CWE-79
High likelihoodImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,894 vulnerabilities with CWE-79
CVE-2026-4022
MEDIUM
Show Posts list <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS 6.4
CVE-2026-3997
MEDIUM
Text Toggle <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
CVSS 6.4
CVE-2026-3996
MEDIUM
WP Games Embed <= 0.1beta - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-3619
MEDIUM
Sheets2Table <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titles' Shortcode Attribute
CVSS 6.4
CVE-2026-3617
MEDIUM
Paypal Shortcodes <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' and 'name' Shortcode Attributes
CVSS 6.4
CVE-2026-3554
MEDIUM
Sherk Custom Post Type Displays <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
CVSS 6.4
CVE-2026-3354
MEDIUM
Wikilookup <= 1.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Popup Width' Setting
CVSS 4.4
CVE-2026-3353
MEDIUM
Comment SPAM Wiper <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting
CVSS 4.4
CVE-2026-3347
MEDIUM
Multi Functional Flexi Lightbox <= 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via 'message' Parameter
CVSS 5.5
CVE-2026-3333
MEDIUM
MinhNhut Link Gateway <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-3003
HIGH
Vagaro Booking Widget <= 0.3 - Unauthenticated Stored Cross-Site Scripting via 'vagaro_code'
CVSS 7.2
CVE-2026-2837
MEDIUM
Ricerca – advanced search <= 1.1.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin's Settings
CVSS 4.4
CVE-2026-2501
MEDIUM
Ed's Social Share <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-2496
MEDIUM
Ed's Font Awesome <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-2440
HIGH
SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting
CVSS 7.2
CVE-2026-2427
MEDIUM
itsukaita <= 0.1.2 - Reflected Cross-Site Scripting via 'day_from' Parameter
CVSS 6.1
CVE-2026-2424
MEDIUM
Reward Video Ad for WordPress <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings
CVSS 4.4
CVE-2026-2277
MEDIUM
rexCrawler <= 1.0.15 - Reflected Cross-Site Scripting via 'url' and 'regex' Parameters
CVSS 6.1
CVE-2026-2121
MEDIUM
Weaver Show Posts <= 1.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Additional Classes to Wrap Posts' Widget Setting
CVSS 4.4
CVE-2026-1914
MEDIUM
FuseDesk <= 6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute
CVSS 6.4
CVE-2026-1911
MEDIUM
Twitter Feeds <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'tweet_title' Shortcode Attribute
CVSS 6.4
CVE-2026-1908
MEDIUM
Integration with Hubspot Forms <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-1899
MEDIUM
Any Post Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute
CVSS 6.4
CVE-2026-1891
MEDIUM
Simple Football Scoreboard <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-1889
MEDIUM
Outgrow <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute
CVSS 6.4
Details
Vulnerabilities
44,894
Exploit Likelihood
High