
CVE-2025-2560 – Ninja Forms < 3.10.1 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-2560
28 Apr 2025 — The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.10.0 due to insufficient input saniti... • https://wpscan.com/vulnerability/2adaa55a-4a6d-40ca-ae19-fcb82420894a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-2561 – Ninja Forms < 3.10.1 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-2561
28 Apr 2025 — The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.10.0 due to insufficient input saniti... • https://wpscan.com/vulnerability/4a2074a3-a479-4473-92fb-04397f20dd86 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-3516 – Simple Lightbox < 2.9.4 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3516
25 Apr 2025 — The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Simple Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor... • https://wpscan.com/vulnerability/336a78cd-297b-4f47-a007-e33eac7f1dad • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-3201 – Kali Forms < 2.4.3 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3201
25 Apr 2025 — The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks. The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for a... • https://wpscan.com/vulnerability/4248289f-36d2-41c5-baf6-bb2c630482ef • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-3742 – Responsive Lightbox & Gallery < 2.5.1 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3742
24 Apr 2025 — The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticat... • https://wpscan.com/vulnerability/5b8f487b-63a5-4d2a-9b61-ed4d97f18320 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-3597 – Firelight Lightbox < 2.3.15 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3597
21 Apr 2025 — The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary JavaScript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free version too, making it theoretically exploitable there as well. The Firelight Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via posts in all versions up to, and including, 2.3.14 due to insuf... • https://wpscan.com/vulnerability/8bf5e107-6397-4946-aaee-bf61d3e2dffd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-3649 – LightPress Lightbox < 2.3.4 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3649
21 Apr 2025 — The LightPress Lightbox WordPress plugin before 2.3.4 does not check that download links point to valid, non-JavaScript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks. The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data download URLs in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, ... • https://wpscan.com/vulnerability/37fb7f3b-1766-4c2c-9b78-f77f15a04476 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-3583 – Newsletter < 8.7.1 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3583
14 Apr 2025 — The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the preheader_text value in versions up to, and including, 8.7.0 due to insufficient input sanitization and output escaping. This makes it pos... • https://wpscan.com/vulnerability/a6582e14-e21e-48e7-9b4c-0044fb199825 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-3513 – SureForms < 1.4.4 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3513
11 Apr 2025 — The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.4.3 due to insufficient input sanitizatio... • https://wpscan.com/vulnerability/dd7e0bb3-4a98-4f62-bd2e-f30b27d71226 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-3514 – SureForms < 1.4.4 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3514
11 Apr 2025 — The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.4.3 due to insufficient input sanitizatio... • https://wpscan.com/vulnerability/fc3da503-a973-44d8-82d0-13539501f8c0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •