XSS
Monthly
Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.
Stored cross-site scripting (XSS) in the eleopard Behance Portfolio Manager WordPress plugin versions 1.7.5 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other users visiting affected pages. The vulnerability stems from improper input sanitization during portfolio content generation, enabling attackers with contributor-level access or higher to compromise site visitors. No public exploit code or active exploitation has been reported, though the vulnerability carries a low EPSS score (0.04%, percentile 13%) suggesting limited real-world exploitation likelihood at time of analysis.
Stored XSS vulnerability in ikaes Accessibility Press plugin (ilogic-accessibility) versions through 1.0.2 allows authenticated attackers to inject arbitrary JavaScript that executes in the browsers of other site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability stems from improper input sanitization during web page generation and carries a low exploitation probability (EPSS 0.04th percentile) with no confirmed active exploitation.
Stored cross-site scripting (XSS) in Dashboard Beacon WordPress plugin versions up to 1.2.0 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage and execution across user sessions. No public exploit code or active exploitation has been confirmed.
Reflected cross-site scripting (XSS) in the LIVE TV WordPress plugin version 1.2 and below allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exists due to improper neutralization of user input during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No active exploitation has been confirmed, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the XSS vector.
DOM-based cross-site scripting (XSS) in codetipi Valenti Engine through version 1.0.3 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the WordPress plugin and is classified as improper neutralization of input during web page generation. With an EPSS score of 0.01% and no CVSS severity data available, real-world exploitation risk appears minimal, though the attack vector and prerequisites require confirmation from patch analysis.
Stored cross-site scripting (XSS) vulnerability in Wayne Allen Postie WordPress plugin through version 1.9.73 allows authenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability stems from improper input neutralization during web page generation, enabling persistence of injected payloads in the application's data store. No public exploit code or active exploitation has been identified at time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation interest despite the vulnerability's presence in a plugin with unknown user base size.
DOM-based cross-site scripting (XSS) in WooCommerce Parcelas WordPress plugin versions up to 1.3.5 allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While EPSS scoring indicates low exploitation probability (0.01%), the DOM-based nature and lack of authentication barriers make this a persistent client-side threat in environments where the vulnerable plugin remains deployed.
Stored cross-site scripting (XSS) vulnerability in SaifuMak Add Custom Codes WordPress plugin versions 4.80 and earlier allows authenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site administrators and other users. The vulnerability stems from improper input sanitization when storing custom code, enabling attackers with plugin access to compromise site integrity and steal administrative credentials or sessions.
Stored cross-site scripting (XSS) in nicashmu Post Video Players WordPress plugin through version 1.163 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability exists in the video-playlist-and-gallery-plugin and affects all versions up to and including 1.163; no public exploit code has been identified, but the low EPSS score (0.01%) suggests limited real-world exploitation likelihood despite the vulnerability's persistent nature.
Stored cross-site scripting (XSS) in plainware Locatoraid Store Locator WordPress plugin versions up to 3.9.68 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the plugin's input handling during web page generation, enabling persistent XSS attacks. With an EPSS score of 0.01% and no active exploitation confirmed, this represents a low-probability but persistent risk requiring plugin updates.
Stored cross-site scripting (XSS) in Soli WP Post Signature plugin through version 0.4.1 allows authenticated users to inject malicious scripts into post signatures, which execute in the browsers of administrators and other site visitors viewing affected posts. The vulnerability requires user interaction or administrative access to inject the payload but poses a risk to site integrity and user data. EPSS exploitation probability is minimal at 0.01%, suggesting low real-world attack likelihood despite the vulnerability class.
Stored cross-site scripting (XSS) in Imran Emu Logo Slider WordPress plugin versions 1.8.1 and earlier allows attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects the Logo Slider, Logo Carousel, Logo Showcase, and Client Logo plugin variants. An attacker with sufficient privileges to inject content (such as a contributor or compromised admin account) can embed arbitrary JavaScript to steal session tokens, deface pages, or redirect users to malicious sites. EPSS score of 0.01% indicates low exploitation probability in the wild, though the stored nature of the XSS elevates the persistence risk once injected.
DOM-based cross-site scripting in the ViitorCloud Technologies Add Featured Image Custom Link WordPress plugin (versions up to 2.0.0) allows unauthenticated attackers to inject arbitrary JavaScript into web pages through improper input sanitization. The vulnerability affects the custom URL handling mechanism for featured images, enabling malicious actors to steal session cookies, perform account takeover, or redirect users to phishing sites. EPSS score of 0.01% indicates minimal real-world exploitation probability despite the XSS classification.
DOM-based cross-site scripting (XSS) in SEO Slider WordPress plugin through version 1.1.1 allows authenticated or unauthenticated attackers to inject malicious scripts into the DOM, potentially enabling session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 1.1.1 and has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the XSS attack vector. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) in WPFactory Maximum Products per User for WooCommerce plugin through version 4.4.3 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects WordPress installations using this WooCommerce extension, with an EPSS score of 0.04% indicating low real-world exploitation probability despite the XSS attack vector. No active exploitation has been confirmed.
Stored cross-site scripting (XSS) vulnerability in Bootstrap Modals WordPress plugin versions up to 1.3.2 allows authenticated attackers to inject and execute arbitrary JavaScript code that persists in the database and executes for all site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling attackers with plugin-relevant permissions to compromise user sessions and steal sensitive data from administrators and site visitors.
Stored cross-site scripting (XSS) vulnerability in Livemesh Addons for Beaver Builder WordPress plugin versions 3.9.2 and earlier allows attackers to inject malicious scripts into web pages that execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling authenticated or privileged users to store malicious payloads that persist in the plugin's content. With an EPSS score of 0.04% (14th percentile), real-world exploitation likelihood is minimal, though the stored nature of the XSS means injected content could affect multiple end users if compromised.
Stored cross-site scripting (XSS) in Chris Steman Page Title Splitter WordPress plugin versions through 2.5.9 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators and visitors. The vulnerability exists in page generation functionality where user input is not properly sanitized before being rendered in web pages. EPSS score of 0.04% indicates low exploitation probability at present, with no confirmed active exploitation or public proof-of-concept identified.
Stored cross-site scripting (XSS) in MyBookTable Bookstore WordPress plugin version 3.6.0 and earlier allows authenticated or unauthenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability exists in the web page generation process where user input is not properly neutralized before being stored and rendered. No public exploit code has been identified, and the EPSS score of 0.04% suggests low real-world exploitation probability despite the XSS classification.
Stored cross-site scripting (XSS) in Curator.io WordPress plugin through version 1.9.5 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise user sessions and steal sensitive data. While EPSS scoring indicates low exploitation probability (0.04%), the persistent nature of stored XSS and potential for privilege escalation warrant prompt patching.
Stored cross-site scripting (XSS) in Custom Background Changer WordPress plugin through version 3.0 allows authenticated attackers to inject malicious JavaScript that persists in the database and executes for all users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the vulnerability's technical severity.
Stored cross-site scripting (XSS) in the kcseopro AdWords Conversion Tracking Code WordPress plugin version 1.0 and earlier allows attackers to inject malicious scripts into web pages, which are then executed in the browsers of other users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that can compromise user sessions, steal credentials, or redirect visitors to malicious sites. EPSS score of 0.04% indicates low exploitation probability despite the stored XSS vector.
Stored cross-site scripting (XSS) in webvitaly Extra Shortcodes WordPress plugin through version 2.2 allows authenticated attackers to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling persistence of arbitrary JavaScript code within the plugin's shortcode processing. The low EPSS score (0.04%) and lack of public exploit code suggest limited practical exploitation likelihood, though the stored nature of the vulnerability means injected payloads affect all subsequent visitors until remediated.
Stored cross-site scripting (XSS) in the Audiomack WordPress plugin through version 1.4.8 allows authenticated attackers to inject malicious scripts into web pages, enabling session hijacking, credential theft, or defacement. No active exploitation detected (EPSS 0.04%, low percentile), but the vulnerability affects all installations of the vulnerable plugin versions and persists across page loads due to its stored nature.
Stored cross-site scripting in thinkupthemes Consulting WordPress theme versions through 1.5.0 enables authenticated users or malicious admins to inject persistent JavaScript payloads that execute in the browsers of other site visitors or administrators. The vulnerability allows arbitrary script execution within the context of the affected WordPress installation, potentially leading to account compromise, malware distribution, or session hijacking. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in thinkupthemes Minamaze WordPress theme versions up to 1.10.1 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability has an EPSS score of 0.01% (3rd percentile), indicating minimal likelihood of exploitation in practice, though it represents a privilege-escalation pathway for authenticated attackers with contributor-level access or higher.
DOM-based cross-site scripting (XSS) in WebMan Amplifier WordPress plugin through version 1.5.12 allows attackers to inject malicious scripts that execute in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks depending on the specific injection vector. With an EPSS score of 0.01% (3rd percentile) and no evidence of active exploitation, this represents a low real-world risk despite the XSS classification, though remediation is still recommended for all affected installations.
DOM-based cross-site scripting (XSS) in The Moneytizer WordPress plugin up to version 10.0.9 allows attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects WordPress sites running the vulnerable plugin versions and could enable session hijacking, credential theft, or malware distribution targeting site administrators and visitors. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.01% suggests minimal real-world exploitation probability.
DOM-based cross-site scripting (XSS) in Kalender.digital WordPress plugin through version 1.0.13 allows unauthenticated attackers to inject malicious scripts via improper input neutralization during web page generation. The vulnerability affects all versions up to and including 1.0.13, with an EPSS score of 0.01% indicating very low exploitation likelihood in practice despite the high-severity CWE-79 classification.
DOM-based cross-site scripting (XSS) in Bainternet User Specific Content WordPress plugin versions 1.0.6 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While no public exploit code or active exploitation has been confirmed, the extremely low EPSS score (0.01%) and lack of CVSS vector data suggest limited real-world exploitability or specificity to attack scenarios, despite the XSS classification.
DOM-based cross-site scripting (XSS) in Genetech Products Web and WooCommerce Addons for WPBakery Builder (vc-addons-by-bit14) plugin versions up to 1.5 allows unauthenticated attackers to inject malicious scripts that execute in the context of affected user sessions. The vulnerability stems from improper neutralization of user-supplied input during web page generation. EPSS scoring (0.01%, percentile 3%) indicates very low real-world exploitation probability despite the nature of the flaw, and no public exploit code or active exploitation has been confirmed.
DOM-based cross-site scripting (XSS) vulnerability in the Responsive Block Control WordPress plugin through version 1.3.0 allows attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction with a malicious link or form, but once triggered, the vulnerability enables session hijacking, credential theft, or defacement. The vulnerability has an exceptionally low EPSS score (0.01th percentile) suggesting minimal real-world exploitation likelihood despite public disclosure.
DOM-based cross-site scripting (XSS) vulnerability in Ruhul Amin Content Fetcher WordPress plugin versions 1.1 and earlier allows authenticated attackers to inject arbitrary JavaScript code into web pages, potentially compromising site integrity and user sessions. The vulnerability resides in improper input neutralization during web page generation, enabling malicious scripts to execute in the context of affected websites. EPSS exploitation probability is extremely low at 0.01% (3rd percentile), indicating minimal real-world attack likelihood despite the XSS vector.
Stored cross-site scripting (XSS) in Tomas WordPress Tooltips plugin versions 10.9.3 and earlier allows authenticated attackers to inject malicious scripts into tooltip content that execute in the browsers of site administrators and other users. The vulnerability affects WordPress Tooltips through version 10.9.3, and exploitation requires an authenticated user with permissions to create or modify tooltips. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in wpforchurch Sermon Manager WordPress plugin through version 2.30.0 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site administrators and other users. The vulnerability affects sermon content input validation, enabling attackers with contributor or editor privileges to compromise website integrity and steal sensitive data from higher-privileged users.
Stored cross-site scripting (XSS) vulnerability in BasePress Knowledge Base documentation & wiki plugin versions through 2.17.0.1 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users viewing affected content. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise user sessions, steal credentials, or deface documentation within WordPress installations using BasePress. With EPSS exploitation probability at 0.04% (14th percentile), real-world exploitation risk is currently low, though the stored nature of the XSS makes it a persistence risk if discovered by threat actors.
Stored cross-site scripting (XSS) in BuddyDev BuddyPress Activity Shortcode plugin through version 1.1.8 allows attackers to inject and persist malicious scripts that execute in users' browsers. The vulnerability affects WordPress sites using this plugin, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and active exploitation has not been confirmed.
Stored cross-site scripting (XSS) in the Justin Tadlock Series WordPress plugin up to version 2.0.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage within the plugin's data structures. With an EPSS score of 0.04% and low exploitation probability, this represents a lower-priority but still exploitable vulnerability in a plugin with active distribution.
DOM-based cross-site scripting (XSS) in Funnelforms Free WordPress plugin version 3.8 and earlier allows authenticated attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability has a low EPSS score (0.04%, 14th percentile) and no confirmed active exploitation, suggesting limited real-world attack probability despite the XSS classification.
Stored XSS vulnerability in MX Time Zone Clocks WordPress plugin versions up to 5.1.1 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during web page generation, enabling persistent cross-site scripting attacks that could compromise site visitors, steal session tokens, or deface content. EPSS score of 0.04% indicates low real-world exploitation probability, though the stored nature of the XSS makes it a medium-priority remediation target for affected WordPress administrators.
Stored cross-site scripting (XSS) in Shuttle WordPress theme through version 1.5.0 allows authenticated users to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the moderate attack surface typical of stored XSS flaws. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) vulnerability in the Melos WordPress theme through version 1.6.0 allows attackers to inject and execute arbitrary JavaScript code that persists in the application and executes in the browsers of other users. The vulnerability affects all versions up to and including 1.6.0, and while no CVSS vector or EPSS exploitation probability is formally assigned, the low EPSS score (0.04th percentile) suggests minimal real-world exploitation likelihood despite the stored nature of the flaw.
Stored XSS vulnerability in Zoho ZeptoMail transmail WordPress plugin through version 3.3.1 can be triggered via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of all users who access affected pages. The vulnerability affects the transmail plugin for Zoho Mail integration and carries low exploitation probability (EPSS 0.02%) despite the high-impact nature of stored XSS.
Cross-site request forgery (CSRF) vulnerability in the WordPress Custom Post Status plugin up to version 1.1.0 enables attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The CSRF protection bypass allows unauthenticated attackers to craft malicious requests that, when clicked by an admin, result in persistent JavaScript injection into the WordPress database. This is a chained vulnerability where CSRF-enabled request forgery leads to XSS payload storage.
Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4 exploitable via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that execute in the context of site administrators and visitors. The vulnerability combines a CSRF flaw with inadequate input sanitization, enabling persistent payload storage that affects all users viewing affected plugin output.
