CWE-79
High likelihood
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
44,894 vulnerabilities with CWE-79
CVE-2026-1886
MEDIUM
Go Night Pro | WordPress Dark Mode Plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'margin' Shortcode Attribute
CVSS 6.4
CVE-2026-1854
MEDIUM
Post Flagger <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slug' Shortcode Attribute
CVSS 6.4
CVE-2026-1851
MEDIUM
iVysilani Shortcode <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute
CVSS 6.4
CVE-2026-1822
MEDIUM
WP NG Weather <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-1806
MEDIUM
Tour & Activity Operator Plugin for TourCMS <= 1.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-1647
MEDIUM
Comment Genius <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
CVSS 6.1
CVE-2026-1575
MEDIUM
Schema Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS 6.4
CVE-2026-1397
MEDIUM
PQ Addons – Creative Elementor Widgets <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Attributes
CVSS 6.4
CVE-2026-1278
MEDIUM
Mandatory Field <= 1.6.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Fields
CVSS 4.4
CVE-2026-1275
MEDIUM
Multi Post Carousel by Category <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slides' Shortcode Attribute
CVSS 6.4
CVE-2026-1247
MEDIUM
Survey <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
CVSS 4.4
CVE-2026-1093
MEDIUM
WPFAQBlock – FAQ & Accordion Plugin For Gutenberg <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute
CVSS 6.4
CVE-2026-0609
MEDIUM
Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode
CVSS 6.4
CVE-2026-4083
MEDIUM
Scoreboard for HTML5 Games Lite <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2026-3577
MEDIUM
Keep Backup Daily <= 2.1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Backup Title
CVSS 4.4
CVE-2026-3572
MEDIUM
iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field
CVSS 6.1
CVE-2026-3516
MEDIUM
Contact List <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter
CVSS 6.4
CVE-2026-3368
HIGH
Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name
CVSS 7.2
CVE-2026-3350
MEDIUM
Image Alt Text Manager <= 1.8.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Title
CVSS 6.4
CVE-2026-2430
MEDIUM
Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes
CVSS 6.4
CVE-2026-2352
MEDIUM
Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ao_post_preload' Meta Value
CVSS 6.4
CVE-2026-33411
MEDIUM
Discourse's solved topic stream has potential stored XSS in topic title
CVSS 5.4
CVE-2026-33230
MEDIUM
nltk Vulnerable to Cross-site Scripting
CVSS 6.1
CVE-2026-33209
MEDIUM
Avo <3.30.3 return_to Parameter - Reflected Cross-Site Scripting
CVSS 6.1
CVE-2026-33172
HIGH
Statamic has Stored XSS via SVG Sanitization Bypass
CVSS 8.7
Details
Vulnerabilities: 44,894
Exploit Likelihood: High