Total
38585 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8149 | 3 Athemes, Elementor, Wordpress | 3 Athemes Addons For Elementor, Elementor, Wordpress | 2025-09-08 | 6.4 Medium |
| The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2019-25225 | 1 Apostrophecms | 1 Sanitize-html | 2025-09-08 | 6.1 Medium |
| `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code. | ||||
| CVE-2025-6067 | 2025-09-08 | 6.4 Medium | ||
| The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` and `data-linktext` parameters in all versions up to, and including, 6.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6757 | 1 Wordpress | 1 Wordpress | 2025-09-08 | 6.4 Medium |
| The Recent Posts Widget Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rpwe' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8360 | 2025-09-08 | 6.4 Medium | ||
| The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's widgets in all versions up to, and including, 1.5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8564 | 3 Elementor, Sonalsinha21, Wordpress | 3 Elementor, Skt Addons For Elementor, Wordpress | 2025-09-08 | 6.4 Medium |
| The SKT Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-9849 | 1 Wordpress | 1 Wordpress | 2025-09-08 | 5.3 Medium |
| The Html Social share buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zm_sh_btn' shortcode in all versions up to, and including, 2.1.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-58825 | 1 Wordpress | 1 Wordpress | 2025-09-08 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP – Customize Default Comment Form allows Stored XSS. This issue affects Comment Form WP – Customize Default Comment Form: from n/a through 2.0.0. | ||||
| CVE-2025-58823 | 1 Wordpress | 1 Wordpress | 2025-09-08 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The African Boss Get Cash allows Stored XSS. This issue affects Get Cash: from n/a through 3.2.2. | ||||
| CVE-2025-58822 | 2025-09-08 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail allows DOM-Based XSS. This issue affects WP Mail: from n/a through 1.3. | ||||
| CVE-2025-58805 | 2025-09-08 | 5.9 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Widgetize Pages Light allows Stored XSS. This issue affects Widgetize Pages Light: from n/a through 3.0. | ||||
| CVE-2025-9845 | 2 Carmelo, Code-projects | 2 Fruit Shop Management System, Fruit Shop Management System | 2025-09-08 | 3.5 Low |
| A vulnerability has been found in code-projects Fruit Shop Management System 1.0. Affected by this vulnerability is an unknown functionality of the file products.php. Such manipulation of the argument product_code/gen_name/product_name/supplier leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-58876 | 1 Wordpress | 1 Wordpress | 2025-09-07 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ali Aghdam Aparat Video Shortcode allows Stored XSS. This issue affects Aparat Video Shortcode: from n/a through 0.2.4. | ||||
| CVE-2025-58784 | 2 Ari-soft, Wordpress | 2 Ari Fancy Lightbox, Wordpress | 2025-09-07 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft ARI Fancy Lightbox allows Stored XSS. This issue affects ARI Fancy Lightbox: from n/a through 1.4.0. | ||||
| CVE-2025-58838 | 1 Wordpress | 1 Wordpress | 2025-09-07 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zakir Smooth Accordion allows Stored XSS. This issue affects Smooth Accordion: from n/a through 2.1. | ||||
| CVE-2025-58882 | 1 Wordpress | 1 Wordpress | 2025-09-07 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in w1zzard Simple Text Slider allows Stored XSS. This issue affects Simple Text Slider: from n/a through 1.0.5. | ||||
| CVE-2025-58886 | 1 Wordpress | 1 Wordpress | 2025-09-07 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tan Nguyen Instant Locations allows Stored XSS. This issue affects Instant Locations: from n/a through 1.0. | ||||
| CVE-2025-58871 | 1 Wordpress | 1 Wordpress | 2025-09-07 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Luis Rock Master Paper Collapse Toggle allows Stored XSS. This issue affects Master Paper Collapse Toggle: from n/a through 1.1. | ||||
| CVE-2025-58842 | 1 Wordpress | 1 Wordpress | 2025-09-07 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in givecloud Donation Forms WP by Givecloud allows Stored XSS. This issue affects Donation Forms WP by Givecloud: from n/a through 1.0.9. | ||||
| CVE-2025-58874 | 2 Josepsitjar, Wordpress | 2 Storymap, Wordpress | 2025-09-07 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in josepsitjar StoryMap allows DOM-Based XSS. This issue affects StoryMap: from n/a through 2.1. | ||||