Skip to main content

XSS

38813 CVEs technique

Monthly

CVE-2026-57754 MEDIUM This Month

Stored Cross-Site Scripting in Livemesh Addons for WPBakery Page Builder versions 3.9.4 and earlier allows authenticated Contributors to inject persistent malicious scripts into WordPress pages. When a higher-privileged user such as an Editor or Administrator views the affected content, the injected script executes in their browser session - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin panel. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-privilege entry point and Changed scope elevate real-world risk for multi-author WordPress installations.

XSS Livemesh Addons For Wpbakery Page Builder
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57686 HIGH This Week

Reflected cross-site scripting in the WowAddons (Product Addons) WordPress plugin through version 1.6.14 lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is needed but the victim must be lured into interacting with a crafted request/link, and the scope-change flag reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS was not provided.

XSS Wowaddons
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57684 MEDIUM This Month

TheFox WordPress theme by tranmautritam in versions 3.9.70 and earlier allows a Contributor-level authenticated attacker to inject persistent Cross-Site Scripting payloads into theme-specific input fields, which then execute in the browsers of any user who views the affected content. The Changed Scope (S:C) in the CVSS vector confirms the payload crosses security boundaries into the victim browser context, enabling session token theft, credential harvesting, or unauthorized administrative actions against higher-privileged users such as editors or site admins. No public proof-of-concept and no CISA KEV listing have been identified at time of analysis; the vulnerability was reported and documented by Patchstack.

XSS Thefox
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57682 HIGH This Week

Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS Simple Link Directory
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57675 HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the WP Photo Album Plus WordPress plugin (versions <= 9.2.02.004) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser session when they interact with a crafted link or request. The CVSS 3.1 vector (PR:N, UI:R, S:C) indicates no authentication is required but the victim must be lured into triggering the payload, and the scope change reflects script execution crossing into the WordPress user's authenticated context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

XSS Wp Photo Album Plus
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57674 HIGH This Week

Cross-Site Scripting in the Timetics WordPress appointment-booking plugin (by Arraytics) affects all versions up to and including 1.0.58, allowing unauthenticated remote attackers to inject script that executes in a victim's browser after the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), a successful injection can affect resources beyond the vulnerable component, such as the browser session of a logged-in administrator. There is no public exploit identified at time of analysis, the CVE is not listed in CISA KEV, and no EPSS score was provided.

XSS Timetics
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57673 HIGH This Week

Stored/reflected Cross-Site Scripting in the Optimole WordPress image-optimization plugin (versions 4.2.7 and earlier) lets remote unauthenticated attackers inject arbitrary JavaScript that executes in the browser of any user who views the affected content. Reported by Patchstack and classified CWE-79 with a CVSS 3.1 score of 7.1, the flaw carries a scope-changing impact (S:C) but requires victim interaction (UI:R). At the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV; no EPSS value was supplied.

XSS Optimole
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57672 HIGH This Week

Reflected/stored cross-site scripting in the wpDataTables WordPress plugin (versions 6.5.1.1 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view a crafted page or follow a malicious link. The scope-change (S:C) rating in the CVSS vector indicates the injected script can affect resources beyond the vulnerable component - for example the wider WordPress site context - enabling session/cookie theft or admin-panel actions. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed through Patchstack's vulnerability database.

XSS Wpdatatables
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57671 HIGH This Week

Cross-site scripting in the Perfmatters WordPress performance plugin (versions 2.6.4 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable, no-authentication exploitation gated by user interaction, with a scope change into the victim's browser context. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.

XSS Perfmatters
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57670 HIGH This Week

Stored/reflected Cross-Site Scripting in the Google Maps CP WordPress plugin (versions 1.2.5 and earlier, vendor CodePeople) lets an unauthenticated attacker inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change, reflecting impact beyond the vulnerable component into the wider WordPress session. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Google Google Maps Cp
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57625 CRITICAL Act Now

Stored/reflected cross-site scripting in the Admin and Site Enhancements (ASE) Pro WordPress plugin (versions 8.8.5 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser once they view the affected page or follow a crafted link. Because the flaw requires no authentication and carries a scope-changing CVSS 3.1 score of 9.6, a single successful lure can lead to admin session hijacking and full site takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Admin And Site Enhancements Ase Pro
NVD
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-57426 HIGH This Week

Cross-site scripting in the Modula PRO WordPress gallery plugin (versions through 2.10.8) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view or interact with attacker-influenced content. Reported by Patchstack and rated CVSS 7.1 with a scope change, the flaw requires user interaction but no authentication; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Modula Pro
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57366 HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the WPAdverts WordPress classifieds plugin (versions 2.3.1 and earlier) lets a remote, unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link or view attacker-controlled input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity network attack needing only user interaction, with a scope change into the browser security context. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Wpadverts
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57362 HIGH This Week

Reflected cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions 8.3.2 and earlier) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 score is 7.1 with a scope change (S:C), reflecting that injected script runs in the security context of the WordPress site rather than the vulnerable component alone. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Chatbot
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57361 HIGH This Week

Stored/reflected cross-site scripting in the Survey Maker WordPress plugin (versions 5.2.2.5 and earlier by AYS Pro) lets unauthenticated remote attackers inject JavaScript that executes in a victim's browser after they interact with a crafted page or survey. The CVSS scope-change flag (S:C) indicates the injected script escapes the plugin's context to affect the wider WordPress site, potentially reaching authenticated admin sessions. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.

XSS Survey Maker
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57360 HIGH This Week

Cross-site scripting in the implecode eCommerce Product Catalog WordPress plugin (all versions through 3.5.4) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser session, with no login required (PR:N) but a user interaction step to trigger the payload (UI:R). Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can hijack administrator or shopper sessions on affected online stores. There is no public exploit identified at time of analysis and no CISA KEV listing, so this is a plausible-impact issue rather than a confirmed active-exploitation event.

XSS Ecommerce Product Catalog
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57359 HIGH This Week

Reflected/stored Cross-Site Scripting in the ReviewX WordPress plugin (versions 2.3.10 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or page. The scope-changed CVSS 3.1 score of 7.1 (PR:N/UI:R) reflects that no authentication is required but a victim must be lured into triggering the payload. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-actively-exploited plugin flaw reported by Patchstack.

XSS Reviewx
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57358 HIGH This Week

Reflected Cross-Site Scripting in the Customize My Account for WooCommerce WordPress plugin (versions 4.3.9 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The flaw carries a CVSS 7.1 rating driven by a scope change (S:C), meaning script execution crosses the plugin's security boundary into the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Customize My Account For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57357 HIGH This Week

Reflected cross-site scripting in the Search Atlas SEO WordPress plugin (versions 2.6.6 and earlier, distributed under the 'metasync' slug) lets an unauthenticated attacker inject script that executes in a victim's browser session when they follow a crafted link. Rated CVSS 7.1 with an elevated score due to a scope change, the flaw affects any WordPress site running the vulnerable plugin and can lead to session hijacking, admin action forgery, or redirection. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Search Atlas Seo
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57356 HIGH This Week

Reflected/stored cross-site scripting in the MC WooCommerce Wishlist WordPress plugin (also distributed as 'Smart Wishlist for MoreConvert') affects all versions up to and including 1.9.19, letting remote unauthenticated attackers inject malicious script that executes in a victim's browser after the victim interacts with a crafted link or request. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs in the WordPress site's origin, enabling session/cookie theft or actions against other users. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

WordPress XSS Mc Woocommerce Wishlist
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57354 MEDIUM This Month

Stored Cross-Site Scripting in JetReviews plugin for WordPress (versions <= 3.0.0.1) allows subscriber-level authenticated users to inject malicious scripts into review fields that execute in victims' browsers when the content is viewed. The vulnerability carries a changed scope (S:C), meaning the injected payload breaks out of the plugin's context and can target higher-privileged users such as site administrators. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low attack complexity and the prevalence of WordPress in production environments make this a credible escalation path to full site compromise.

XSS Jetreviews
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57351 HIGH This Week

Stored/reflected cross-site scripting in the HandL UTM Grabber WordPress plugin (versions 2.9.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, per PR:N/UI:R in the CVSS vector. The scope-change flag (S:C) indicates injected script can affect resources beyond the vulnerable component, such as authenticated admin sessions. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Handl Utm Grabber
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57350 HIGH This Week

Reflected cross-site scripting in the WP Debugging WordPress plugin (versions 2.12.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they interact with a crafted link or request. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the flaw carries a scope-change impact meaning injected script can affect the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Wp Debugging
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57349 HIGH This Week

Stored/reflected Cross-Site Scripting in the WPeMatico RSS Feed Fetcher WordPress plugin (versions 2.8.17 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in the browser of a victim who interacts with crafted content. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation with a scope change, meaning injected script can affect the wider WordPress context beyond the vulnerable component. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Wpematico Rss Feed Fetcher
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57345 HIGH This Week

Cross-Site Scripting in the Internal Links Manager WordPress plugin (versions 3.0.3 and earlier, by webraketen) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script escapes the vulnerable component's boundary and can act against other WordPress users, including administrators. There is no public exploit identified and it is not on CISA KEV, though Patchstack has publicly documented the flaw.

