Latest CVE Feed
-
6.5
MEDIUMCVE-2026-0572
The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unaut... Read more
Affected Products :- Published: Feb. 04, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2026-24447
If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note ... Read more
Affected Products :- Published: Feb. 04, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2026-23704
A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL),... Read more
Affected Products :- Published: Feb. 04, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2026-24361
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS.This issue affects LearnPress – Course Review: from n/a throu... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2026-24585
Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hyyan WooCommerce Polylang Integration: from n/a... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-13431
The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on th... Read more
Affected Products :- Published: Feb. 11, 2026
- Modified: Feb. 11, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2026-25036
Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Passster: from n/a through <= 4.2.25.... Read more
Affected Products :- Published: Feb. 03, 2026
- Modified: Feb. 12, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2026-1942
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s_curation_draft AJAX action in all versions up to, and including, 8.7.4. The curationDr... Read more
Affected Products : blog2social- Published: Feb. 18, 2026
- Modified: Feb. 18, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2026-20800
Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifi... Read more
Affected Products : gitea- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-69055
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder allows Path Traversal.This issue affects BM Content Builder: from n/a before 3.16.3.3.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Feb. 17, 2026
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2026-2682
A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/PublicReport/prinReport.html?token=java. Such manipulation of the argument comid leads to sql injecti... Read more
Affected Products :- Published: Feb. 18, 2026
- Modified: Feb. 19, 2026
- Vuln Type: Injection
-
6.4
MEDIUMCVE-2025-14941
The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input s... Read more
Affected Products :- Published: Jan. 24, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
6.4
MEDIUMCVE-2019-25315
WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when vie... Read more
Affected Products :- Published: Feb. 11, 2026
- Modified: Feb. 11, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2026-1808
The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to, and including, 0.7 due to insufficient input sanitiza... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2020-37019
Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source paramete... Read more
Affected Products :- Published: Jan. 30, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2021-47917
Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and editUser modules to inject persistent scripts that execute... Read more
Affected Products : simple_cms_php- Published: Feb. 01, 2026
- Modified: Feb. 11, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2020-37014
Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which exec... Read more
Affected Products : tryton- Published: Jan. 30, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-12117
The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with... Read more
Affected Products :- Published: Feb. 19, 2026
- Modified: Feb. 19, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2021-47912
PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially... Read more
Affected Products : php_melody- Published: Feb. 01, 2026
- Modified: Feb. 12, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-15522
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due ... Read more
Affected Products : uncanny_automator- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cross-Site Scripting