Cross-site request forgery (CSRF) in the Marcin Kijak Noindex by Path WordPress plugin through version 1.0 allows unauthenticated attackers to perform unauthorized administrative actions such as modifying plugin settings via crafted HTML or JavaScript on attacker-controlled sites. The vulnerability chaining with stored XSS enables attackers to inject malicious scripts that persist in the plugin's data, affecting all users who access the compromised settings. No public exploit code has been identified, and real-world exploitation risk is minimal (EPSS 0.02%), indicating this is primarily a theoretical risk in low-traffic or neglected WordPress installations.
WP-EasyArchives WordPress plugin versions 3.1.2 and earlier contains a cross-site request forgery (CSRF) vulnerability that enables stored cross-site scripting (XSS) attacks. An unauthenticated attacker can craft a malicious request to trick authenticated administrators into performing unintended actions, potentially injecting persistent JavaScript payloads that execute in the browsers of all site visitors. With an EPSS score of 0.02% (5th percentile), this vulnerability represents minimal real-world exploitation probability despite the attack chain complexity.
Cross-site request forgery (CSRF) vulnerability in reneade SensitiveTagCloud WordPress plugin through version 1.4.1 allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially combined with stored XSS to inject malicious content. The vulnerability affects all versions up to and including 1.4.1, with no CVSS vector provided, but EPSS data suggests low real-world exploitation probability (0.02% percentile).
Cross-site request forgery (CSRF) vulnerability in the Social Profilr WordPress plugin version 1.0 and earlier allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The vulnerability affects the social-profilr-display-social-network-profile plugin and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or confirmed active exploitation identified at the time of analysis.
Cross-Site Request Forgery (CSRF) in the Custom Style WordPress plugin up to version 1.0 enables attackers to perform unauthorized administrative actions, potentially leading to stored cross-site scripting (XSS) injection. The vulnerability affects all versions from initial release through 1.0, with no CVSS score published but an EPSS score of 0.02% indicating minimal observed exploitation probability. No active KEV status or public exploit code has been identified.
Stored XSS via CSRF in eleopard Behance Portfolio Manager WordPress plugin versions up to 1.7.5 allows authenticated attackers to inject malicious scripts through cross-site request forgery mechanisms, potentially compromising site administrators and visitors. The EPSS score of 0.02% indicates low exploitation probability, though the vulnerability type suggests a chainable attack vector when combined with social engineering. No CVSS score was assigned, limiting quantification of attack complexity and privilege requirements.
Cross-site request forgery (CSRF) vulnerability in Simple Archive Generator WordPress plugin through version 5.2 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored XSS injection. The vulnerability requires tricking an administrator into visiting a malicious page but carries low exploitation probability (EPSS 0.02%) despite being simple to execute, suggesting limited real-world weaponization.
WP-CalDav2ICS WordPress plugin through version 1.3.4 contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored XSS attacks. The vulnerability allows unauthenticated attackers to craft malicious requests that, when executed by a logged-in administrator or user, inject persistent malicious scripts into the plugin's stored data. This combined CSRF+XSS chain can lead to persistent compromise of the WordPress site through script injection.
DOM-based cross-site scripting (XSS) in WPCal.io WordPress plugin versions 0.9.5.9 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected websites. No CVSS score is available, but the EPSS score of 0.04% (14th percentile) indicates low practical exploitation likelihood despite the XSS vector being a common attack class.
Stored cross-site scripting (XSS) in Yada Wiki WordPress plugin through version 3.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that could compromise site integrity, steal credentials, or perform actions on behalf of administrators. EPSS exploitation probability is very low at 0.04%, but the stored nature of the vulnerability means injected payloads persist across sessions.
DOM-based cross-site scripting (XSS) in 8theme XStore Core plugin (et-core-plugin) versions below 5.6 allows attackers to inject malicious scripts that execute in users' browsers during web page generation. The vulnerability affects WordPress installations using the vulnerable plugin, and while no CVSS score was assigned, the extremely low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the XSS classification.
Stored cross-site scripting (XSS) in webcreations907 WBC907 Core WordPress plugin versions up to 3.4.1 allows attackers to inject and execute malicious JavaScript that persists in the application, potentially compromising users who view affected pages. The vulnerability stems from improper input neutralization during web page generation. No public exploit code or active exploitation has been identified at the time of analysis, though the attack vector and complexity depend on the specific injection point within the plugin.
Stored cross-site scripting (XSS) in CodeFlavors Featured Video for WordPress (VideographyWP) plugin version 1.0.18 and earlier allows authenticated attackers to inject malicious scripts that execute in the browsers of other site users, potentially compromising administrator accounts and site integrity. The vulnerability stems from improper input sanitization during web page generation, and no public exploit code has been identified at the time of analysis.
Stored Cross-Site Scripting (XSS) in Magnigenie RestroPress WordPress plugin through version 3.2.8.4 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or defacing content. The vulnerability requires user interaction (UI:R) and affects only authenticated attackers (PR:L), limiting immediate exploitation risk despite the moderate CVSS score of 6.5. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based cross-site scripting (XSS) in Crocoblock JetTabs WordPress plugin versions up to 2.2.12 allows attackers to inject malicious scripts that execute in users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling stored or reflected XSS attacks without requiring authentication. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is very low despite the publicly documented vulnerability.
Reflected cross-site scripting (XSS) in the Off Page SEO WordPress plugin through version 3.0.3 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code has been identified, and the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the moderate theoretical attack surface.
Reflected cross-site scripting (XSS) in the Product Puller WordPress plugin through version 1.5.1 allows unauthenticated attackers to inject malicious JavaScript into web pages viewed by other users. The vulnerability stems from improper input sanitization in the plugin's request handling, enabling attackers to craft malicious URLs that execute arbitrary scripts in victim browsers. No public exploit code has been identified, and the EPSS score of 0.04% indicates low exploitation probability in the wild, though the vulnerability remains remotely exploitable without authentication.
Reflected XSS in Sleekplan WordPress plugin through version 0.2.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability exists in the plugin's input handling during web page generation, enabling attackers to steal session cookies, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No active exploitation has been confirmed, but the attack vector is network-based with low complexity.
Reflected cross-site scripting (XSS) in the Rakessh Ads24 Lite WordPress plugin (wp-ad-management) up to version 1.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when visited, potentially compromising user sessions, stealing credentials, or defacing content. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the straightforward attack vector.
Stored cross-site scripting (XSS) in WordPress Custom Field Template plugin through version 2.7.7 allows authenticated users to inject malicious scripts that execute in the browsers of other users who view affected content, potentially compromising site security and user data. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the high-impact nature of stored XSS on WordPress sites.
DOM-based cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin through version 3.5.16 allows attackers to inject malicious scripts into the search interface that execute in users' browsers. The vulnerability affects the plugin's web page generation when processing search input, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users without requiring authentication themselves. No CVSS score was available at analysis time, but the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the XSS vector.
Stored cross-site scripting (XSS) in codeaffairs Wp Text Slider Widget plugin for WordPress versions 1.0 and earlier enables authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users. The vulnerability arises from improper input sanitization during widget configuration, allowing persistent code injection through the plugin's admin interface.
Reflected cross-site scripting (XSS) in the Content Grid Slider WordPress plugin through version 1.5 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing script payloads that execute in the victim's browser when the page is rendered, potentially enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.04% indicates minimal real-world exploitation likelihood despite the vulnerability's technical severity.
Reflected cross-site scripting (XSS) in Advanced Custom CSS WordPress plugin versions through 1.1.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, credentials, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation risk despite the straightforward attack vector.
