values into HTML without the WordPress-standard `esc_attr()` sanitization. The CVSS Changed Scope (S:C) reflects that injected scripts execute in victims' browsers outside the plugin's own domain; EPSS at 0.03% (9th percentile) and absence from CISA KEV indicate no public exploit or confirmed active exploitation at time of analysis.

Stored Cross-Site Scripting in the Dideo plugin for WordPress version 1.0 allows authenticated contributors to inject persistent malicious scripts into any page using the 'dideo' shortcode. The 'id' shortcode attribute is interpolated directly into an HTML iframe 'src' attribute without sanitization or output escaping in the dideo() handler, meaning injected payloads execute automatically in the browser of any user who visits the affected page. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects low current exploitation interest, but the stored nature and scope-changed CVSS vector (S:C) elevate concern for multi-author WordPress deployments.

Stored Cross-Site Scripting in the Tuxquote WordPress plugin (versions up to and including 1.3) enables authenticated attackers holding Contributor-level access or above to inject persistent malicious scripts into WordPress pages via unsanitized shortcode attributes. The `tuxquote_build_format()` function concatenates user-supplied `title`, `align`, and `width` attributes from the TUXQUOTE shortcode directly into rendered HTML without passing them through WordPress's built-in `esc_attr()` or `esc_html()` escaping functions, allowing the payload to persist and execute in any visitor's browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects minimal real-world exploitation activity to date.

Stored Cross-Site Scripting in the Islamic Database WordPress plugin (versions ≤ 1.0) allows authenticated contributors to persistently inject arbitrary JavaScript into WordPress pages via the 'islamicDB-roqya' shortcode's 'width' and 'height' attributes. The flaw originates in the islamicDB_sc_quran_qari_roqya() function, which concatenates these shortcode attribute values directly into HTML iframe attribute values without sanitization or output escaping. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation probability, though the contributor-level access requirement is a realistic barrier given how many WordPress sites grant that role to content editors.

Stored Cross-Site Scripting in the Responsive Check WordPress plugin (versions ≤ 0.0.3) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'url' and 'button' attributes of the [rspcheck] shortcode. The payload executes in the browser of any user who visits an affected page, with a CVSS scope-change designation (S:C) reflecting cross-user impact. No public exploit has been identified and the EPSS score of 0.03% (9th percentile) places real-world exploitation probability firmly at the low end, though sites with open contributor registration remain meaningfully exposed.

Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'gplusnamelink' shortcode's 'id' and 'name' attributes. The root cause is the absence of WordPress output-escaping functions (esc_attr() or esc_html()) in the gplusnamelink_generate() function, permitting raw attribute values to be concatenated directly into rendered HTML. Scope is Changed (S:C) per CVSS, meaning the injected script executes in victims' browser sessions outside the plugin's own security context. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low observed exploitation probability.

Stored Cross-Site Scripting in the WP Iframe Geo Style for Amazon affiliates WordPress plugin (all versions ≤1.1) allows authenticated attackers holding contributor-level roles to persist malicious JavaScript in page content via the unsanitized 'adid' shortcode attribute. The injected script executes automatically in any visitor's browser upon page load, with changed scope (S:C) confirming the payload crosses the attacker's own security boundary to impact other users. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects low current exploitation probability, though the contributor-level access requirement is achievable on many open-registration WordPress sites.

Reflected Cross-Site Scripting in the NS Product icon badge WordPress plugin (all versions through 1.2.4) enables unauthenticated remote attackers to inject arbitrary JavaScript via the PHP_SELF superglobal, which is reflected into page output without sanitization or escaping across at least four code locations in ns_addNewOptionsPage.php. Exploitation requires convincing a victim (typically an authenticated WordPress admin) to click a crafted link, limiting mass exploitation but enabling targeted session hijacking or credential theft against site administrators. No active exploitation is confirmed (not in CISA KEV), and EPSS at 0.09% (26th percentile) indicates low current exploitation probability.

Stored Cross-Site Scripting in the Endless Scroll WordPress plugin (all versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via shortcode attributes, which execute in any visitor's browser upon page load. The CVSS scope change (S:C) confirms the payload crosses security boundaries - executing outside the WordPress application context - enabling session theft, credential harvesting, or malicious redirects against site visitors. No public exploit has been identified at time of analysis, and EPSS at 0.03% (9th percentile) reflects very low current exploitation probability, though the low privilege bar (contributor role) elevates risk on sites with open or loosely managed user registration.

Stored Cross-Site Scripting in the GBI To Print WordPress plugin version 1.0 allows authenticated attackers with contributor-level access to inject persistent malicious scripts into WordPress pages via the unsanitized 'div' attribute of the 'gbitoprint' shortcode. The root cause is a direct concatenation of raw shortcode attribute input into HTML output inside gbi_toprint_shortcode() at gbitoprint.php line 86, with no call to esc_attr() or equivalent WordPress sanitization. Any site visitor loading a page containing the injected shortcode will execute the attacker-controlled script in their browser, enabling session theft, credential harvesting, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS signals low near-term mass exploitation probability.