XSS Internal Links Manager
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57344 HIGH This Week

Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remote, unauthenticated attacker inject malicious script that executes in a victim's browser when they interact with a crafted link or page. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope change (S:C) meaning the injected script can act beyond the vulnerable component into the wider browsing context. There is no public exploit identified at time of analysis and no active exploitation reported.

XSS Classified Listing
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57343 HIGH This Week

Reflected/stored Cross-Site Scripting in the Real Estate 7 WordPress theme (contempoinc) versions 3.5.9 and earlier lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The scope-changing flaw (CVSS 3.1 7.1) can hijack sessions or perform actions in the victim's authenticated context, including administrators. Reported by Patchstack; no public exploit code has been identified and it is not on the CISA KEV list.

XSS Real Estate 7
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57342 MEDIUM This Month

Stored Cross-Site Scripting in ShortPixel Adaptive Images WordPress plugin (versions <= 3.11.3) enables authenticated subscriber-role users to inject malicious scripts that execute in the browsers of higher-privileged users, including administrators. The CVSS changed-scope indicator (S:C) signals that injected payloads can transcend the attacker's own session context - a meaningful risk in WordPress environments where admin account takeover is feasible via session hijacking. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

XSS Shortpixel Adaptive Images
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-27430 HIGH This Week

Reflected cross-site scripting in the TheFox WordPress theme (versions 3.9.76 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported through Patchstack and scoped to the ThemeForest 'tranmautritam:thefox' theme, the flaw carries a CVSS 3.1 base score of 7.1 driven largely by a changed scope. There is no public exploit identified at time of analysis and no CISA KEV listing, so risk hinges on tricking a user into clicking a malicious URL.

XSS Thefox
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-27426 HIGH This Week

Reflected cross-site scripting in the Automotive Car Dealership Business WordPress theme (versions 13.3.3 and earlier by ThemeSuite) lets unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) confirms network-based, unauthenticated exploitation that requires user interaction and crosses a security scope boundary. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV.

XSS Automotive Car Dealership Business
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-27425 HIGH This Week

Reflected Cross-Site Scripting in the Automotive Listings WordPress plugin (versions 18.6 and earlier) lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack and classified CWE-79 with a CVSS 3.1 score of 7.1 (scope-changed, low impact across confidentiality, integrity, and availability), the flaw requires user interaction but no authentication. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Automotive Listings
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-27408 HIGH This Week

Reflected cross-site scripting in the NativeChurch WordPress theme (versions 4.8.8.2 and earlier, by imithemes) allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 vector (7.1) reflects a scope change with limited confidentiality, integrity, and availability impact, and requires victim interaction. No public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed through Patchstack's WordPress vulnerability database.

XSS Nativechurch
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-27404 HIGH This Week

Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link. Reported by Patchstack, the flaw carries CVSS 7.1 with a scope change, reflecting cross-context impact; no public exploit is identified at time of analysis and it is not listed in CISA KEV.

XSS Lms
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-27402 HIGH This Week

Reflected/stored cross-site scripting in the DesignThemes 'Kids Life | Children School' WordPress theme (versions 5.2 and earlier) allows unauthenticated remote attackers to inject arbitrary web script that executes in a victim's browser when they interact with a crafted link or input. The CVSS vector (PR:N, UI:R, Scope Changed) indicates no authentication is needed but the victim must be lured into interaction, and the injected script can cross into other security contexts. No public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.

WordPress XSS Kids Life Children School Wordpress
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69156 HIGH This Week

Reflected cross-site scripting in the Kids Zone - Children WordPress Theme (versions 5.4 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session when the victim opens a crafted link or page. The CVSS 3.1 base score is 7.1, elevated by a scope change (S:C) reflecting that injected script escapes the vulnerable theme context into the visitor's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS value was supplied with the input.

WordPress XSS Kids Zone Children Wordpress Theme
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69155 HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the Fitness Zone WordPress theme (versions 5.7 and earlier) by designthemes allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or request. The scope-change (S:C) rating indicates the injected script can affect resources beyond the vulnerable component, such as hijacking authenticated admin sessions. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by Patchstack.

WordPress XSS Fitness Zone Wordpress Theme
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69154 HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the designthemes SpaLab | Beauty Salon WordPress theme (all versions up to and including 6.7) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 score of 7.1 reflects a scope-changing (S:C) client-side impact requiring no authentication (PR:N) but user interaction (UI:R). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied in the input.

WordPress XSS Spalab Beauty Salon Wordpress Theme
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69153 HIGH This Week

Reflected cross-site scripting in the Trendy Travel WordPress theme (versions 6.7 and earlier) by designthemes lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Rated CVSS 7.1 with a scope change (S:C), reflecting that injected script can act across the WordPress security boundary. No public exploit identified at time of analysis, and no EPSS score was supplied.

XSS Trendy Travel
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69152 HIGH This Week

Reflected/stored Cross-Site Scripting in the Artale Wedding Photography WordPress theme (versions 2.2.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they follow a crafted link or load a poisoned page. Reported by Patchstack and rated CVSS 7.1 with a scope change, it primarily threatens site visitors and administrators through session/context theft rather than direct server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Artale Wedding Photography Wordpress
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-10104 MEDIUM This Month

Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.

WordPress XSS Product Video Gallery For Woocommerce
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-13252 MEDIUM This Month

Stored Cross-Site Scripting in the Feedzy RSS Aggregator WordPress plugin (all versions through 5.2.1) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the unsanitized 'aspectRatio' attribute of the RSS feed block. When any user - including site administrators - visits a page containing the injected content, the payload executes in their browser, enabling session hijacking, credential theft, or privilege escalation to full site control. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the low privilege bar (contributor) and scope change to administrator sessions make this a meaningful risk for multi-author WordPress deployments.

WordPress XSS Rss Aggregator By Feedzy Feed To Post Autoblogging News Youtube Video Feeds Aggregator
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-13704 MEDIUM This Month

Stored Cross-Site Scripting in GiveWP (WordPress Donation Plugin and Fundraising Platform) versions up to and including 4.16.1 allows authenticated attackers holding the Give Worker role or above to inject persistent malicious scripts via the Sequoia form template's introduction image parameter. The CVSS Scope:Changed rating reflects that injected payloads execute in the security context of any victim browser that loads the affected donation page, enabling session hijacking or credential theft from site visitors and administrators alike. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-10089 MEDIUM This Month

Stored Cross-Site Scripting in the Insert Pages WordPress plugin (versions through 3.11.4) allows authenticated attackers with author-level access to persist arbitrary JavaScript via post custom field key names. The vulnerability arises because the `the_meta()` function applies `wp_kses_post()` to custom field values but interpolates the custom field KEY directly into rendered HTML without any escaping, exploitable only when the `[insert page='ID' display='all']` shortcode is used. Any visitor loading a page containing the shortcode will execute the attacker's payload in their browser, enabling session hijacking or credential theft; no public exploit identified at time of analysis.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-10077 MEDIUM PATCH This Month

Stored XSS in the yootheme WordPress theme before version 5.0.35 enables users holding the Author role to inject persistent malicious scripts into posts by exploiting a sanitization gap between WordPress's wp_kses_post() filter and the theme's bundled front-end framework, which interprets certain permitted HTML attributes as executable markup. Any visitor - including site administrators - who views an affected post triggers script execution in their browser, creating a realistic privilege escalation path on multi-author WordPress sites. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor patch version 5.0.35 is confirmed via WPScan advisory.

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-55790 PHP HIGH POC PATCH GHSA This Week

Stored cross-site scripting in the Craft CMS control panel lets an attacker holding only a free GitHub account run JavaScript in an administrator's authenticated session. The payload is planted in the title of a craftcms/cms GitHub issue and executes when a Craft admin uses the CraftSupport widget's 'Give feedback' screen and searches a term that surfaces the poisoned issue. Affects Craft CMS 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15; no public exploit identified at time of analysis, and it is not in CISA KEV.

XSS
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-55793 PHP MEDIUM POC PATCH GHSA This Month

Stored XSS in Craft CMS 5.0.0-RC1 through 5.9.22 allows an author-level control panel user to execute arbitrary JavaScript in the session of an admin or any privileged user with saveEntries permission on the same Structure section. The vulnerability arises from an HTML encode/decode mismatch: the server safely escapes an entry title into a data-title attribute, but jQuery's .data() method re-decodes the value before it is concatenated back into HTML without re-escaping, bypassing the initial sanitization. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; the vendor shipped a fix in version 5.9.23.

XSS
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.4%
CVE-2026-54263 PyPI HIGH PATCH This Week

Reflected cross-site scripting in the Wagtail Django CMS admin interface lets a low-privilege editor craft a malicious URL that executes JavaScript in the browser of a higher-privilege administrator who opens it, enabling actions to be performed with the victim's credentials. All Wagtail installations before 7.0.8, 7.3.3 and 7.4.2 are affected - the flaw lives in the dynamic image URL generator view and exists even on sites that never enabled the dynamic image serve view. No public exploit identified at time of analysis, and the issue is not reachable by anonymous site visitors without a Wagtail admin account.

XSS Python Wagtail
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-54720 MEDIUM PATCH This Month

Cross-site scripting in Silverstripe Framework's 'Insert media from web' CMS feature allows a remote unauthenticated attacker to inject malicious JavaScript by supplying a specially crafted embed URL that a CMS editor then inserts into content. All Silverstripe Framework installations prior to version 6.2.2 are affected. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it a credible risk for any deployment where CMS editors process externally sourced media.

XSS PHP Silverstripe Framework
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-58263 HIGH PATCH This Week

Mutation XSS in Jodit Editor (xdan/jodit) before 4.12.28 lets attacker-influenced HTML slip a live, no-interaction event handler past the built-in clean-html sanitizer. A MathML/<style> carrier hides a dangerous element from the sanitizer's element walk, so the sanitized editor value still contains a working handler such as <img onload=...> or onfocus; any consumer that renders editor.value via innerHTML executes attacker JavaScript without user interaction. No public exploit identified at time of analysis, and the flaw is fixed in 4.12.28.

XSS Jodit
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-14358 MEDIUM PATCH This Month

Cross-site scripting in the Wikimedia Foundation's MediaWiki Charts Extension allows network-accessible, unauthenticated attackers to inject malicious JavaScript into wiki pages that render chart content. All installations running the Charts Extension across the 1.43.x, 1.44.x, and 1.45.x branches prior to fixed releases 1.43.9, 1.44.6, and 1.45.4 are affected. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the CVSS 4.0 vector's PR:N and UI:N designations indicate the attack requires neither attacker credentials nor victim interaction beyond page rendering, which is atypical for classical reflected XSS and elevates practical exploitability.

XSS Mediawiki Charts Extension
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-49864 npm HIGH POC PATCH GHSA This Week

Cross-site scripting in the wetty web-terminal client (npm package `wetty`, default configuration) lets any writer of content a victim renders inject keystrokes into that victim's live SSH session. The client base64-decodes an attacker-controlled filename from the documented file-download escape sequence (`\x1b[5i<name>:<content>\x1b[4i`) and interpolates it raw into a Toastify toast with `escapeMarkup:false`, so script runs in the wetty origin and can call `window.wetty_term.input()` to type commands and read the terminal buffer. A detailed proof-of-concept is published in the GitHub Security Advisory (GHSA-p26j-h7wj-r568), so publicly available exploit code exists; there is no public evidence of active exploitation at time of analysis.

XSS Docker
NVD GitHub
CVE-2026-39379 Maven HIGH PATCH GHSA This Week

Reflected cross-site scripting in GeoNetwork lets a remote attacker run arbitrary JavaScript in a victim's authenticated session by luring them to a crafted service URL. Because the not-found/unauthorized error page is an AngularJS application, attacker-controlled request content reflected into that page is evaluated as a client-side template expression (AngularJS sandbox escape) rather than shown as inert text. No public exploit is identified at time of analysis, and the flaw is not on CISA KEV.

XSS
NVD GitHub
CVSS 3.1
7.1
CVE-2026-57737 MEDIUM This Month

DOM-Based XSS in the Shortcodes and extra features for Phlox theme WordPress plugin (all versions through 2.17.16) permits a low-privileged authenticated attacker to inject malicious JavaScript that executes in victims' browsers via unsanitized shortcode input. Exploitation requires an attacker with at least contributor-level WordPress access and a privileged user to view the crafted page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit identified at time of analysis; vulnerability was disclosed by Patchstack and is not listed in CISA KEV.

XSS Shortcodes And Extra Features For Phlox Theme
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57722 MEDIUM This Month

Stored cross-site scripting in the ShortPixel Enable Media Replace WordPress plugin (all versions through 4.2.1) allows an authenticated attacker with high-level privileges to inject persistent malicious scripts via the media replacement workflow, which then execute in the browser context of any WordPress user who subsequently views the affected content. The scope change confirmed by the CVSS vector (S:C) means a compromised editor-level account could be leveraged to target administrator sessions, enabling privilege escalation within the WordPress admin interface. No public exploit code or CISA KEV listing has been identified at time of analysis; the Patchstack advisory is the primary confirmed intelligence source.

XSS Enable Media Replace
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-34098 MEDIUM POC This Month

Reflected cross-site scripting in Guardian Language-System's media.php allows authenticated attackers to inject arbitrary JavaScript into the victim's browser session by crafting a malicious URL with a script payload in the id GET parameter. The flaw exists because the id parameter is written unsanitized directly into HTML source and form action attributes at lines 119 and 129 of media.php. A publicly available proof-of-concept exploit exists on GitHub, though no KEV listing indicates broad active exploitation at time of analysis.

XSS PHP Language System
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-34097 MEDIUM POC This Month

Reflected XSS in Guardian Language-System's text_file.php allows an authenticated attacker to inject arbitrary script tags into at least six distinct form action attributes (lines 94, 101, 323, 403, 826, 852) by crafting a malicious URL with a payload in the id GET parameter. When a second authenticated victim is socially engineered into following the crafted link, the script executes within their browser session against the Guardian Language-System origin, enabling session token theft or unauthorized actions on the victim's behalf. A publicly available proof-of-concept exploit exists on GitHub; no CISA KEV listing has been identified, meaning active exploitation is not confirmed at time of analysis.

XSS PHP Language System
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-34096 MEDIUM POC This Month

Reflected XSS in Guardian language-system's designer.php allows authenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session by crafting a malicious URL. The `name` GET parameter is echoed unsanitized directly into an HTML input value attribute at line 57, enabling classic reflected cross-site scripting. A publicly available proof-of-concept exploit exists on GitHub (via VulnCheck advisory); the vulnerability is not currently listed in CISA KEV, and real-world impact is constrained by the requirement for victim interaction and authentication.

XSS PHP Language System
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-58028 NONE PATCH Awaiting Data

Cross-site scripting in Wikimedia Foundation MediaWiki and the CentralAuth extension allows authenticated low-privileged users to inject malicious scripts into rendered wiki pages or API output through unsanitized input in API formatting, ResourceLoader module handling, page display hooks, and permission change log formatting. Affected versions span all releases of both products prior to the 1.46.0, 1.45.4, 1.44.6, and 1.43.9 patch series. No public exploit code or CISA KEV listing has been identified at time of analysis, though the five affected PHP files suggest a broad attack surface across core MediaWiki subsystems.

XSS PHP Mediawiki Centralauth
NVD VulDB
EPSS
0.4%
CVE-2026-58038 NONE PATCH Awaiting Data

Stored cross-site scripting in the Wikimedia Foundation Timeline extension exposes MediaWiki installations to session hijacking and credential theft. The flaw exists in Timeline.php and EasyTimeline.pl, where user-supplied timeline markup syntax is not properly neutralized before HTML output, allowing an authenticated wiki editor to inject arbitrary JavaScript executed in other users' browsers. No public exploit has been identified at time of analysis, and KEV listing is absent, but the network-accessible nature and low-privilege entry point make this a credible risk on publicly editable wikis.

XSS PHP Timeline
NVD VulDB
EPSS
0.2%
CVE-2026-58030 MEDIUM PATCH This Month

Cross-site scripting in the Wikimedia Foundation SyntaxHighlight_GeSHi MediaWiki extension allows authenticated users to inject unsanitized input via the syntax highlighting interface, with malicious script executing in victims' browsers upon page view. The flaw originates in includes/SyntaxHighlight.php and affects all versions prior to branch-specific fixes at 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality impact scoped to the vulnerable system.

XSS PHP Syntaxhighlight Geshi
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-58032 MEDIUM PATCH This Month

Cross-site scripting in MediaWiki's JavaScript API client layer (resources/src/mediawiki.Api/index.js) allows network-accessible, unauthenticated attackers to inject malicious scripts that execute in a victim's browser upon user interaction. All MediaWiki deployments prior to versions 1.43.9, 1.44.6, 1.45.4, and 1.46.0 are affected, covering a broad range of wiki installations worldwide. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity and lack of authentication requirement elevate concern for public-facing deployments.

XSS Mediawiki
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-58037 NONE PATCH Awaiting Data

Cross-site scripting vulnerabilities across multiple log formatter and language components in MediaWiki allow authenticated low-privilege users to inject malicious JavaScript that executes in the browser of any user who views affected log pages or the SpecialVersion special page. The vulnerability spans seven PHP files covering block, patrol, rename-user, and tag log formatters, the base LogFormatter, the Language class, and SpecialVersion - indicating widespread unsanitized output rendering in administrative and logging interfaces. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the breadth of affected components and the multiple concurrent fix branches (1.43.9, 1.44.6, 1.45.4, 1.46.0) signal a significant audit-driven remediation effort.