Reflected cross-site scripting (XSS) in INVELITY Invelity SPS connect WordPress plugin through version 1.0.8 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation and carries an extremely low exploitation probability (EPSS 0.04th percentile), suggesting minimal real-world attack motivation despite the CVSS scoring absence.
Stored XSS in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. The vulnerability requires user interaction (viewing a page with the injected content) and affects the site's security context (SameSite:Changed per CVSS:3.1/S:C). EPSS score of 0.04% indicates low real-world exploitation probability despite CVE publication.
Stored cross-site scripting (XSS) in Live Composer page builder plugin for WordPress (versions through 2.1.11) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with contributor or editor access can store XSS payloads that persist in the database and execute when administrators or other site visitors interact with the affected content, potentially leading to session hijacking, credential theft, or malware distribution.
Stored cross-site scripting (XSS) in BlueGlass Interactive AG Jobs for WordPress plugin versions 2.8.1 and earlier allows authenticated users with low privileges to inject malicious scripts into job postings that execute in the browsers of other site visitors. The vulnerability requires user interaction (clicking a crafted link) and affects website visitors with cross-site request forgery capabilities, resulting in limited confidentiality and integrity impact but no availability impact. The issue has a low exploitation probability (EPSS 0.04%) despite publicly disclosed details.
Stored cross-site scripting (XSS) in WordPress plugin My auctions allegro (versions up to 3.6.35) allows authenticated users to inject malicious scripts that execute in other users' browsers when viewing auction content. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected WordPress installations, though with limited scope within the plugin context. No public exploit code or active exploitation has been identified; real-world risk is moderate given the requirement for authenticated access and user interaction.
Cross-site scripting (XSS) vulnerability in CodexThemes TheGem Theme Elements (for Elementor) plugin through version 5.10.5.1 allows improper neutralization of input during web page generation. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially compromising WordPress site visitors and administrators. No active exploitation has been confirmed at time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the vulnerability's presence in a widely-used Elementor theme plugin.
Stored cross-site scripting (XSS) in WebCodingPlace Responsive Posts Carousel Pro WordPress plugin versions 15.2 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise site integrity and steal sensitive user data. EPSS exploitation probability is notably low (0.04%, 14th percentile), suggesting limited real-world attack incentive despite the stored nature of the flaw.
Stored cross-site scripting (XSS) in Void Elementor WHMCS Elements for Elementor Page Builder through version 2.0.1.2 allows authenticated attackers to inject malicious scripts into web pages generated by the plugin, potentially compromising site visitors and administrators. The vulnerability stems from improper input sanitization in page generation functions. No public exploit code or active exploitation has been identified, but the low EPSS score (0.04%) reflects limited real-world attack probability despite the high-impact nature of XSS vulnerabilities.
Stored cross-site scripting (XSS) in HappyDevs TempTool WordPress plugin version 1.3.1 and earlier allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users who view affected pages. The vulnerability exists in the [Show Current Template Info] functionality and affects the current-template-name component; exploitation requires an authenticated user with appropriate plugin permissions but can compromise all site visitors who interact with the injected content.
Stored cross-site scripting (XSS) in WP Microdata WordPress plugin version 1.0 and earlier allows authenticated users or lower-privileged administrators to inject malicious scripts that execute in the browsers of site visitors, potentially leading to credential theft, session hijacking, or malware distribution. The vulnerability stems from improper input sanitization during web page generation. EPSS score of 0.04% indicates low exploitation probability in real-world conditions.
Stored XSS in SlimStat Analytics for WordPress allows unauthenticated attackers to inject malicious scripts via unsanitized 'outbound_resource' parameter in slimtrack AJAX action (versions ≤5.3.2). Injected scripts execute when any user accesses the compromised page, enabling session hijacking, credential theft, or privilege escalation. Affects all installations with publicly accessible AJAX endpoints. No public exploit identified at time of analysis.
DOM-based cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin versions up to 2.7.12 allows attackers to inject malicious scripts into web pages through improper input neutralization during page generation. The vulnerability affects WordPress sites using this Elementor page builder extension and can enable session hijacking, credential theft, or malware distribution against site visitors. EPSS exploitation probability is low at 0.04%, but the attack vector is likely network-based requiring no authentication.
Stored HTML injection in Nozomi Networks CMC and Guardian Asset List functionality allows unauthenticated remote attackers to inject malicious HTML tags into asset attributes via crafted network packets, enabling phishing and open redirect attacks when victims view affected assets. CVSS 5.3 (medium severity) with user interaction required; exploitation is bounded by existing Content Security Policy and input validation that prevent full XSS and direct information disclosure.
Stored cross-site scripting in Nozomi Networks CMC and Guardian allows authenticated users with report privileges to inject malicious JavaScript payloads into report definitions. When victims view or import these weaponized reports, the XSS executes in their browser context, enabling attackers to modify application data, disrupt availability, and access sensitive information. The vulnerability requires low-privilege authentication and user interaction (CVSS:4.0 score 7.1, PR:L/UI:P), with high integrity and availability impacts but limited confidentiality exposure. No public exploit identified at time of analysis, though the attack technique is well-understood and straightforward given the stored XSS nature.
Stored HTML injection in Nozomi Networks CMC and Guardian Time Machine Snapshot Diff feature allows unauthenticated attackers to inject HTML tags into asset attributes across snapshots via specially crafted network packets. When a victim uses the Snapshot Diff feature and performs specific GUI actions, the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is mitigated by input validation and Content Security Policy. This vulnerability has not been confirmed as actively exploited, requires high attack complexity (multiple preconditions), and results in low integrity impact with limited scope.
Stored cross-site scripting (XSS) in VK Google Job Posting Manager WordPress plugin versions up to 1.2.22 allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators. The vulnerability requires user interaction (clicking a link or viewing a malicious page) to trigger payload execution and affects the plugin's web page generation functionality. EPSS probability of exploitation is notably low at 0.04%, suggesting this is primarily a theoretical risk without documented active exploitation.
Stored cross-site scripting (XSS) in Premio Stars Testimonials WordPress plugin versions 3.3.4 and below allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators or visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate risk, but the stored nature means injected payloads persist and affect multiple users. No public exploit code or active KEV status is documented, though the 6.5 CVSS score reflects moderate severity when considering cross-site impact.
Reflected cross-site scripting (XSS) in WPS Visitor Counter WordPress plugin through version 1.4.8 allows remote attackers to inject malicious scripts via the REQUEST_URI parameter, which is output without sanitization in HTML attributes. The vulnerability has a CVSS score of 5.8 and requires user interaction (clicking a crafted link), with exploitation limited primarily to older web browsers due to modern XSS protections. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in WP Job Portal plugin for WordPress up to version 2.4.4 allows authenticated attackers with Editor-level access or higher to inject arbitrary JavaScript into job description fields by exploiting explicit whitelisting of the `<script>` tag in the WPJOBPORTAL_ALLOWED_TAGS configuration. The injected scripts execute when users view affected job listings, enabling session hijacking, credential theft, and other malicious activities. Impact is limited to multi-site installations or sites with unfiltered_html disabled. CVSS score of 4.4 reflects the high privilege requirement (PR:H) and high attack complexity (AC:H), though the vulnerability affects a potentially large number of WordPress installations.
Stored Cross-Site Scripting in Bold Timeline Lite WordPress plugin up to version 1.2.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'bold_timeline_group' shortcode, executing malicious scripts whenever users view affected pages. CVSS 6.4 reflects moderate impact (confidentiality and integrity compromise across trust boundaries); EPSS 0.04% indicates low real-world exploitation probability. No public exploit code or active exploitation confirmed.
Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.
Stored cross-site scripting (XSS) in the eleopard Behance Portfolio Manager WordPress plugin versions 1.7.5 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other users visiting affected pages. The vulnerability stems from improper input sanitization during portfolio content generation, enabling attackers with contributor-level access or higher to compromise site visitors. No public exploit code or active exploitation has been reported, though the vulnerability carries a low EPSS score (0.04%, percentile 13%) suggesting limited real-world exploitation likelihood at time of analysis.
Stored XSS vulnerability in ikaes Accessibility Press plugin (ilogic-accessibility) versions through 1.0.2 allows authenticated attackers to inject arbitrary JavaScript that executes in the browsers of other site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability stems from improper input sanitization during web page generation and carries a low exploitation probability (EPSS 0.04th percentile) with no confirmed active exploitation.
Stored cross-site scripting (XSS) in Dashboard Beacon WordPress plugin versions up to 1.2.0 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage and execution across user sessions. No public exploit code or active exploitation has been confirmed.
Reflected cross-site scripting (XSS) in the LIVE TV WordPress plugin version 1.2 and below allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exists due to improper neutralization of user input during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No active exploitation has been confirmed, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the XSS vector.
DOM-based cross-site scripting (XSS) in codetipi Valenti Engine through version 1.0.3 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the WordPress plugin and is classified as improper neutralization of input during web page generation. With an EPSS score of 0.01% and no CVSS severity data available, real-world exploitation risk appears minimal, though the attack vector and prerequisites require confirmation from patch analysis.
Stored cross-site scripting (XSS) vulnerability in Wayne Allen Postie WordPress plugin through version 1.9.73 allows authenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability stems from improper input neutralization during web page generation, enabling persistence of injected payloads in the application's data store. No public exploit code or active exploitation has been identified at time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation interest despite the vulnerability's presence in a plugin with unknown user base size.
DOM-based cross-site scripting (XSS) in WooCommerce Parcelas WordPress plugin versions up to 1.3.5 allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While EPSS scoring indicates low exploitation probability (0.01%), the DOM-based nature and lack of authentication barriers make this a persistent client-side threat in environments where the vulnerable plugin remains deployed.
Stored cross-site scripting (XSS) vulnerability in SaifuMak Add Custom Codes WordPress plugin versions 4.80 and earlier allows authenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site administrators and other users. The vulnerability stems from improper input sanitization when storing custom code, enabling attackers with plugin access to compromise site integrity and steal administrative credentials or sessions.
Stored cross-site scripting (XSS) in nicashmu Post Video Players WordPress plugin through version 1.163 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability exists in the video-playlist-and-gallery-plugin and affects all versions up to and including 1.163; no public exploit code has been identified, but the low EPSS score (0.01%) suggests limited real-world exploitation likelihood despite the vulnerability's persistent nature.
Stored cross-site scripting (XSS) in plainware Locatoraid Store Locator WordPress plugin versions up to 3.9.68 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the plugin's input handling during web page generation, enabling persistent XSS attacks. With an EPSS score of 0.01% and no active exploitation confirmed, this represents a low-probability but persistent risk requiring plugin updates.
Stored cross-site scripting (XSS) in Soli WP Post Signature plugin through version 0.4.1 allows authenticated users to inject malicious scripts into post signatures, which execute in the browsers of administrators and other site visitors viewing affected posts. The vulnerability requires user interaction or administrative access to inject the payload but poses a risk to site integrity and user data. EPSS exploitation probability is minimal at 0.01%, suggesting low real-world attack likelihood despite the vulnerability class.
Stored cross-site scripting (XSS) in Imran Emu Logo Slider WordPress plugin versions 1.8.1 and earlier allows attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects the Logo Slider, Logo Carousel, Logo Showcase, and Client Logo plugin variants. An attacker with sufficient privileges to inject content (such as a contributor or compromised admin account) can embed arbitrary JavaScript to steal session tokens, deface pages, or redirect users to malicious sites. EPSS score of 0.01% indicates low exploitation probability in the wild, though the stored nature of the XSS elevates the persistence risk once injected.
DOM-based cross-site scripting in the ViitorCloud Technologies Add Featured Image Custom Link WordPress plugin (versions up to 2.0.0) allows unauthenticated attackers to inject arbitrary JavaScript into web pages through improper input sanitization. The vulnerability affects the custom URL handling mechanism for featured images, enabling malicious actors to steal session cookies, perform account takeover, or redirect users to phishing sites. EPSS score of 0.01% indicates minimal real-world exploitation probability despite the XSS classification.
DOM-based cross-site scripting (XSS) in SEO Slider WordPress plugin through version 1.1.1 allows authenticated or unauthenticated attackers to inject malicious scripts into the DOM, potentially enabling session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 1.1.1 and has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the XSS attack vector. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) in WPFactory Maximum Products per User for WooCommerce plugin through version 4.4.3 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects WordPress installations using this WooCommerce extension, with an EPSS score of 0.04% indicating low real-world exploitation probability despite the XSS attack vector. No active exploitation has been confirmed.
Stored cross-site scripting (XSS) vulnerability in Bootstrap Modals WordPress plugin versions up to 1.3.2 allows authenticated attackers to inject and execute arbitrary JavaScript code that persists in the database and executes for all site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling attackers with plugin-relevant permissions to compromise user sessions and steal sensitive data from administrators and site visitors.
Stored cross-site scripting (XSS) vulnerability in Livemesh Addons for Beaver Builder WordPress plugin versions 3.9.2 and earlier allows attackers to inject malicious scripts into web pages that execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling authenticated or privileged users to store malicious payloads that persist in the plugin's content. With an EPSS score of 0.04% (14th percentile), real-world exploitation likelihood is minimal, though the stored nature of the XSS means injected content could affect multiple end users if compromised.
Stored cross-site scripting (XSS) in Chris Steman Page Title Splitter WordPress plugin versions through 2.5.9 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators and visitors. The vulnerability exists in page generation functionality where user input is not properly sanitized before being rendered in web pages. EPSS score of 0.04% indicates low exploitation probability at present, with no confirmed active exploitation or public proof-of-concept identified.
Stored cross-site scripting (XSS) in MyBookTable Bookstore WordPress plugin version 3.6.0 and earlier allows authenticated or unauthenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability exists in the web page generation process where user input is not properly neutralized before being stored and rendered. No public exploit code has been identified, and the EPSS score of 0.04% suggests low real-world exploitation probability despite the XSS classification.
Stored cross-site scripting (XSS) in Curator.io WordPress plugin through version 1.9.5 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise user sessions and steal sensitive data. While EPSS scoring indicates low exploitation probability (0.04%), the persistent nature of stored XSS and potential for privilege escalation warrant prompt patching.
Stored cross-site scripting (XSS) in Custom Background Changer WordPress plugin through version 3.0 allows authenticated attackers to inject malicious JavaScript that persists in the database and executes for all users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the vulnerability's technical severity.
Stored cross-site scripting (XSS) in the kcseopro AdWords Conversion Tracking Code WordPress plugin version 1.0 and earlier allows attackers to inject malicious scripts into web pages, which are then executed in the browsers of other users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that can compromise user sessions, steal credentials, or redirect visitors to malicious sites. EPSS score of 0.04% indicates low exploitation probability despite the stored XSS vector.
Stored cross-site scripting (XSS) in webvitaly Extra Shortcodes WordPress plugin through version 2.2 allows authenticated attackers to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling persistence of arbitrary JavaScript code within the plugin's shortcode processing. The low EPSS score (0.04%) and lack of public exploit code suggest limited practical exploitation likelihood, though the stored nature of the vulnerability means injected payloads affect all subsequent visitors until remediated.
