
CVE-2025-1401 – WP Click Info <= 2.7.4 - Reflected XSS
https://notcve.org/view.php?id=CVE-2025-1401
20 Feb 2025 — The WP Click Info WordPress plugin through 2.7.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The WP Click Info plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts ... • https://wpscan.com/vulnerability/072620a2-76db-49d2-aae5-1170c409f7e7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-1436 – Limit Bio <= 1.0 - Stored XSS via CSRF
https://notcve.org/view.php?id=CVE-2025-1436
20 Feb 2025 — The Limit Bio WordPress plugin through 1.0 does not have a CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged in admin add Stored XSS payloads via a CSRF attack. The Limit Bio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject... • https://wpscan.com/vulnerability/849ed0a0-be17-43cf-a3a1-ad54dfb33d57 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2024-13574 – XV Random Quotes <= 1.40 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13574
18 Feb 2025 — The XV Random Quotes WordPress plugin through 1.40 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The XV Random Quotes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'qo' parameter in all versions up to, and including, 1.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to i... • https://wpscan.com/vulnerability/7eb9ef20-5d34-425e-b7fc-38a769d0a822 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-13580 – XV Random Quotes <= 1.40 - Settings Reset via CSRF
https://notcve.org/view.php?id=CVE-2024-13580
18 Feb 2025 — The XV Random Quotes WordPress plugin through 1.40 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack. The XV Random Quotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.40. This is due to missing or incorrect nonce validation on the 'stray_tools' page. This makes it possible for unauthenticated attackers to reset the plugin settings via a forged request gra... • https://wpscan.com/vulnerability/48cffe03-adcf-4da2-a331-464ae511a805 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-13615 – Social Media Plugin by Social Snap <= 1.3.6 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-13615
18 Feb 2025 — The Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap WordPress plugin through 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). The Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap plugin for WordPress is vulnerable to Sto... • https://wpscan.com/vulnerability/e8401973-f4c2-4ccf-a6ad-507dde8d2259 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-13836 – WP Login Control <= 2.0.0 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13836
18 Feb 2025 — The WP Login Control WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The WP Login Control plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order' parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers... • https://wpscan.com/vulnerability/26c2026a-1490-4a0f-9d1d-54ee43c69f22 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-13853 – SEO Tools <= 4.0.7 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13853
18 Feb 2025 — The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The SEO Tools plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'src' parameter in all versions up to, and including, 4.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitr... • https://wpscan.com/vulnerability/52991dd9-41f7-4cf8-b8c9-56dd4e62bf0c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-13862 – S3Bubble Media Streaming <= 8.0 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13862
18 Feb 2025 — The S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through 8.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 8.0 due to insuffi... • https://wpscan.com/vulnerability/7692b768-a33f-45a2-90f1-1f4258493979 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-13864 – Countdown Timer <= 1.0 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13864
18 Feb 2025 — The Countdown Timer WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The Countdown Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in ... • https://wpscan.com/vulnerability/b95b32b6-218a-4d02-b294-ab13458006b2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-0629 – Coronavirus (COVID-19) Notice Message <= 1.1.2 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-0629
18 Feb 2025 — The Coronavirus (COVID-19) Notice Message WordPress plugin through 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). The Coronavirus (COVID-19) Notice Message plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.2 due to insufficient input sa... • https://wpscan.com/vulnerability/39c36d6d-5522-422b-b890-524e27e67f7c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')