XSS PHP Mediawiki
NVD VulDB
EPSS
0.4%
CVE-2026-58031 NONE PATCH Awaiting Data

Cross-site scripting in MediaWiki's ApiSandbox component (ApiSandboxLayout.js) allows an authenticated attacker to inject malicious JavaScript that executes in the browser of a victim who interacts with a crafted ApiSandbox page. Only MediaWiki 1.46.0-rc.0 is confirmed affected; the 1.46.0 stable release resolves the flaw, meaning real-world exposure is limited to deployments running the release candidate. No public exploit code or active exploitation has been identified at time of analysis.

XSS Mediawiki
NVD VulDB
EPSS
0.2%
CVE-2026-58034 NONE PATCH Awaiting Data

Cross-site scripting in the Wikimedia Foundation CheckUser extension (versions 1.46.0-rc.0 up to but not including 1.46.0) allows a high-privileged attacker to inject malicious scripts via the blockConnectedTempAccountsField Vue component used in the Temporary Accounts blocking workflow. Exploitation requires both elevated CheckUser-level privileges and active user interaction from another party, materially constraining real-world risk. No public exploit code exists and this CVE is not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis.

XSS Checkuser
NVD VulDB
EPSS
0.2%
CVE-2026-6283 MEDIUM This Month

Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inject persistent malicious scripts into application content that execute in the browsers of other users who subsequently view the affected page. The CVSS scope change indicator (S:C) reflects that the injected payload breaks out of the application's security boundary into the victim's browser context, enabling session hijacking or unauthorized actions. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was disclosed by TR-CERT with a corresponding patch available.

XSS Divvydrive
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-58035 NONE PATCH Awaiting Data

Cross-site scripting in MediaWiki's Special:Block Vue.js component allows a high-privileged user - such as a wiki administrator - to inject malicious scripts that execute in the browsers of other users who subsequently view the affected block interface output. The vulnerability is isolated to the `SpecialBlock.Vue` frontend component, gating exploitation behind administrative access. No public exploit has been identified at time of analysis, and no patch version has been confirmed from available data.

XSS Mediawiki
NVD VulDB
EPSS
0.2%
CVE-2026-5220 MEDIUM This Month

Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users who view affected pages. The CVSS scope change (S:C) reflects that injected scripts operate outside the application's security boundary, enabling session hijacking or credential theft against higher-privileged victims such as administrators. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and cross-scope impact make this a meaningful lateral escalation risk within DivvyDrive deployments.

XSS Divvydrive
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-53907 MEDIUM This Month

Stored XSS in MyComplianceOffice MCO version 25.3.3.1 allows a privileged attacker with logo-upload rights to plant malicious JavaScript inside a crafted SVG file that executes in any user's browser when the application logo is rendered. Reported by CERT-PL, vendor contact was unsuccessful, leaving no official patch or advisory in place. No public exploit code has been identified at time of analysis, though the SVG-based XSS technique is well-documented and trivially replicable against unpatched instances.

XSS Mco
NVD
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-13323 HIGH PATCH This Week

Stored cross-site scripting in Eclipse Open VSX Registry (versions 0.1.0 through before 1.0.2) allows an attacker who self-registers a publisher account to upload a VSIX containing malicious HTML that the /vscode/unpkg/ endpoint serves inline as text/html within the open-vsx.org origin, with no Content-Security-Policy or Content-Disposition: attachment header. When a logged-in victim is lured to the resulting URL, the script runs in the registry's origin and can steal session tokens, mint Personal Access Tokens, and publish trojanized extension versions - turning a single XSS into a supply-chain compromise of VS Code, VSCodium, Cursor, and Windsurf users. No public exploit is identified at time of analysis and EPSS risk is low (0.17%), but the downstream blast radius is severe.

XSS Eclipse Open Vsx Red Hat
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.2%
CVE-2026-12142 HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. No public exploit identified at time of analysis; the issue was reported by Wordfence and carries a CVSS 7.2 with a changed scope.

WordPress XSS Nex Forms Ultimate Forms Plugin For Wordpress
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-10095 MEDIUM This Month

Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributor-level authenticated attackers to inject persistent JavaScript payloads via the unsanitized 'subtext' parameter of the [photo] shortcode. The CVSS scope change (S:C) is the critical amplifier: a low-privileged contributor can embed malicious shortcodes in posts submitted for editorial review, causing the stored payload to execute in administrator browser sessions when the content is previewed - enabling session hijacking and potential full site takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and common WordPress contributor registration practices make this a realistic threat on affected installations.

WordPress XSS Wp Photo Album Plus
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12754 MEDIUM This Month

Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.12) allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers by tricking them into clicking a crafted URL. The vulnerable `layoutstyle` parameter is insufficiently sanitized before being rendered in the roomslist view template, enabling session hijacking, credential theft, or malicious redirects against authenticated site users such as hotel administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and a patched version (1.8.13) is available per plugin Trac references.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-13733 MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.60) allows authenticated contributors to persistently inject arbitrary JavaScript via the `no_data_msg` shortcode attribute, executing in any subsequent visitor's browser context. The vulnerability exploits a bypass in WordPress's `wp_kses_post` sanitization: the filter strips disallowed HTML tokens at save time but does not neutralize C-style escape sequences embedded in shortcode attribute values, which are silently reconstructed into raw `<script>` tags at render time. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the deliberate evasion technique elevates risk on multi-contributor WordPress deployments.

WordPress XSS Download Manager
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12732 MEDIUM This Month

Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. No CISA KEV listing or public exploit code has been identified at time of analysis, but the Wordfence advisory includes precise code-level references that substantially lower the bar for independent reproduction.

WordPress XSS Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-11570 MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the User Submitted Posts WordPress plugin before version 20260608 enables unauthenticated attackers to inject persistent malicious scripts into admin-configured display templates. The vulnerability is only reachable when a site administrator has enabled a non-default display option in the plugin settings, limiting its real-world exposure. A publicly available proof-of-concept exploit exists per WPScan, though no active exploitation has been confirmed by CISA KEV at time of analysis.

WordPress XSS User Submitted Posts
NVD WPScan VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-11380 MEDIUM This Month

Stored cross-site scripting in JetWidgets For Elementor (versions up to and including 1.0.21) allows authenticated WordPress users holding author-level access or higher to plant persistent JavaScript payloads by supplying unsanitized input to the Animated Box widget's animation_effect parameter, which is written directly into an HTML class attribute without output escaping or server-side validation. Any site visitor who loads an injected page triggers the payload, enabling session hijacking, credential theft, or administrative account takeover through privilege escalation within the victim's browser context. No public exploit has been identified at time of analysis and the CVE does not appear in CISA KEV; however, a fix has been committed to the WordPress plugin repository.

WordPress XSS Jetwidgets For Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-2387 MEDIUM This Month

Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the low authentication bar (Contributor) makes this a meaningful risk on multi-author WordPress sites.

WordPress XSS Event Organiser
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-7517 HIGH This Week

Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but the unauthenticated, no-configuration-required attack path makes it materially exploitable against default installs.

WordPress XSS Custom Payment Gateways For Woocommerce
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-58519 MEDIUM PATCH This Month

Stored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows attackers to inject persistent malicious scripts into wiki pages rendered through the Cargo data-display system. The CVSS 4.0 vector carries E:A (evidence of active exploitation), elevating this beyond a theoretical risk. Successful exploitation enables session hijacking, credential theft, and in-browser payload delivery against any user who views an affected Cargo-rendered page.

XSS Mediawiki Cargo Extension
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-12135 MEDIUM This Month

Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized `align` attribute of the `[video_player]` shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis, though the stored nature of this XSS amplifies real-world risk relative to reflected variants.

WordPress XSS Fv Flowplayer Video Player
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13015 MEDIUM This Month

Reflected Cross-Site Scripting in Wp Google Places Review Slider (WordPress plugin, versions ≤ 18.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `place` GET parameter in `admin/partials/googlecrawl_dfs.php`. The raw user input is URL-decoded and passed through `stripslashes()` before being echoed directly into an HTML value attribute — bypassing WordPress's standard `esc_attr()` — but only when the supplied place value is not already present as a key in the `wprev_google_crawls` stored option. No public exploit identified at time of analysis; successful exploitation requires tricking an authenticated WordPress administrator into clicking a specially crafted link.

WordPress XSS PHP Google Wp Google Review Slider
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-13443 MEDIUM This Month

Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated attackers holding author-level or higher WordPress roles to inject persistent malicious scripts via the Lesson Attachment Title field. The injected payload is stored in the WordPress database and executes in the browser of any user who subsequently accesses a course page rendering the attachment - achieving a scope change from the plugin's context into the victim's browsing session. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references to the vulnerable rendering path, lowering the barrier to exploitation.

WordPress XSS Tutor Lms Elearning And Online Course Solution
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9107 MEDIUM This Month

Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'meta[kaliforms_field_components]' parameter. Any WordPress user who subsequently visits a page containing the injected form will execute the attacker's script in their browser, making session hijacking, credential theft, and admin account takeover realistic outcomes. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege bar (contributor) makes this a realistic risk on multi-author WordPress sites.