Stored cross-site scripting in the GNTT Post Title Ticker WordPress plugin version 1.0 allows authenticated contributors to inject persistent malicious JavaScript via unsanitized shortcode attributes across three display functions. The vulnerability arises from direct HTML concatenation of user-controlled values - including border, width, height, header_background, header_text_color, and id - without any escaping in gntt_title_ticker_slide(), gntt_title_ticker_fade(), and gntt_title_ticker_typing(). No public exploit has been identified at time of analysis, and the EPSS exploitation probability stands at a low 0.03%, suggesting limited real-world interest despite an accessible contributor-level attack surface on multi-author WordPress sites.

Stored Cross-Site Scripting in the Cryptocurrency Prijsvergelijking Widget WordPress plugin (version 1.0) allows authenticated attackers holding contributor-level access to inject persistent JavaScript into any page where the plugin shortcode is placed, executing silently in the browsers of all subsequent visitors including administrators. The root cause is the as_get_coin_shortcode() function writing user-controlled 'width' and 'height' shortcode attributes directly into an iframe's HTML style attribute without calling esc_attr(), enabling style-context breakout via crafted attribute-termination payloads. No public exploit has been independently listed at time of analysis and EPSS stands at 0.03% (9th percentile), indicating low observed exploitation probability, though the CVSS Changed Scope designation means a single injected payload can compromise sessions of any user - including site administrators - who loads the affected page.

Stored Cross-Site Scripting in the My Email Shortcode WordPress plugin (versions up to and including 0.91) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'subject' attribute of the 'my-email' shortcode. The Changed scope in the CVSS vector (S:C) confirms that successful exploitation crosses security boundaries, affecting visiting users' browser sessions regardless of their own privilege level. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.03% at the 9th percentile indicates low observed exploitation probability at time of analysis.

Stored Cross-Site Scripting in the faq shortcode WordPress plugin (all versions up to and including 1.0) permits authenticated contributors to persist arbitrary JavaScript into site pages via the unsanitized 'color' attribute of the [faq] shortcode, with the payload executing in any visitor's browser upon page load. The vulnerability stems from missing input sanitization and output escaping in faq.php at line 65, and the changed scope (S:C in CVSS) confirms cross-user impact beyond the attacker's own session. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation activity.

Reflected cross-site scripting in the EventPress WordPress theme (all versions before 22.2) lets unauthenticated attackers inject arbitrary JavaScript by abusing the unsanitized 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler, which echoes the value back into the response without escaping. An attacker who lures a logged-in user (typically an administrator working in the Customizer/admin context) to a crafted link executes script in that user's session, enabling actions such as session/cookie theft or admin-context operations. EPSS exploitation probability is very low (0.05%, 17th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Stored Cross-Site Scripting in ShopLentor (WordPress plugin, versions ≤ 3.3.8) allows authenticated contributors to permanently embed malicious JavaScript into WordPress pages via the 'blockUniqId' attribute of Product Grid blocks. Any user who subsequently visits an injected page triggers script execution in their browser, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. EPSS is negligible at 0.03% (9th percentile), no CISA KEV listing exists, and no public exploit has been identified at time of analysis.

Stored Cross-Site Scripting in the Splide Carousel Block WordPress plugin (all versions ≤ 1.7.1) allows authenticated attackers with contributor-level access to inject persistent JavaScript via the 'url' block attribute, executing against any visitor of the affected page. The attack requires the malicious post to be published by an editor or administrator before the payload fires, adding a social-engineering or workflow-abuse dependency. With an EPSS of 0.03% (9th percentile) and no current CISA KEV listing, real-world exploitation risk is low but non-negligible on sites permitting untrusted contributors to submit content.

Stored cross-site scripting in ZTE ZXUniPOS NDS-LTE enables an authenticated high-privilege attacker to persist malicious JavaScript within the system, which executes automatically in the browsers of other users who access the affected pages. Affected versions include V24.30.40CP02 and V24.40.40 and their respective earlier releases, confirmed via ENISA EUVD-2026-32041 and ZTE's own security bulletin. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects a very low automated exploitation probability.

Cross-site scripting in QianFox FoxCMS versions 1.2.0 through 1.2.6 allows a high-privileged attacker to inject malicious JavaScript via the /Tag/edit endpoint in the Administrator Backend, executing in the context of another user's browser session upon interaction. A proof-of-concept exploit has been publicly disclosed via a GitHub issue report, though the vendor has not yet acknowledged or responded to the disclosure. The CVSS 4.0 score of 1.9 and EPSS of 0.03% (9th percentile) reflect the severe prerequisite constraints - administrator-level authentication and passive user interaction - which sharply limit real-world exploitability.

Stored Cross-Site Scripting in Style Kits for Elementor (analogwp-templates) WordPress plugin versions up to and including 2.5.0 allows authenticated attackers with contributor-level access to inject persistent JavaScript payloads via the kit title parameter at the /wp-json/agwp/v1/tokens/save REST API endpoint. The injected script executes in the browser of any user who subsequently visits an affected page, with a Changed scope (S:C) indicating cross-user impact that can reach administrators. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) signals low observed exploitation probability, though the contributor-level barrier is low on multi-author WordPress sites.