Stored cross-site scripting (XSS) in the Audiomack WordPress plugin through version 1.4.8 allows authenticated attackers to inject malicious scripts into web pages, enabling session hijacking, credential theft, or defacement. No active exploitation detected (EPSS 0.04%, low percentile), but the vulnerability affects all installations of the vulnerable plugin versions and persists across page loads due to its stored nature.
Stored cross-site scripting in thinkupthemes Consulting WordPress theme versions through 1.5.0 enables authenticated users or malicious admins to inject persistent JavaScript payloads that execute in the browsers of other site visitors or administrators. The vulnerability allows arbitrary script execution within the context of the affected WordPress installation, potentially leading to account compromise, malware distribution, or session hijacking. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in thinkupthemes Minamaze WordPress theme versions up to 1.10.1 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability has an EPSS score of 0.01% (3rd percentile), indicating minimal likelihood of exploitation in practice, though it represents a privilege-escalation pathway for authenticated attackers with contributor-level access or higher.
DOM-based cross-site scripting (XSS) in WebMan Amplifier WordPress plugin through version 1.5.12 allows attackers to inject malicious scripts that execute in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks depending on the specific injection vector. With an EPSS score of 0.01% (3rd percentile) and no evidence of active exploitation, this represents a low real-world risk despite the XSS classification, though remediation is still recommended for all affected installations.
DOM-based cross-site scripting (XSS) in The Moneytizer WordPress plugin up to version 10.0.9 allows attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects WordPress sites running the vulnerable plugin versions and could enable session hijacking, credential theft, or malware distribution targeting site administrators and visitors. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.01% suggests minimal real-world exploitation probability.
DOM-based cross-site scripting (XSS) in Kalender.digital WordPress plugin through version 1.0.13 allows unauthenticated attackers to inject malicious scripts via improper input neutralization during web page generation. The vulnerability affects all versions up to and including 1.0.13, with an EPSS score of 0.01% indicating very low exploitation likelihood in practice despite the high-severity CWE-79 classification.
DOM-based cross-site scripting (XSS) in Bainternet User Specific Content WordPress plugin versions 1.0.6 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While no public exploit code or active exploitation has been confirmed, the extremely low EPSS score (0.01%) and lack of CVSS vector data suggest limited real-world exploitability or specificity to attack scenarios, despite the XSS classification.
DOM-based cross-site scripting (XSS) in Genetech Products Web and WooCommerce Addons for WPBakery Builder (vc-addons-by-bit14) plugin versions up to 1.5 allows unauthenticated attackers to inject malicious scripts that execute in the context of affected user sessions. The vulnerability stems from improper neutralization of user-supplied input during web page generation. EPSS scoring (0.01%, percentile 3%) indicates very low real-world exploitation probability despite the nature of the flaw, and no public exploit code or active exploitation has been confirmed.
DOM-based cross-site scripting (XSS) vulnerability in the Responsive Block Control WordPress plugin through version 1.3.0 allows attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction with a malicious link or form, but once triggered, the vulnerability enables session hijacking, credential theft, or defacement. The vulnerability has an exceptionally low EPSS score (0.01th percentile) suggesting minimal real-world exploitation likelihood despite public disclosure.
DOM-based cross-site scripting (XSS) vulnerability in Ruhul Amin Content Fetcher WordPress plugin versions 1.1 and earlier allows authenticated attackers to inject arbitrary JavaScript code into web pages, potentially compromising site integrity and user sessions. The vulnerability resides in improper input neutralization during web page generation, enabling malicious scripts to execute in the context of affected websites. EPSS exploitation probability is extremely low at 0.01% (3rd percentile), indicating minimal real-world attack likelihood despite the XSS vector.
Stored cross-site scripting (XSS) in Tomas WordPress Tooltips plugin versions 10.9.3 and earlier allows authenticated attackers to inject malicious scripts into tooltip content that execute in the browsers of site administrators and other users. The vulnerability affects WordPress Tooltips through version 10.9.3, and exploitation requires an authenticated user with permissions to create or modify tooltips. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in wpforchurch Sermon Manager WordPress plugin through version 2.30.0 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site administrators and other users. The vulnerability affects sermon content input validation, enabling attackers with contributor or editor privileges to compromise website integrity and steal sensitive data from higher-privileged users.
Stored cross-site scripting (XSS) vulnerability in BasePress Knowledge Base documentation & wiki plugin versions through 2.17.0.1 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users viewing affected content. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise user sessions, steal credentials, or deface documentation within WordPress installations using BasePress. With EPSS exploitation probability at 0.04% (14th percentile), real-world exploitation risk is currently low, though the stored nature of the XSS makes it a persistence risk if discovered by threat actors.
Stored cross-site scripting (XSS) in BuddyDev BuddyPress Activity Shortcode plugin through version 1.1.8 allows attackers to inject and persist malicious scripts that execute in users' browsers. The vulnerability affects WordPress sites using this plugin, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and active exploitation has not been confirmed.
Stored cross-site scripting (XSS) in the Justin Tadlock Series WordPress plugin up to version 2.0.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage within the plugin's data structures. With an EPSS score of 0.04% and low exploitation probability, this represents a lower-priority but still exploitable vulnerability in a plugin with active distribution.
DOM-based cross-site scripting (XSS) in Funnelforms Free WordPress plugin version 3.8 and earlier allows authenticated attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability has a low EPSS score (0.04%, 14th percentile) and no confirmed active exploitation, suggesting limited real-world attack probability despite the XSS classification.
Stored XSS vulnerability in MX Time Zone Clocks WordPress plugin versions up to 5.1.1 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during web page generation, enabling persistent cross-site scripting attacks that could compromise site visitors, steal session tokens, or deface content. EPSS score of 0.04% indicates low real-world exploitation probability, though the stored nature of the XSS makes it a medium-priority remediation target for affected WordPress administrators.
Stored cross-site scripting (XSS) in Shuttle WordPress theme through version 1.5.0 allows authenticated users to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the moderate attack surface typical of stored XSS flaws. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) vulnerability in the Melos WordPress theme through version 1.6.0 allows attackers to inject and execute arbitrary JavaScript code that persists in the application and executes in the browsers of other users. The vulnerability affects all versions up to and including 1.6.0, and while no CVSS vector or EPSS exploitation probability is formally assigned, the low EPSS score (0.04th percentile) suggests minimal real-world exploitation likelihood despite the stored nature of the flaw.
Stored XSS vulnerability in Zoho ZeptoMail transmail WordPress plugin through version 3.3.1 can be triggered via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of all users who access affected pages. The vulnerability affects the transmail plugin for Zoho Mail integration and carries low exploitation probability (EPSS 0.02%) despite the high-impact nature of stored XSS.
Cross-site request forgery (CSRF) vulnerability in the WordPress Custom Post Status plugin up to version 1.1.0 enables attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The CSRF protection bypass allows unauthenticated attackers to craft malicious requests that, when clicked by an admin, result in persistent JavaScript injection into the WordPress database. This is a chained vulnerability where CSRF-enabled request forgery leads to XSS payload storage.
Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4 exploitable via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that execute in the context of site administrators and visitors. The vulnerability combines a CSRF flaw with inadequate input sanitization, enabling persistent payload storage that affects all users viewing affected plugin output.