WordPress XSS Kali Forms Contact Form Drag And Drop Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13731 HIGH POC This Week

Stored cross-site scripting in the WPBot AI ChatBot for WordPress (all versions through 8.4.9) lets unauthenticated attackers persist arbitrary JavaScript through the 'conversation' parameter, which later executes when the injected page is viewed - most notably by an administrator opening the chat-session reports in wp-admin. Because the AJAX nonce that guards the save endpoint is publicly emitted on every frontend page via wp_localize_script, any anonymous visitor can obtain it, so there is effectively no barrier to injection. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; risk stems from ease of exploitation rather than confirmed in-the-wild abuse.

WordPress XSS Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-13246 MEDIUM This Month

Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. Any visitor loading an injected page will have the malicious script execute in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-57963 MEDIUM This Month

An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Mozilla Thunderbird XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-14147 MEDIUM PATCH This Month

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

Google XSS Suse
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-14145 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's CSS implementation prior to 150.0.7871.47 allows a remote attacker to inject arbitrary scripts or HTML by luring a user to a crafted web page, with the scope change (S:C) in the CVSS vector indicating potential Same-Origin Policy bypass affecting other loaded origins. No public exploit or active exploitation is identified at time of analysis - EPSS sits at 0.17% (6th percentile) and SSVC exploitation status is rated 'none.' A vendor-released patch is available in stable channel 150.0.7871.47.

XSS Google Suse
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-14142 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Extensions implementation (all versions prior to 150.0.7871.47) enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to render deceptive UI elements through a crafted HTML page, potentially misleading users into unintended interactions. The vulnerability carries a CVSS 5.4 Medium score, though Chromium's internal rating is Low, and the EPSS score of 0.18% (8th percentile) reflects minimal exploitation probability. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

XSS Google Suse
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-14068 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Chrome's Omnibox on iOS enables remote attackers to inject arbitrary scripts or HTML across security origins by luring users into performing specific UI gestures on a crafted page. Affected versions are Chrome for iOS prior to 150.0.7871.47; the desktop channel is not affected. No public exploit code or active exploitation has been identified at time of analysis, and EPSS sits at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating despite the scope-changed CVSS vector.

XSS Apple Google Suse
NVD
CVSS 3.1
6.1
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in Livemesh Addons for WPBakery Page Builder versions 3.9.4 and earlier allows authenticated Contributors to inject persistent malicious scripts into WordPress pages. When a higher-privileged user such as an Editor or Administrator views the affected content, the injected script executes in their browser session - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin panel. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-privilege entry point and Changed scope elevate real-world risk for multi-author WordPress installations.

XSS Livemesh Addons For Wpbakery Page Builder
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WowAddons (Product Addons) WordPress plugin through version 1.6.14 lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is needed but the victim must be lured into interacting with a crafted request/link, and the scope-change flag reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS was not provided.

XSS Wowaddons
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

TheFox WordPress theme by tranmautritam in versions 3.9.70 and earlier allows a Contributor-level authenticated attacker to inject persistent Cross-Site Scripting payloads into theme-specific input fields, which then execute in the browsers of any user who views the affected content. The Changed Scope (S:C) in the CVSS vector confirms the payload crosses security boundaries into the victim browser context, enabling session token theft, credential harvesting, or unauthorized administrative actions against higher-privileged users such as editors or site admins. No public proof-of-concept and no CISA KEV listing have been identified at time of analysis; the vulnerability was reported and documented by Patchstack.

XSS Thefox
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS Simple Link Directory
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the WP Photo Album Plus WordPress plugin (versions <= 9.2.02.004) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser session when they interact with a crafted link or request. The CVSS 3.1 vector (PR:N, UI:R, S:C) indicates no authentication is required but the victim must be lured into triggering the payload, and the scope change reflects script execution crossing into the WordPress user's authenticated context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

XSS Wp Photo Album Plus
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Scripting in the Timetics WordPress appointment-booking plugin (by Arraytics) affects all versions up to and including 1.0.58, allowing unauthenticated remote attackers to inject script that executes in a victim's browser after the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), a successful injection can affect resources beyond the vulnerable component, such as the browser session of a logged-in administrator. There is no public exploit identified at time of analysis, the CVE is not listed in CISA KEV, and no EPSS score was provided.

XSS Timetics
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in the Optimole WordPress image-optimization plugin (versions 4.2.7 and earlier) lets remote unauthenticated attackers inject arbitrary JavaScript that executes in the browser of any user who views the affected content. Reported by Patchstack and classified CWE-79 with a CVSS 3.1 score of 7.1, the flaw carries a scope-changing impact (S:C) but requires victim interaction (UI:R). At the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV; no EPSS value was supplied.

XSS Optimole
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the wpDataTables WordPress plugin (versions 6.5.1.1 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view a crafted page or follow a malicious link. The scope-change (S:C) rating in the CVSS vector indicates the injected script can affect resources beyond the vulnerable component - for example the wider WordPress site context - enabling session/cookie theft or admin-panel actions. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed through Patchstack's vulnerability database.

XSS Wpdatatables
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Perfmatters WordPress performance plugin (versions 2.6.4 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable, no-authentication exploitation gated by user interaction, with a scope change into the victim's browser context. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.

XSS Perfmatters
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in the Google Maps CP WordPress plugin (versions 1.2.5 and earlier, vendor CodePeople) lets an unauthenticated attacker inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change, reflecting impact beyond the vulnerable component into the wider WordPress session. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Google Google Maps Cp
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Stored/reflected cross-site scripting in the Admin and Site Enhancements (ASE) Pro WordPress plugin (versions 8.8.5 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser once they view the affected page or follow a crafted link. Because the flaw requires no authentication and carries a scope-changing CVSS 3.1 score of 9.6, a single successful lure can lead to admin session hijacking and full site takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Admin And Site Enhancements Ase Pro
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Modula PRO WordPress gallery plugin (versions through 2.10.8) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view or interact with attacker-influenced content. Reported by Patchstack and rated CVSS 7.1 with a scope change, the flaw requires user interaction but no authentication; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Modula Pro
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the WPAdverts WordPress classifieds plugin (versions 2.3.1 and earlier) lets a remote, unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link or view attacker-controlled input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity network attack needing only user interaction, with a scope change into the browser security context. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Wpadverts
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions 8.3.2 and earlier) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 score is 7.1 with a scope change (S:C), reflecting that injected script runs in the security context of the WordPress site rather than the vulnerable component alone. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Chatbot
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected cross-site scripting in the Survey Maker WordPress plugin (versions 5.2.2.5 and earlier by AYS Pro) lets unauthenticated remote attackers inject JavaScript that executes in a victim's browser after they interact with a crafted page or survey. The CVSS scope-change flag (S:C) indicates the injected script escapes the plugin's context to affect the wider WordPress site, potentially reaching authenticated admin sessions. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.

XSS Survey Maker
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the implecode eCommerce Product Catalog WordPress plugin (all versions through 3.5.4) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser session, with no login required (PR:N) but a user interaction step to trigger the payload (UI:R). Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can hijack administrator or shopper sessions on affected online stores. There is no public exploit identified at time of analysis and no CISA KEV listing, so this is a plausible-impact issue rather than a confirmed active-exploitation event.

XSS Ecommerce Product Catalog
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored Cross-Site Scripting in the ReviewX WordPress plugin (versions 2.3.10 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or page. The scope-changed CVSS 3.1 score of 7.1 (PR:N/UI:R) reflects that no authentication is required but a victim must be lured into triggering the payload. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-actively-exploited plugin flaw reported by Patchstack.

XSS Reviewx
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected Cross-Site Scripting in the Customize My Account for WooCommerce WordPress plugin (versions 4.3.9 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The flaw carries a CVSS 7.1 rating driven by a scope change (S:C), meaning script execution crosses the plugin's security boundary into the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Customize My Account For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Search Atlas SEO WordPress plugin (versions 2.6.6 and earlier, distributed under the 'metasync' slug) lets an unauthenticated attacker inject script that executes in a victim's browser session when they follow a crafted link. Rated CVSS 7.1 with an elevated score due to a scope change, the flaw affects any WordPress site running the vulnerable plugin and can lead to session hijacking, admin action forgery, or redirection. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Search Atlas Seo
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the MC WooCommerce Wishlist WordPress plugin (also distributed as 'Smart Wishlist for MoreConvert') affects all versions up to and including 1.9.19, letting remote unauthenticated attackers inject malicious script that executes in a victim's browser after the victim interacts with a crafted link or request. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs in the WordPress site's origin, enabling session/cookie theft or actions against other users. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

WordPress XSS Mc Woocommerce Wishlist
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in JetReviews plugin for WordPress (versions <= 3.0.0.1) allows subscriber-level authenticated users to inject malicious scripts into review fields that execute in victims' browsers when the content is viewed. The vulnerability carries a changed scope (S:C), meaning the injected payload breaks out of the plugin's context and can target higher-privileged users such as site administrators. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low attack complexity and the prevalence of WordPress in production environments make this a credible escalation path to full site compromise.

