Export limit exceeded: 362508 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 47037 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47037 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-56040 2 Wordpress, Wordpress.com 2 Wordpress, Gutenverse Form 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Gutenverse Form <= 2.4.7 versions.
CVE-2026-56047 2 Perfmatters, Powered Kinsta + Generatepress Docs Changelog Feature Requests Legal Affiliate Contact, Wordpress 2 Perfmatters, Wordpress 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.3 versions.
CVE-2026-57325 2 Jellywp, Wordpress 2 Nanomag, Wordpress 2026-06-29 7.1 High
Unauthenticated Cross Site Scripting (XSS) in NanoMag <= 1.8 versions.
CVE-2026-57618 2 Themeisle, Wordpress 2 Neve Pro, Wordpress 2026-06-29 6.5 Medium
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
CVE-2026-57638 2 Wordpress, Wpmanageninja 2 Wordpress, Fluent Booking 2026-06-29 6.5 Medium
Contributor Cross Site Scripting (XSS) in Fluent Booking <= 2.1.0 versions.
CVE-2026-57651 2 Nk, Wordpress 2 Ghost Kit, Wordpress 2026-06-29 6.5 Medium
Contributor Cross Site Scripting (XSS) in Ghost Kit <= 3.6.0 versions.
CVE-2026-57656 2 Peregrinethemes, Wordpress 2 Hester Core, Wordpress 2026-06-29 5.9 Medium
Author Cross Site Scripting (XSS) in Hester Core <= 1.1.8 versions.
CVE-2026-31928 1 Daktronics 3 Dmp-5000, Dmp-8000, Vfc-dmp-5000 2026-06-29 8.1 High
The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.
CVE-2026-13335 2 Codepeople, Wordpress 2 Codepeople Post Map For Google Maps, Wordpress 2026-06-29 6.4 Medium
The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-13245 2 Maxfoundry, Wordpress 2 Maxbuttons – Create Buttons, Wordpress 2026-06-29 6.1 Medium
The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2026-9677 2 Shariff For Wordpress, Wordpress 2 Shariff For Wordpress, Wordpress 2026-06-29 4.8 Medium
The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2026-11597 2 Surbma, Wordpress 2 Surbma | Infusionsoft Shortcode, Wordpress 2026-06-29 6.4 Medium
The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode attributes in the surbma_infusionsoft_shortcode_shortcode() function, which are concatenated directly into a <script> tag's src attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-10083 2 Apcu Manager, Wordpress 2 Apcu Manager, Wordpress 2026-06-29 7.5 High
The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.
CVE-2026-6658 1 Jupyter 1 Jupyter Server 2026-06-29 5.4 Medium
A vulnerability in jupyter/nbconvert versions <= 7.17.0 allows for Cross-site Scripting (XSS) via unsanitized `text/vnd.mermaid` output in HTML exports. The `data_mermaid` block in `share/templates/lab/base.html.j2` renders `text/vnd.mermaid` cell output directly into HTML without escaping, enabling attackers to inject arbitrary HTML/JavaScript by breaking out of the `<pre>` tag. This vulnerability impacts any server using nbconvert to render notebooks as HTML, allowing attackers to execute arbitrary JavaScript in the context of users viewing the HTML export.
CVE-2026-57620 2 Timstrifler, Wordpress 2 Exclusive Addons For Elementor, Wordpress 2026-06-29 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.8.
CVE-2026-56046 2 Cridio, Wordpress 2 Listingpro, Wordpress 2026-06-29 6.5 Medium
Subscriber Cross Site Scripting (XSS) in ListingPro <= 2.9.11 versions.
CVE-2026-57431 2 Mer.vin, Wordpress 2 Featured Image, Wordpress 2026-06-29 6.5 Medium
Author Cross Site Scripting (XSS) in Featured Image <= 2.1 versions.
CVE-2026-53427 1 Leandrocp 2 Mdex, Mdex Native 2026-06-29 N/A
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown. When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML. An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required. The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched. This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
CVE-2026-11356 2 Vinod-dalvi, Wordpress 2 Ivory Search – Wordpress Search Plugin, Wordpress 2026-06-29 4.4 Medium
The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-4610 2 Metagauss, Wordpress 2 Profilegrid – User Profiles, Groups And Communities, Wordpress 2026-06-29 6.4 Medium
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to, and including, 5.9.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 5.9.8.5.