Total CVEs

141,272

Critical Severity

3,795

High Severity

13,729

Last 7 Days

1,855
Quick preset (or use dates below)
Clear Filters
Showing 8,821 - 8,840 of 14,204 CVEs
CVE-2026-1914 MEDIUM - 6.4

The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping on the 'emailtext' attribute. This makes it possible for auth...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1911 MEDIUM - 6.4

The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweet_title' parameter in the 'TwitterFeeds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for a...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1908 MEDIUM - 6.4

The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotform' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1899 MEDIUM - 6.4

The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for a...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1891 MEDIUM - 6.4

The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmr_fb_scoreboard' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1889 MEDIUM - 6.4

The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1886 MEDIUM - 6.4

The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on the user-supplied ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1854 MEDIUM - 6.4

The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1851 MEDIUM - 6.4

The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' shortcode attribute in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contr...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1822 MEDIUM - 6.4

The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for au...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1806 MEDIUM - 6.4

The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This ma...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1647 MEDIUM - 6.1

The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to i...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1575 MEDIUM - 6.4

The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `itemscope` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1503 MEDIUM - 4.3

The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login_regi...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1397 MEDIUM - 6.4

The PQ Addons โ€“ Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Title widget. This mak...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1393 MEDIUM - 4.3

The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to upda...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1392 MEDIUM - 4.3

The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the sr_minify_html_theme() function. This makes it possible for unauthenticated attackers to update plugin settings via a forge...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1390 MEDIUM - 4.3

The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `countdown_settings_content()` function. This makes it possible for unauthenticated attackers to update the plugin setting...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1378 MEDIUM - 4.3

The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `cpt_plugin_options()` function. This makes it possible for unauthenticated attackers to update the plugin settings includi...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1278 MEDIUM - 4.4

The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions an...

Published: Mar 21, 2026
Source: NVD