XSS Jetreviews
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected cross-site scripting in the HandL UTM Grabber WordPress plugin (versions 2.9.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, per PR:N/UI:R in the CVSS vector. The scope-change flag (S:C) indicates injected script can affect resources beyond the vulnerable component, such as authenticated admin sessions. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Handl Utm Grabber
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WP Debugging WordPress plugin (versions 2.12.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they interact with a crafted link or request. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the flaw carries a scope-change impact meaning injected script can affect the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Wp Debugging
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in the WPeMatico RSS Feed Fetcher WordPress plugin (versions 2.8.17 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in the browser of a victim who interacts with crafted content. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation with a scope change, meaning injected script can affect the wider WordPress context beyond the vulnerable component. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Wpematico Rss Feed Fetcher
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Scripting in the Internal Links Manager WordPress plugin (versions 3.0.3 and earlier, by webraketen) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script escapes the vulnerable component's boundary and can act against other WordPress users, including administrators. There is no public exploit identified and it is not on CISA KEV, though Patchstack has publicly documented the flaw.

XSS Internal Links Manager
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remote, unauthenticated attacker inject malicious script that executes in a victim's browser when they interact with a crafted link or page. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope change (S:C) meaning the injected script can act beyond the vulnerable component into the wider browsing context. There is no public exploit identified at time of analysis and no active exploitation reported.

XSS Classified Listing
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored Cross-Site Scripting in the Real Estate 7 WordPress theme (contempoinc) versions 3.5.9 and earlier lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The scope-changing flaw (CVSS 3.1 7.1) can hijack sessions or perform actions in the victim's authenticated context, including administrators. Reported by Patchstack; no public exploit code has been identified and it is not on the CISA KEV list.

XSS Real Estate 7
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in ShortPixel Adaptive Images WordPress plugin (versions <= 3.11.3) enables authenticated subscriber-role users to inject malicious scripts that execute in the browsers of higher-privileged users, including administrators. The CVSS changed-scope indicator (S:C) signals that injected payloads can transcend the attacker's own session context - a meaningful risk in WordPress environments where admin account takeover is feasible via session hijacking. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

XSS Shortpixel Adaptive Images
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the TheFox WordPress theme (versions 3.9.76 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported through Patchstack and scoped to the ThemeForest 'tranmautritam:thefox' theme, the flaw carries a CVSS 3.1 base score of 7.1 driven largely by a changed scope. There is no public exploit identified at time of analysis and no CISA KEV listing, so risk hinges on tricking a user into clicking a malicious URL.

XSS Thefox
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Automotive Car Dealership Business WordPress theme (versions 13.3.3 and earlier by ThemeSuite) lets unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) confirms network-based, unauthenticated exploitation that requires user interaction and crosses a security scope boundary. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV.

XSS Automotive Car Dealership Business
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected Cross-Site Scripting in the Automotive Listings WordPress plugin (versions 18.6 and earlier) lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack and classified CWE-79 with a CVSS 3.1 score of 7.1 (scope-changed, low impact across confidentiality, integrity, and availability), the flaw requires user interaction but no authentication. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Automotive Listings
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the NativeChurch WordPress theme (versions 4.8.8.2 and earlier, by imithemes) allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 vector (7.1) reflects a scope change with limited confidentiality, integrity, and availability impact, and requires victim interaction. No public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed through Patchstack's WordPress vulnerability database.

XSS Nativechurch
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link. Reported by Patchstack, the flaw carries CVSS 7.1 with a scope change, reflecting cross-context impact; no public exploit is identified at time of analysis and it is not listed in CISA KEV.

XSS Lms
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the DesignThemes 'Kids Life | Children School' WordPress theme (versions 5.2 and earlier) allows unauthenticated remote attackers to inject arbitrary web script that executes in a victim's browser when they interact with a crafted link or input. The CVSS vector (PR:N, UI:R, Scope Changed) indicates no authentication is needed but the victim must be lured into interaction, and the injected script can cross into other security contexts. No public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.

WordPress XSS Kids Life Children School Wordpress
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Kids Zone - Children WordPress Theme (versions 5.4 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session when the victim opens a crafted link or page. The CVSS 3.1 base score is 7.1, elevated by a scope change (S:C) reflecting that injected script escapes the vulnerable theme context into the visitor's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS value was supplied with the input.

WordPress XSS Kids Zone Children Wordpress Theme
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the Fitness Zone WordPress theme (versions 5.7 and earlier) by designthemes allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or request. The scope-change (S:C) rating indicates the injected script can affect resources beyond the vulnerable component, such as hijacking authenticated admin sessions. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by Patchstack.

WordPress XSS Fitness Zone Wordpress Theme
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the designthemes SpaLab | Beauty Salon WordPress theme (all versions up to and including 6.7) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 score of 7.1 reflects a scope-changing (S:C) client-side impact requiring no authentication (PR:N) but user interaction (UI:R). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied in the input.

WordPress XSS Spalab Beauty Salon Wordpress Theme
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Trendy Travel WordPress theme (versions 6.7 and earlier) by designthemes lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Rated CVSS 7.1 with a scope change (S:C), reflecting that injected script can act across the WordPress security boundary. No public exploit identified at time of analysis, and no EPSS score was supplied.

XSS Trendy Travel
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored Cross-Site Scripting in the Artale Wedding Photography WordPress theme (versions 2.2.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they follow a crafted link or load a poisoned page. Reported by Patchstack and rated CVSS 7.1 with a scope change, it primarily threatens site visitors and administrators through session/context theft rather than direct server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Artale Wedding Photography Wordpress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.

WordPress XSS Product Video Gallery For Woocommerce
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Feedzy RSS Aggregator WordPress plugin (all versions through 5.2.1) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the unsanitized 'aspectRatio' attribute of the RSS feed block. When any user - including site administrators - visits a page containing the injected content, the payload executes in their browser, enabling session hijacking, credential theft, or privilege escalation to full site control. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the low privilege bar (contributor) and scope change to administrator sessions make this a meaningful risk for multi-author WordPress deployments.

WordPress XSS Rss Aggregator By Feedzy Feed To Post Autoblogging News Youtube Video Feeds Aggregator
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in GiveWP (WordPress Donation Plugin and Fundraising Platform) versions up to and including 4.16.1 allows authenticated attackers holding the Give Worker role or above to inject persistent malicious scripts via the Sequoia form template's introduction image parameter. The CVSS Scope:Changed rating reflects that injected payloads execute in the security context of any victim browser that loads the affected donation page, enabling session hijacking or credential theft from site visitors and administrators alike. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Insert Pages WordPress plugin (versions through 3.11.4) allows authenticated attackers with author-level access to persist arbitrary JavaScript via post custom field key names. The vulnerability arises because the `the_meta()` function applies `wp_kses_post()` to custom field values but interpolates the custom field KEY directly into rendered HTML without any escaping, exploitable only when the `[insert page='ID' display='all']` shortcode is used. Any visitor loading a page containing the shortcode will execute the attacker's payload in their browser, enabling session hijacking or credential theft; no public exploit identified at time of analysis.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Stored XSS in the yootheme WordPress theme before version 5.0.35 enables users holding the Author role to inject persistent malicious scripts into posts by exploiting a sanitization gap between WordPress's wp_kses_post() filter and the theme's bundled front-end framework, which interprets certain permitted HTML attributes as executable markup. Any visitor - including site administrators - who views an affected post triggers script execution in their browser, creating a realistic privilege escalation path on multi-author WordPress sites. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor patch version 5.0.35 is confirmed via WPScan advisory.

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 7.4
HIGH POC PATCH This Week

Stored cross-site scripting in the Craft CMS control panel lets an attacker holding only a free GitHub account run JavaScript in an administrator's authenticated session. The payload is planted in the title of a craftcms/cms GitHub issue and executes when a Craft admin uses the CraftSupport widget's 'Give feedback' screen and searches a term that surfaces the poisoned issue. Affects Craft CMS 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15; no public exploit identified at time of analysis, and it is not in CISA KEV.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Stored XSS in Craft CMS 5.0.0-RC1 through 5.9.22 allows an author-level control panel user to execute arbitrary JavaScript in the session of an admin or any privileged user with saveEntries permission on the same Structure section. The vulnerability arises from an HTML encode/decode mismatch: the server safely escapes an entry title into a data-title attribute, but jQuery's .data() method re-decodes the value before it is concatenated back into HTML without re-escaping, bypassing the initial sanitization. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; the vendor shipped a fix in version 5.9.23.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Reflected cross-site scripting in the Wagtail Django CMS admin interface lets a low-privilege editor craft a malicious URL that executes JavaScript in the browser of a higher-privilege administrator who opens it, enabling actions to be performed with the victim's credentials. All Wagtail installations before 7.0.8, 7.3.3 and 7.4.2 are affected - the flaw lives in the dynamic image URL generator view and exists even on sites that never enabled the dynamic image serve view. No public exploit identified at time of analysis, and the issue is not reachable by anonymous site visitors without a Wagtail admin account.