Cross-site request forgery (CSRF) in the Marcin Kijak Noindex by Path WordPress plugin through version 1.0 allows unauthenticated attackers to perform unauthorized administrative actions such as modifying plugin settings via crafted HTML or JavaScript on attacker-controlled sites. The vulnerability chaining with stored XSS enables attackers to inject malicious scripts that persist in the plugin's data, affecting all users who access the compromised settings. No public exploit code has been identified, and real-world exploitation risk is minimal (EPSS 0.02%), indicating this is primarily a theoretical risk in low-traffic or neglected WordPress installations.
WP-EasyArchives WordPress plugin versions 3.1.2 and earlier contains a cross-site request forgery (CSRF) vulnerability that enables stored cross-site scripting (XSS) attacks. An unauthenticated attacker can craft a malicious request to trick authenticated administrators into performing unintended actions, potentially injecting persistent JavaScript payloads that execute in the browsers of all site visitors. With an EPSS score of 0.02% (5th percentile), this vulnerability represents minimal real-world exploitation probability despite the attack chain complexity.
Cross-site request forgery (CSRF) vulnerability in reneade SensitiveTagCloud WordPress plugin through version 1.4.1 allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially combined with stored XSS to inject malicious content. The vulnerability affects all versions up to and including 1.4.1, with no CVSS vector provided, but EPSS data suggests low real-world exploitation probability (0.02% percentile).
Cross-site request forgery (CSRF) vulnerability in the Social Profilr WordPress plugin version 1.0 and earlier allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The vulnerability affects the social-profilr-display-social-network-profile plugin and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or confirmed active exploitation identified at the time of analysis.
Cross-Site Request Forgery (CSRF) in the Custom Style WordPress plugin up to version 1.0 enables attackers to perform unauthorized administrative actions, potentially leading to stored cross-site scripting (XSS) injection. The vulnerability affects all versions from initial release through 1.0, with no CVSS score published but an EPSS score of 0.02% indicating minimal observed exploitation probability. No active KEV status or public exploit code has been identified.
Stored XSS via CSRF in eleopard Behance Portfolio Manager WordPress plugin versions up to 1.7.5 allows authenticated attackers to inject malicious scripts through cross-site request forgery mechanisms, potentially compromising site administrators and visitors. The EPSS score of 0.02% indicates low exploitation probability, though the vulnerability type suggests a chainable attack vector when combined with social engineering. No CVSS score was assigned, limiting quantification of attack complexity and privilege requirements.
Cross-site request forgery (CSRF) vulnerability in Simple Archive Generator WordPress plugin through version 5.2 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored XSS injection. The vulnerability requires tricking an administrator into visiting a malicious page but carries low exploitation probability (EPSS 0.02%) despite being simple to execute, suggesting limited real-world weaponization.
WP-CalDav2ICS WordPress plugin through version 1.3.4 contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored XSS attacks. The vulnerability allows unauthenticated attackers to craft malicious requests that, when executed by a logged-in administrator or user, inject persistent malicious scripts into the plugin's stored data. This combined CSRF+XSS chain can lead to persistent compromise of the WordPress site through script injection.
DOM-based cross-site scripting (XSS) in WPCal.io WordPress plugin versions 0.9.5.9 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected websites. No CVSS score is available, but the EPSS score of 0.04% (14th percentile) indicates low practical exploitation likelihood despite the XSS vector being a common attack class.
Stored cross-site scripting (XSS) in Yada Wiki WordPress plugin through version 3.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that could compromise site integrity, steal credentials, or perform actions on behalf of administrators. EPSS exploitation probability is very low at 0.04%, but the stored nature of the vulnerability means injected payloads persist across sessions.
DOM-based cross-site scripting (XSS) in 8theme XStore Core plugin (et-core-plugin) versions below 5.6 allows attackers to inject malicious scripts that execute in users' browsers during web page generation. The vulnerability affects WordPress installations using the vulnerable plugin, and while no CVSS score was assigned, the extremely low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the XSS classification.
Stored cross-site scripting (XSS) in webcreations907 WBC907 Core WordPress plugin versions up to 3.4.1 allows attackers to inject and execute malicious JavaScript that persists in the application, potentially compromising users who view affected pages. The vulnerability stems from improper input neutralization during web page generation. No public exploit code or active exploitation has been identified at the time of analysis, though the attack vector and complexity depend on the specific injection point within the plugin.
Stored cross-site scripting (XSS) in CodeFlavors Featured Video for WordPress (VideographyWP) plugin version 1.0.18 and earlier allows authenticated attackers to inject malicious scripts that execute in the browsers of other site users, potentially compromising administrator accounts and site integrity. The vulnerability stems from improper input sanitization during web page generation, and no public exploit code has been identified at the time of analysis.
Stored Cross-Site Scripting (XSS) in Magnigenie RestroPress WordPress plugin through version 3.2.8.4 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or defacing content. The vulnerability requires user interaction (UI:R) and affects only authenticated attackers (PR:L), limiting immediate exploitation risk despite the moderate CVSS score of 6.5. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based cross-site scripting (XSS) in Crocoblock JetTabs WordPress plugin versions up to 2.2.12 allows attackers to inject malicious scripts that execute in users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling stored or reflected XSS attacks without requiring authentication. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is very low despite the publicly documented vulnerability.
Reflected cross-site scripting (XSS) in the Off Page SEO WordPress plugin through version 3.0.3 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code has been identified, and the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the moderate theoretical attack surface.
Reflected cross-site scripting (XSS) in the Product Puller WordPress plugin through version 1.5.1 allows unauthenticated attackers to inject malicious JavaScript into web pages viewed by other users. The vulnerability stems from improper input sanitization in the plugin's request handling, enabling attackers to craft malicious URLs that execute arbitrary scripts in victim browsers. No public exploit code has been identified, and the EPSS score of 0.04% indicates low exploitation probability in the wild, though the vulnerability remains remotely exploitable without authentication.
Reflected XSS in Sleekplan WordPress plugin through version 0.2.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability exists in the plugin's input handling during web page generation, enabling attackers to steal session cookies, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No active exploitation has been confirmed, but the attack vector is network-based with low complexity.
Reflected cross-site scripting (XSS) in the Rakessh Ads24 Lite WordPress plugin (wp-ad-management) up to version 1.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when visited, potentially compromising user sessions, stealing credentials, or defacing content. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the straightforward attack vector.
Stored cross-site scripting (XSS) in WordPress Custom Field Template plugin through version 2.7.7 allows authenticated users to inject malicious scripts that execute in the browsers of other users who view affected content, potentially compromising site security and user data. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the high-impact nature of stored XSS on WordPress sites.
DOM-based cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin through version 3.5.16 allows attackers to inject malicious scripts into the search interface that execute in users' browsers. The vulnerability affects the plugin's web page generation when processing search input, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users without requiring authentication themselves. No CVSS score was available at analysis time, but the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the XSS vector.
Stored cross-site scripting (XSS) in codeaffairs Wp Text Slider Widget plugin for WordPress versions 1.0 and earlier enables authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users. The vulnerability arises from improper input sanitization during widget configuration, allowing persistent code injection through the plugin's admin interface.
Reflected cross-site scripting (XSS) in the Content Grid Slider WordPress plugin through version 1.5 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing script payloads that execute in the victim's browser when the page is rendered, potentially enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.04% indicates minimal real-world exploitation likelihood despite the vulnerability's technical severity.
Reflected cross-site scripting (XSS) in Advanced Custom CSS WordPress plugin versions through 1.1.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, credentials, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation risk despite the straightforward attack vector.
Reflected cross-site scripting (XSS) in INVELITY Invelity SPS connect WordPress plugin through version 1.0.8 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation and carries an extremely low exploitation probability (EPSS 0.04th percentile), suggesting minimal real-world attack motivation despite the CVSS scoring absence.
Stored XSS in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. The vulnerability requires user interaction (viewing a page with the injected content) and affects the site's security context (SameSite:Changed per CVSS:3.1/S:C). EPSS score of 0.04% indicates low real-world exploitation probability despite CVE publication.
Stored cross-site scripting (XSS) in Live Composer page builder plugin for WordPress (versions through 2.1.11) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with contributor or editor access can store XSS payloads that persist in the database and execute when administrators or other site visitors interact with the affected content, potentially leading to session hijacking, credential theft, or malware distribution.
Stored cross-site scripting (XSS) in BlueGlass Interactive AG Jobs for WordPress plugin versions 2.8.1 and earlier allows authenticated users with low privileges to inject malicious scripts into job postings that execute in the browsers of other site visitors. The vulnerability requires user interaction (clicking a crafted link) and affects website visitors with cross-site request forgery capabilities, resulting in limited confidentiality and integrity impact but no availability impact. The issue has a low exploitation probability (EPSS 0.04%) despite publicly disclosed details.
Stored cross-site scripting (XSS) in WordPress plugin My auctions allegro (versions up to 3.6.35) allows authenticated users to inject malicious scripts that execute in other users' browsers when viewing auction content. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected WordPress installations, though with limited scope within the plugin context. No public exploit code or active exploitation has been identified; real-world risk is moderate given the requirement for authenticated access and user interaction.
Cross-site scripting (XSS) vulnerability in CodexThemes TheGem Theme Elements (for Elementor) plugin through version 5.10.5.1 allows improper neutralization of input during web page generation. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially compromising WordPress site visitors and administrators. No active exploitation has been confirmed at time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the vulnerability's presence in a widely-used Elementor theme plugin.
Stored cross-site scripting (XSS) in WebCodingPlace Responsive Posts Carousel Pro WordPress plugin versions 15.2 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise site integrity and steal sensitive user data. EPSS exploitation probability is notably low (0.04%, 14th percentile), suggesting limited real-world attack incentive despite the stored nature of the flaw.
Stored cross-site scripting (XSS) in Void Elementor WHMCS Elements for Elementor Page Builder through version 2.0.1.2 allows authenticated attackers to inject malicious scripts into web pages generated by the plugin, potentially compromising site visitors and administrators. The vulnerability stems from improper input sanitization in page generation functions. No public exploit code or active exploitation has been identified, but the low EPSS score (0.04%) reflects limited real-world attack probability despite the high-impact nature of XSS vulnerabilities.
Stored cross-site scripting (XSS) in HappyDevs TempTool WordPress plugin version 1.3.1 and earlier allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users who view affected pages. The vulnerability exists in the [Show Current Template Info] functionality and affects the current-template-name component; exploitation requires an authenticated user with appropriate plugin permissions but can compromise all site visitors who interact with the injected content.
Stored cross-site scripting (XSS) in WP Microdata WordPress plugin version 1.0 and earlier allows authenticated users or lower-privileged administrators to inject malicious scripts that execute in the browsers of site visitors, potentially leading to credential theft, session hijacking, or malware distribution. The vulnerability stems from improper input sanitization during web page generation. EPSS score of 0.04% indicates low exploitation probability in real-world conditions.
Stored XSS in SlimStat Analytics for WordPress allows unauthenticated attackers to inject malicious scripts via unsanitized 'outbound_resource' parameter in slimtrack AJAX action (versions ≤5.3.2). Injected scripts execute when any user accesses the compromised page, enabling session hijacking, credential theft, or privilege escalation. Affects all installations with publicly accessible AJAX endpoints. No public exploit identified at time of analysis.
DOM-based cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin versions up to 2.7.12 allows attackers to inject malicious scripts into web pages through improper input neutralization during page generation. The vulnerability affects WordPress sites using this Elementor page builder extension and can enable session hijacking, credential theft, or malware distribution against site visitors. EPSS exploitation probability is low at 0.04%, but the attack vector is likely network-based requiring no authentication.
Stored HTML injection in Nozomi Networks CMC and Guardian Asset List functionality allows unauthenticated remote attackers to inject malicious HTML tags into asset attributes via crafted network packets, enabling phishing and open redirect attacks when victims view affected assets. CVSS 5.3 (medium severity) with user interaction required; exploitation is bounded by existing Content Security Policy and input validation that prevent full XSS and direct information disclosure.
Stored cross-site scripting in Nozomi Networks CMC and Guardian allows authenticated users with report privileges to inject malicious JavaScript payloads into report definitions. When victims view or import these weaponized reports, the XSS executes in their browser context, enabling attackers to modify application data, disrupt availability, and access sensitive information. The vulnerability requires low-privilege authentication and user interaction (CVSS:4.0 score 7.1, PR:L/UI:P), with high integrity and availability impacts but limited confidentiality exposure. No public exploit identified at time of analysis, though the attack technique is well-understood and straightforward given the stored XSS nature.
Stored HTML injection in Nozomi Networks CMC and Guardian Time Machine Snapshot Diff feature allows unauthenticated attackers to inject HTML tags into asset attributes across snapshots via specially crafted network packets. When a victim uses the Snapshot Diff feature and performs specific GUI actions, the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is mitigated by input validation and Content Security Policy. This vulnerability has not been confirmed as actively exploited, requires high attack complexity (multiple preconditions), and results in low integrity impact with limited scope.
Stored cross-site scripting (XSS) in VK Google Job Posting Manager WordPress plugin versions up to 1.2.22 allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators. The vulnerability requires user interaction (clicking a link or viewing a malicious page) to trigger payload execution and affects the plugin's web page generation functionality. EPSS probability of exploitation is notably low at 0.04%, suggesting this is primarily a theoretical risk without documented active exploitation.
Stored cross-site scripting (XSS) in Premio Stars Testimonials WordPress plugin versions 3.3.4 and below allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators or visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate risk, but the stored nature means injected payloads persist and affect multiple users. No public exploit code or active KEV status is documented, though the 6.5 CVSS score reflects moderate severity when considering cross-site impact.
Reflected cross-site scripting (XSS) in WPS Visitor Counter WordPress plugin through version 1.4.8 allows remote attackers to inject malicious scripts via the REQUEST_URI parameter, which is output without sanitization in HTML attributes. The vulnerability has a CVSS score of 5.8 and requires user interaction (clicking a crafted link), with exploitation limited primarily to older web browsers due to modern XSS protections. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in WP Job Portal plugin for WordPress up to version 2.4.4 allows authenticated attackers with Editor-level access or higher to inject arbitrary JavaScript into job description fields by exploiting explicit whitelisting of the `<script>` tag in the WPJOBPORTAL_ALLOWED_TAGS configuration. The injected scripts execute when users view affected job listings, enabling session hijacking, credential theft, and other malicious activities. Impact is limited to multi-site installations or sites with unfiltered_html disabled. CVSS score of 4.4 reflects the high privilege requirement (PR:H) and high attack complexity (AC:H), though the vulnerability affects a potentially large number of WordPress installations.
Stored Cross-Site Scripting in Bold Timeline Lite WordPress plugin up to version 1.2.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'bold_timeline_group' shortcode, executing malicious scripts whenever users view affected pages. CVSS 6.4 reflects moderate impact (confidentiality and integrity compromise across trust boundaries); EPSS 0.04% indicates low real-world exploitation probability. No public exploit code or active exploitation confirmed.