Total
42491 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27094 | 2 Godaddy, Wordpress | 2 Coblocks, Wordpress | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoDaddy CoBlocks coblocks allows Stored XSS.This issue affects CoBlocks: from n/a through <= 3.1.16. | ||||
| CVE-2026-27069 | 2 Pencidesign, Wordpress | 2 Soledad, Wordpress | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS.This issue affects Soledad: from n/a through <= 8.7.2. | ||||
| CVE-2026-24392 | 2 Nabil Lemsieh, Wordpress | 2 Hurrytimer, Wordpress | 2026-02-20 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through <= 2.14.2. | ||||
| CVE-2026-25432 | 2 Omnipressteam, Wordpress | 2 Omnipress, Wordpress | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in omnipressteam Omnipress omnipress allows Stored XSS.This issue affects Omnipress: from n/a through <= 1.6.7. | ||||
| CVE-2026-25463 | 2 Wordpress, Wpestate | 2 Wordpress, Wpresidence Core | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpEstate Wpresidence Core wpresidence-core allows Stored XSS.This issue affects Wpresidence Core: from n/a through <= 5.4.0. | ||||
| CVE-2025-14445 | 2 Le Van Toan, Wordpress | 2 Image Hotspot By Devvn, Wordpress | 2026-02-19 | 6.4 Medium |
| The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1373 | 2 Lawsonry, Wordpress | 2 Easy Author Image, Wordpress | 2026-02-19 | 6.4 Medium |
| The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13981 | 2 Artificial Intelligence Project, Drupal | 2 Artificial Intelligence, Ai | 2026-02-19 | 4.4 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. | ||||
| CVE-2026-0561 | 2 Paultgoodchild, Wordpress | 2 Shield: Blocks Bots, Protects Users, And Prevents Security Breaches, Wordpress | 2026-02-19 | 6.1 Medium |
| The Shield Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 21.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-14452 | 2 Bompus, Wordpress | 2 Wp Customer Reviews, Wordpress | 2026-02-19 | 7.2 High |
| The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-1044 | 2 Renoiriii, Wordpress | 2 Tennis Court Bookings, Wordpress | 2026-02-19 | 4.4 Medium |
| The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-0549 | 2 Itthinx, Wordpress | 2 Groups, Wordpress | 2026-02-19 | 6.4 Medium |
| The Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'groups_group_info' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-69749 | 2 Otale, Tale Project | 2 Tale Blog, Tale | 2026-02-19 | 6.1 Medium |
| Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. | ||||
| CVE-2025-14076 | 2 Icount, Wordpress | 2 Ixml – Google Xml Sitemap Generator, Wordpress | 2026-02-19 | 6.1 Medium |
| The iXML – Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-1043 | 2 Gagan0123, Wordpress | 2 Postmarkapp Email Integrator, Wordpress | 2026-02-19 | 4.4 Medium |
| The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address parameters. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. | ||||
| CVE-2025-13738 | 2 Magazine3, Wordpress | 2 Easy Table Of Contents, Wordpress | 2026-02-19 | 6.4 Medium |
| The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2019-25356 | 1 Bematech | 1 Mp-4200 | 2026-02-19 | 6.1 Medium |
| Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. Attackers can inject malicious scripts via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of arbitrary JavaScript in the context of an authenticated user's browser session. | ||||
| CVE-2026-25230 | 2 Error311, Filerise | 2 Filerise, Filerise | 2026-02-19 | 4.6 Medium |
| FileRise is a self-hosted web file manager / WebDAV server. Prior to 3.3.0, an HTML Injection vulnerability allows an authenticated user to modify the DOM and add e.g. form elements that call certain endpoints or link elements that redirect the user on active interaction. This vulnerability is fixed in 3.3.0. | ||||
| CVE-2026-25491 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-02-19 | 4.8 Medium |
| Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22. | ||||
| CVE-2026-25496 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-02-19 | 4.8 Medium |
| Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22. | ||||