XSS Python Wagtail
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in Silverstripe Framework's 'Insert media from web' CMS feature allows a remote unauthenticated attacker to inject malicious JavaScript by supplying a specially crafted embed URL that a CMS editor then inserts into content. All Silverstripe Framework installations prior to version 6.2.2 are affected. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it a credible risk for any deployment where CMS editors process externally sourced media.

XSS PHP Silverstripe Framework
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Mutation XSS in Jodit Editor (xdan/jodit) before 4.12.28 lets attacker-influenced HTML slip a live, no-interaction event handler past the built-in clean-html sanitizer. A MathML/<style> carrier hides a dangerous element from the sanitizer's element walk, so the sanitized editor value still contains a working handler such as <img onload=...> or onfocus; any consumer that renders editor.value via innerHTML executes attacker JavaScript without user interaction. No public exploit identified at time of analysis, and the flaw is fixed in 4.12.28.

XSS Jodit
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-site scripting in the Wikimedia Foundation's MediaWiki Charts Extension allows network-accessible, unauthenticated attackers to inject malicious JavaScript into wiki pages that render chart content. All installations running the Charts Extension across the 1.43.x, 1.44.x, and 1.45.x branches prior to fixed releases 1.43.9, 1.44.6, and 1.45.4 are affected. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the CVSS 4.0 vector's PR:N and UI:N designations indicate the attack requires neither attacker credentials nor victim interaction beyond page rendering, which is atypical for classical reflected XSS and elevates practical exploitability.

XSS Mediawiki Charts Extension
NVD
HIGH POC PATCH This Week

Cross-site scripting in the wetty web-terminal client (npm package `wetty`, default configuration) lets any writer of content a victim renders inject keystrokes into that victim's live SSH session. The client base64-decodes an attacker-controlled filename from the documented file-download escape sequence (`\x1b[5i<name>:<content>\x1b[4i`) and interpolates it raw into a Toastify toast with `escapeMarkup:false`, so script runs in the wetty origin and can call `window.wetty_term.input()` to type commands and read the terminal buffer. A detailed proof-of-concept is published in the GitHub Security Advisory (GHSA-p26j-h7wj-r568), so publicly available exploit code exists; there is no public evidence of active exploitation at time of analysis.

XSS Docker
NVD GitHub
CVSS 7.1
HIGH PATCH This Week

Reflected cross-site scripting in GeoNetwork lets a remote attacker run arbitrary JavaScript in a victim's authenticated session by luring them to a crafted service URL. Because the not-found/unauthorized error page is an AngularJS application, attacker-controlled request content reflected into that page is evaluated as a client-side template expression (AngularJS sandbox escape) rather than shown as inert text. No public exploit is identified at time of analysis, and the flaw is not on CISA KEV.

XSS
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-Based XSS in the Shortcodes and extra features for Phlox theme WordPress plugin (all versions through 2.17.16) permits a low-privileged authenticated attacker to inject malicious JavaScript that executes in victims' browsers via unsanitized shortcode input. Exploitation requires an attacker with at least contributor-level WordPress access and a privileged user to view the crafted page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit identified at time of analysis; vulnerability was disclosed by Patchstack and is not listed in CISA KEV.

XSS Shortcodes And Extra Features For Phlox Theme
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored cross-site scripting in the ShortPixel Enable Media Replace WordPress plugin (all versions through 4.2.1) allows an authenticated attacker with high-level privileges to inject persistent malicious scripts via the media replacement workflow, which then execute in the browser context of any WordPress user who subsequently views the affected content. The scope change confirmed by the CVSS vector (S:C) means a compromised editor-level account could be leveraged to target administrator sessions, enabling privilege escalation within the WordPress admin interface. No public exploit code or CISA KEV listing has been identified at time of analysis; the Patchstack advisory is the primary confirmed intelligence source.

XSS Enable Media Replace
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Reflected cross-site scripting in Guardian Language-System's media.php allows authenticated attackers to inject arbitrary JavaScript into the victim's browser session by crafting a malicious URL with a script payload in the id GET parameter. The flaw exists because the id parameter is written unsanitized directly into HTML source and form action attributes at lines 119 and 129 of media.php. A publicly available proof-of-concept exploit exists on GitHub, though no KEV listing indicates broad active exploitation at time of analysis.

XSS PHP Language System
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Reflected XSS in Guardian Language-System's text_file.php allows an authenticated attacker to inject arbitrary script tags into at least six distinct form action attributes (lines 94, 101, 323, 403, 826, 852) by crafting a malicious URL with a payload in the id GET parameter. When a second authenticated victim is socially engineered into following the crafted link, the script executes within their browser session against the Guardian Language-System origin, enabling session token theft or unauthorized actions on the victim's behalf. A publicly available proof-of-concept exploit exists on GitHub; no CISA KEV listing has been identified, meaning active exploitation is not confirmed at time of analysis.

XSS PHP Language System
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Reflected XSS in Guardian language-system's designer.php allows authenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session by crafting a malicious URL. The `name` GET parameter is echoed unsanitized directly into an HTML input value attribute at line 57, enabling classic reflected cross-site scripting. A publicly available proof-of-concept exploit exists on GitHub (via VulnCheck advisory); the vulnerability is not currently listed in CISA KEV, and real-world impact is constrained by the requirement for victim interaction and authentication.

XSS PHP Language System
NVD GitHub
EPSS 0%
NONE PATCH Awaiting Data

Cross-site scripting in Wikimedia Foundation MediaWiki and the CentralAuth extension allows authenticated low-privileged users to inject malicious scripts into rendered wiki pages or API output through unsanitized input in API formatting, ResourceLoader module handling, page display hooks, and permission change log formatting. Affected versions span all releases of both products prior to the 1.46.0, 1.45.4, 1.44.6, and 1.43.9 patch series. No public exploit code or CISA KEV listing has been identified at time of analysis, though the five affected PHP files suggest a broad attack surface across core MediaWiki subsystems.

XSS PHP Mediawiki +1
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Stored cross-site scripting in the Wikimedia Foundation Timeline extension exposes MediaWiki installations to session hijacking and credential theft. The flaw exists in Timeline.php and EasyTimeline.pl, where user-supplied timeline markup syntax is not properly neutralized before HTML output, allowing an authenticated wiki editor to inject arbitrary JavaScript executed in other users' browsers. No public exploit has been identified at time of analysis, and KEV listing is absent, but the network-accessible nature and low-privilege entry point make this a credible risk on publicly editable wikis.

XSS PHP Timeline
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting in the Wikimedia Foundation SyntaxHighlight_GeSHi MediaWiki extension allows authenticated users to inject unsanitized input via the syntax highlighting interface, with malicious script executing in victims' browsers upon page view. The flaw originates in includes/SyntaxHighlight.php and affects all versions prior to branch-specific fixes at 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality impact scoped to the vulnerable system.

XSS PHP Syntaxhighlight Geshi
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting in MediaWiki's JavaScript API client layer (resources/src/mediawiki.Api/index.js) allows network-accessible, unauthenticated attackers to inject malicious scripts that execute in a victim's browser upon user interaction. All MediaWiki deployments prior to versions 1.43.9, 1.44.6, 1.45.4, and 1.46.0 are affected, covering a broad range of wiki installations worldwide. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity and lack of authentication requirement elevate concern for public-facing deployments.

XSS Mediawiki
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Cross-site scripting vulnerabilities across multiple log formatter and language components in MediaWiki allow authenticated low-privilege users to inject malicious JavaScript that executes in the browser of any user who views affected log pages or the SpecialVersion special page. The vulnerability spans seven PHP files covering block, patrol, rename-user, and tag log formatters, the base LogFormatter, the Language class, and SpecialVersion - indicating widespread unsanitized output rendering in administrative and logging interfaces. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the breadth of affected components and the multiple concurrent fix branches (1.43.9, 1.44.6, 1.45.4, 1.46.0) signal a significant audit-driven remediation effort.

XSS PHP Mediawiki
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Cross-site scripting in MediaWiki's ApiSandbox component (ApiSandboxLayout.js) allows an authenticated attacker to inject malicious JavaScript that executes in the browser of a victim who interacts with a crafted ApiSandbox page. Only MediaWiki 1.46.0-rc.0 is confirmed affected; the 1.46.0 stable release resolves the flaw, meaning real-world exposure is limited to deployments running the release candidate. No public exploit code or active exploitation has been identified at time of analysis.

XSS Mediawiki
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Cross-site scripting in the Wikimedia Foundation CheckUser extension (versions 1.46.0-rc.0 up to but not including 1.46.0) allows a high-privileged attacker to inject malicious scripts via the blockConnectedTempAccountsField Vue component used in the Temporary Accounts blocking workflow. Exploitation requires both elevated CheckUser-level privileges and active user interaction from another party, materially constraining real-world risk. No public exploit code exists and this CVE is not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis.

XSS Checkuser
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inject persistent malicious scripts into application content that execute in the browsers of other users who subsequently view the affected page. The CVSS scope change indicator (S:C) reflects that the injected payload breaks out of the application's security boundary into the victim's browser context, enabling session hijacking or unauthorized actions. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was disclosed by TR-CERT with a corresponding patch available.

