CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
High likelihood
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,858 vulnerabilities with CWE-79
CVE-2026-39500
MEDIUM
WordPress themesflat-addons-for-elementor plugin <= 2.3.2 - Cross Site Scripting (XSS) vulnerability
CVSS 6.5
CVE-2026-39483
MEDIUM
WordPress VK All in One Expansion Unit plugin <= 9.113.3 - Cross Site Scripting (XSS) vulnerability
CVSS 6.5
CVE-2026-39482
MEDIUM
WordPress Post Expirator plugin <= 4.9.4 - Cross Site Scripting (XSS) vulnerability
CVSS 6.5
CVE-2026-1396
MEDIUM
Magic Conversation For Gravity Forms <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-4655
MEDIUM
Element Pack Addons for Elementor <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget
CVSS 6.4
CVE-2026-5508
MEDIUM
WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-5506
MEDIUM
Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-5169
MEDIUM
Inquiry form to posts or pages <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field
CVSS 4.4
CVE-2026-4871
MEDIUM
Sports Club Management <= 1.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute
CVSS 6.4
CVE-2026-3618
MEDIUM
Columns by BestWebSoft <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute
CVSS 6.4
CVE-2026-3142
MEDIUM
Pinterest Site Verification plugin using Meta Tag <= 1.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'post_var'
CVSS 6.4
CVE-2026-2838
MEDIUM
Whole Enquiry Cart for WooCommerce <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter
CVSS 4.4
CVE-2026-3311
MEDIUM
The Plus Addons for Elementor < 6.4.9 - Authenticated Stored Cross-Site Scripting via Progress Bar Shortcode
CVSS 6.4
CVE-2026-27787
MEDIUM
MATCHA SNS <= 1.3.9 - Cross-Site Scripting
CVSS 5.4
CVE-2026-4785
MEDIUM
LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS 6.4
CVE-2026-4341
MEDIUM
Prime Slider <= 4.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter
CVSS 6.4
CVE-2026-4333
MEDIUM
LearnPress <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute
CVSS 6.4
CVE-2026-3600
MEDIUM
Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute
CVSS 6.4
CVE-2026-3513
MEDIUM
TableOn – WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute
CVSS 6.4
CVE-2026-3239
MEDIUM
Strong Testimonials <= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode
CVSS 6.4
CVE-2026-4379
MEDIUM
LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute
CVSS 6.4
CVE-2026-2988
MEDIUM
Blubrry PowerPress <= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes
CVSS 6.4
CVE-2026-32289
MEDIUM
JsBraceDepth Context Tracking Bugs (XSS) in html/template
CVSS 6.1
CVE-2026-4406
MEDIUM
Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter
CVSS 4.7
CVE-2026-4394
MEDIUM
Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field
CVSS 6.1
Details
Vulnerabilities: 44,858
Exploit Likelihood: High