CVEs from 2026
Total
13,988
critical
critical 1,213
high
high 4,564
medium
medium 4,407
low
low 482
% Critical
8.7%
% with KEV
0.4%
% with exploit
0.8%
Top vendors
Top products
- chrome 503
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 229
- openclaw 172
- commerce 104
- commerce_b2b 89
- saml_sso_-_service_provider 77
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-24379 | medium | 6.5 | 6.5 | 4mo ago | Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP… | |||
| CVE-2026-24361 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS.This issue affect… | |||
| CVE-2026-24355 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality allows Stored XSS.This issue a… | |||
| CVE-2026-22349 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS.This issue affects Menu In Post: from n/… | |||
| CVE-2026-1142 | medium | 6.5 | 6.5 | 4mo ago | A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be init… | |||
| CVE-2026-0571 | medium | 6.5 | 6.5 | 5mo ago | A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehouse\src\main\java… | |||
| CVE-2026-8885 | medium | 6.4 | 6.4 | 7h ago | The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insuf… | |||
| CVE-2026-4081 | medium | 6.4 | 6.4 | 7h ago | The ZeM STL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [zemstl] shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and ou… | |||
| CVE-2026-4080 | medium | 6.4 | 6.4 | 7h ago | The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization… | |||
| CVE-2026-2382 | medium | 6.4 | 6.4 | 7h ago | The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpw_fs_get_file' AJAX action in all versions up to, and including, 1.9.5. … | |||
| CVE-2026-3722 | medium | 6.4 | 6.4 | 13h ago | The Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment metadata in al… | |||
| CVE-2026-45285 | medium | 6.4 | 6.4 | 21h ago | Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes… | |||
| CVE-2026-25600 | medium | 6.4 | 6.4 | 1d ago | The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for … | |||
| CVE-2026-20454 | medium | 6.4 | 6.4 | 2d ago | In geniezone, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User in… | |||
| CVE-2026-9557 | medium | 6.4 | 6.4 | 4d ago | A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests f… | |||
| CVE-2026-9243 | medium | 6.4 | 6.4 | 4d ago | The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including… | |||
| CVE-2026-9714 | medium | 6.4 | 6.4 | 4d ago | The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [showmodule] shortcode in versions up to, and including, 1.2 This is due to i… | |||
| CVE-2026-6275 | medium | 6.4 | 6.4 | 4d ago | The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on… | |||
| CVE-2026-44462 | medium | 6.4 | 6.4 | 5d ago | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowliste… | |||
| CVE-2026-4334 | medium | 6.4 | 6.4 | 5d ago | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insuf… | |||
| CVE-2026-6427 | medium | 6.4 | 6.4 | 5d ago | The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HT… | |||
| CVE-2026-9644 | medium | 6.4 | 6.4 | 5d ago | The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due … | |||
| CVE-2026-8042 | medium | 6.4 | 6.4 | 6d ago | The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to in… | |||
| CVE-2026-3895 | medium | 6.4 | 6.4 | 6d ago | The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to… | |||
| CVE-2026-2030 | medium | 6.4 | 6.4 | 6d ago | The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versio… | |||
| CVE-2026-3896 | medium | 6.4 | 6.4 | 6d ago | The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing auth… | |||
| CVE-2026-3897 | medium | 6.4 | 6.4 | 6d ago | The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missi… | |||
| CVE-2026-8884 | medium | 6.4 | 6.4 | 6d ago | The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sa… | |||
| CVE-2026-8867 | medium | 6.4 | 6.4 | 6d ago | The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to in… | |||
| CVE-2026-8899 | medium | 6.4 | 6.4 | 6d ago | The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input saniti… | |||
| CVE-2026-8040 | medium | 6.4 | 6.4 | 6d ago | The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insuffi… | |||
| CVE-2026-8886 | medium | 6.4 | 6.4 | 6d ago | The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitizatio… | |||
| CVE-2026-8847 | medium | 6.4 | 6.4 | 6d ago | The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on th… | |||
| CVE-2026-8844 | medium | 6.4 | 6.4 | 6d ago | The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitiza… | |||
| CVE-2026-8875 | medium | 6.4 | 6.4 | 6d ago | The Easy Prism Syntax Highlighter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'code' (and 'c') shortcode in versions up to, and including, 1.0.2. This is due to… | |||
| CVE-2026-8894 | medium | 6.4 | 6.4 | 6d ago | The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `iwrtooltip` shortcode in versions up to, and including, 1.0. This is due to insufficient input sani… | |||
| CVE-2026-8845 | medium | 6.4 | 6.4 | 6d ago | The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input san… | |||
| CVE-2026-8873 | medium | 6.4 | 6.4 | 6d ago | The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and… | |||
| CVE-2026-8846 | medium | 6.4 | 6.4 | 6d ago | The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and o… | |||
| CVE-2026-8891 | medium | 6.4 | 6.4 | 6d ago | The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitizat… | |||
| CVE-2026-8871 | medium | 6.4 | 6.4 | 6d ago | The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input s… | |||
| CVE-2026-8048 | medium | 6.4 | 6.4 | 6d ago | The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 d… | |||
| CVE-2026-8872 | medium | 6.4 | 6.4 | 6d ago | The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insuffici… | |||
| CVE-2026-8869 | medium | 6.4 | 6.4 | 6d ago | The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input … | |||
| CVE-2026-8898 | medium | 6.4 | 6.4 | 6d ago | The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitizati… | |||
| CVE-2026-8866 | medium | 6.4 | 6.4 | 6d ago | The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input… | |||
| CVE-2026-8701 | medium | 6.4 | 6.4 | 6d ago | The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. Th… | |||
| CVE-2026-8887 | medium | 6.4 | 6.4 | 6d ago | The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization… | |||
| CVE-2026-8897 | medium | 6.4 | 6.4 | 6d ago | The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and… | |||
| CVE-2026-8870 | medium | 6.4 | 6.4 | 6d ago | The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insuff… | |||
| CVE-2026-8702 | medium | 6.4 | 6.4 | 6d ago | The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in… | |||
| CVE-2026-8842 | medium | 6.4 | 6.4 | 6d ago | The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sani… | |||
| CVE-2026-8703 | medium | 6.4 | 6.4 | 6d ago | The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and ou… | |||
| CVE-2026-8868 | medium | 6.4 | 6.4 | 6d ago | The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient inpu… | |||
| CVE-2026-8698 | medium | 6.4 | 6.4 | 6d ago | The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode(… | |||
| CVE-2026-8837 | medium | 6.4 | 6.4 | 6d ago | The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insuffi… | |||
| CVE-2026-8877 | medium | 6.4 | 6.4 | 6d ago | The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem_video' shortcode in versions up to, and including, 0.1. This is due to insufficient input … | |||
| CVE-2026-9022 | medium | 6.4 | 6.4 | 7d ago | The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitizatio… | |||
| CVE-2026-6565 | medium | 6.4 | 6.4 | 7d ago | The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endp… | |||
| CVE-2026-9104 | medium | 6.4 | 6.4 | 11d ago | The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output esc… | |||
| CVE-2026-7509 | medium | 6.4 | 6.4 | 11d ago | The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to, and including, 4.0.… | |||
| CVE-2026-7890 | medium | 6.4 | 6.4 | 12d ago | In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CM… | |||
| CVE-2026-7887 | medium | 6.4 | 6.4 | 12d ago | For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and r… | |||
| CVE-2026-44056 | medium | 6.4 | 6.4 | 12d ago | A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data. | |||
| CVE-2026-1543 | medium | 6.4 | 6.4 | 12d ago | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitizatio… | |||
| CVE-2026-9087 | medium | 6.4 | 6.4 | 13d ago | A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream… | |||
| CVE-2026-2955 | medium | 6.4 | 6.4 | 13d ago | The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insuffi… | |||
| CVE-2026-8038 | medium | 6.4 | 6.4 | 14d ago | The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 … | |||
| CVE-2026-6549 | medium | 6.4 | 6.4 | 14d ago | The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the `vc_enamad_namad`, `vc_enamad_shamed`, and `vc_enamad_custom` shortcodes… | |||
| CVE-2026-6397 | medium | 6.4 | 6.4 | 14d ago | The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `cvmh-sticky` shortcode `readmoretext` attribute in versions up to and including 2.5.6. This is due to insufficien… | |||
| CVE-2026-5293 | medium | 6.4 | 6.4 | 14d ago | The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing autho… | |||
| CVE-2026-6415 | medium | 6.4 | 6.4 | 18d ago | The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input validation of JSON … | |||
| CVE-2026-6646 | medium | 6.4 | 6.4 | 18d ago | The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dt_default_button' shortcode in all versions up to, and including, 14.3.2. This is due to insufficient input sanitiz… | |||
| CVE-2026-6504 | medium | 6.4 | 6.4 | 19d ago | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to insuffic… | |||
| CVE-2026-6174 | medium | 6.4 | 6.4 | 19d ago | The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'more' parameter in all versions up to, and including, 2.1.1 due to insufficient input sanitization and ou… | |||
| CVE-2026-6252 | medium | 6.4 | 6.4 | 19d ago | The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitiza… | |||
| CVE-2026-3694 | medium | 6.4 | 6.4 | 19d ago | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt_bb_button shortcode in all versions up to, and including, 5.6.8. This is due… | |||
| CVE-2026-5243 | medium | 6.4 | 6.4 | 19d ago | The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to stored cross-site scripting via the `menu_hover_click` … | |||
| CVE-2026-5361 | medium | 6.4 | 6.4 | 19d ago | The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in th… | |||
| CVE-2026-3004 | medium | 6.4 | 6.4 | 20d ago | The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-slick' attribute in all versions up to, and including, 24.1.11 due to insufficient input sanitiz… | |||
| CVE-2026-6962 | medium | 6.4 | 6.4 | 20d ago | The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_cog_product_cost' and 'alg_wc_cog_produc… | |||
| CVE-2026-6828 | medium | 6.4 | 6.4 | 20d ago | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'permission_message' parameter in … | |||
| CVE-2026-7661 | medium | 6.4 | 6.4 | 21d ago | The Bootstrap Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `box` shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitiza… | |||
| CVE-2026-7659 | medium | 6.4 | 6.4 | 21d ago | The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `social` shortcode in all versions up to, and including, 1.2. This is due to insufficient inp… | |||
| CVE-2026-6913 | medium | 6.4 | 6.4 | 21d ago | The Shortcodely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'widget_area' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization an… | |||
| CVE-2026-6256 | medium | 6.4 | 6.4 | 21d ago | The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficie… | |||
| CVE-2026-6247 | medium | 6.4 | 6.4 | 21d ago | The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due… | |||
| CVE-2026-6237 | medium | 6.4 | 6.4 | 21d ago | The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, and including, 1.0.0 due to insufficient inp… | |||
| CVE-2026-5715 | medium | 6.4 | 6.4 | 21d ago | The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insuffic… | |||
| CVE-2026-5340 | medium | 6.4 | 6.4 | 21d ago | The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fancy-img-show` shortcode in all versions up to, and including, 9.1 due to insufficient input … | |||
| CVE-2026-4920 | medium | 6.4 | 6.4 | 21d ago | The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization … | |||
| CVE-2026-4859 | medium | 6.4 | 6.4 | 21d ago | The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up to, and including, 1.0.0 du… | |||
| CVE-2026-2300 | medium | 6.4 | 6.4 | 21d ago | The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-base… | |||
| CVE-2026-41591 | medium | 6.4 | 6.4 | 25d ago | Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping | |||
| CVE-2026-7650 | medium | 6.4 | 6.4 | 25d ago | The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode in all versions up to, and includi… | |||
| CVE-2026-7475 | medium | 6.4 | 6.4 | 25d ago | The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom p… | |||
| CVE-2026-5341 | medium | 6.4 | 6.4 | 25d ago | The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insuffi… | |||
| CVE-2026-20169 | medium | 6.4 | 6.4 | 27d ago | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to access files and execute commands on a r… | |||
| CVE-2026-7457 | medium | 6.4 | 6.4 | 27d ago | The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profi… | |||
| CVE-2026-6672 | medium | 6.4 | 6.4 | 27d ago | The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to… |