XSS Divvydrive
NVD VulDB
EPSS 0%
NONE PATCH Awaiting Data

Cross-site scripting in MediaWiki's Special:Block Vue.js component allows a high-privileged user - such as a wiki administrator - to inject malicious scripts that execute in the browsers of other users who subsequently view the affected block interface output. The vulnerability is isolated to the `SpecialBlock.Vue` frontend component, gating exploitation behind administrative access. No public exploit has been identified at time of analysis, and no patch version has been confirmed from available data.

XSS Mediawiki
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users who view affected pages. The CVSS scope change (S:C) reflects that injected scripts operate outside the application's security boundary, enabling session hijacking or credential theft against higher-privileged victims such as administrators. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and cross-scope impact make this a meaningful lateral escalation risk within DivvyDrive deployments.

XSS Divvydrive
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in MyComplianceOffice MCO version 25.3.3.1 allows a privileged attacker with logo-upload rights to plant malicious JavaScript inside a crafted SVG file that executes in any user's browser when the application logo is rendered. Reported by CERT-PL, vendor contact was unsuccessful, leaving no official patch or advisory in place. No public exploit code has been identified at time of analysis, though the SVG-based XSS technique is well-documented and trivially replicable against unpatched instances.

XSS Mco
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in Eclipse Open VSX Registry (versions 0.1.0 through before 1.0.2) allows an attacker who self-registers a publisher account to upload a VSIX containing malicious HTML that the /vscode/unpkg/ endpoint serves inline as text/html within the open-vsx.org origin, with no Content-Security-Policy or Content-Disposition: attachment header. When a logged-in victim is lured to the resulting URL, the script runs in the registry's origin and can steal session tokens, mint Personal Access Tokens, and publish trojanized extension versions - turning a single XSS into a supply-chain compromise of VS Code, VSCodium, Cursor, and Windsurf users. No public exploit is identified at time of analysis and EPSS risk is low (0.17%), but the downstream blast radius is severe.

XSS Eclipse Open Vsx Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. No public exploit identified at time of analysis; the issue was reported by Wordfence and carries a CVSS 7.2 with a changed scope.

WordPress XSS Nex Forms Ultimate Forms Plugin For Wordpress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributor-level authenticated attackers to inject persistent JavaScript payloads via the unsanitized 'subtext' parameter of the [photo] shortcode. The CVSS scope change (S:C) is the critical amplifier: a low-privileged contributor can embed malicious shortcodes in posts submitted for editorial review, causing the stored payload to execute in administrator browser sessions when the content is previewed - enabling session hijacking and potential full site takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and common WordPress contributor registration practices make this a realistic threat on affected installations.

WordPress XSS Wp Photo Album Plus
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.12) allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers by tricking them into clicking a crafted URL. The vulnerable `layoutstyle` parameter is insufficiently sanitized before being rendered in the roomslist view template, enabling session hijacking, credential theft, or malicious redirects against authenticated site users such as hotel administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and a patched version (1.8.13) is available per plugin Trac references.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.60) allows authenticated contributors to persistently inject arbitrary JavaScript via the `no_data_msg` shortcode attribute, executing in any subsequent visitor's browser context. The vulnerability exploits a bypass in WordPress's `wp_kses_post` sanitization: the filter strips disallowed HTML tokens at save time but does not neutralize C-style escape sequences embedded in shortcode attribute values, which are silently reconstructed into raw `<script>` tags at render time. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the deliberate evasion technique elevates risk on multi-contributor WordPress deployments.

WordPress XSS Download Manager
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. No CISA KEV listing or public exploit code has been identified at time of analysis, but the Wordfence advisory includes precise code-level references that substantially lower the bar for independent reproduction.

WordPress XSS Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the User Submitted Posts WordPress plugin before version 20260608 enables unauthenticated attackers to inject persistent malicious scripts into admin-configured display templates. The vulnerability is only reachable when a site administrator has enabled a non-default display option in the plugin settings, limiting its real-world exposure. A publicly available proof-of-concept exploit exists per WPScan, though no active exploitation has been confirmed by CISA KEV at time of analysis.

WordPress XSS User Submitted Posts
NVD WPScan VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in JetWidgets For Elementor (versions up to and including 1.0.21) allows authenticated WordPress users holding author-level access or higher to plant persistent JavaScript payloads by supplying unsanitized input to the Animated Box widget's animation_effect parameter, which is written directly into an HTML class attribute without output escaping or server-side validation. Any site visitor who loads an injected page triggers the payload, enabling session hijacking, credential theft, or administrative account takeover through privilege escalation within the victim's browser context. No public exploit has been identified at time of analysis and the CVE does not appear in CISA KEV; however, a fix has been committed to the WordPress plugin repository.

WordPress XSS Jetwidgets For Elementor
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the low authentication bar (Contributor) makes this a meaningful risk on multi-author WordPress sites.

WordPress XSS Event Organiser
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but the unauthenticated, no-configuration-required attack path makes it materially exploitable against default installs.

WordPress XSS Custom Payment Gateways For Woocommerce
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stored cross-site scripting in the Wikimedia Foundation's MediaWiki Cargo Extension (all versions before 3.9.1) allows attackers to inject persistent malicious scripts into wiki pages rendered through the Cargo data-display system. The CVSS 4.0 vector carries E:A (evidence of active exploitation), elevating this beyond a theoretical risk. Successful exploitation enables session hijacking, credential theft, and in-browser payload delivery against any user who views an affected Cargo-rendered page.

XSS Mediawiki Cargo Extension
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized `align` attribute of the `[video_player]` shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis, though the stored nature of this XSS amplifies real-world risk relative to reflected variants.

WordPress XSS Fv Flowplayer Video Player
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in Wp Google Places Review Slider (WordPress plugin, versions ≤ 18.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `place` GET parameter in `admin/partials/googlecrawl_dfs.php`. The raw user input is URL-decoded and passed through `stripslashes()` before being echoed directly into an HTML value attribute — bypassing WordPress's standard `esc_attr()` — but only when the supplied place value is not already present as a key in the `wprev_google_crawls` stored option. No public exploit identified at time of analysis; successful exploitation requires tricking an authenticated WordPress administrator into clicking a specially crafted link.

WordPress XSS PHP +2
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated attackers holding author-level or higher WordPress roles to inject persistent malicious scripts via the Lesson Attachment Title field. The injected payload is stored in the WordPress database and executes in the browser of any user who subsequently accesses a course page rendering the attachment - achieving a scope change from the plugin's context into the victim's browsing session. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references to the vulnerable rendering path, lowering the barrier to exploitation.

WordPress XSS Tutor Lms Elearning And Online Course Solution
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'meta[kaliforms_field_components]' parameter. Any WordPress user who subsequently visits a page containing the injected form will execute the attacker's script in their browser, making session hijacking, credential theft, and admin account takeover realistic outcomes. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege bar (contributor) makes this a realistic risk on multi-author WordPress sites.

WordPress XSS Kali Forms Contact Form Drag And Drop Builder
NVD
EPSS 0% CVSS 7.2
HIGH POC This Week

Stored cross-site scripting in the WPBot AI ChatBot for WordPress (all versions through 8.4.9) lets unauthenticated attackers persist arbitrary JavaScript through the 'conversation' parameter, which later executes when the injected page is viewed - most notably by an administrator opening the chat-session reports in wp-admin. Because the AJAX nonce that guards the save endpoint is publicly emitted on every frontend page via wp_localize_script, any anonymous visitor can obtain it, so there is effectively no barrier to injection. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; risk stems from ease of exploitation rather than confirmed in-the-wild abuse.

WordPress XSS Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. Any visitor loading an injected page will have the malicious script execute in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Mozilla Thunderbird XSS
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

Google XSS Suse
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's CSS implementation prior to 150.0.7871.47 allows a remote attacker to inject arbitrary scripts or HTML by luring a user to a crafted web page, with the scope change (S:C) in the CVSS vector indicating potential Same-Origin Policy bypass affecting other loaded origins. No public exploit or active exploitation is identified at time of analysis - EPSS sits at 0.17% (6th percentile) and SSVC exploitation status is rated 'none.' A vendor-released patch is available in stable channel 150.0.7871.47.

XSS Google Suse
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Extensions implementation (all versions prior to 150.0.7871.47) enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to render deceptive UI elements through a crafted HTML page, potentially misleading users into unintended interactions. The vulnerability carries a CVSS 5.4 Medium score, though Chromium's internal rating is Low, and the EPSS score of 0.18% (8th percentile) reflects minimal exploitation probability. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

XSS Google Suse
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Chrome's Omnibox on iOS enables remote attackers to inject arbitrary scripts or HTML across security origins by luring users into performing specific UI gestures on a crafted page. Affected versions are Chrome for iOS prior to 150.0.7871.47; the desktop channel is not affected. No public exploit code or active exploitation has been identified at time of analysis, and EPSS sits at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating despite the scope-changed CVSS vector.

XSS Apple Google +1
NVD
Prev Page 5 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy