CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13559 – TemplatesNext ToolKit <= 3.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2024-13559
28 Feb 2025 — The TemplatesNext ToolKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tx_woo_wishlist_table' shortcode in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/templatesnext-toolkit/trunk/inc/woo-compare-wishlist/includes/wishlist/shortcode.php#L13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22310 – WordPress TemplatesNext ToolKit plugin <= 3.2.9 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-22310
06 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TemplatesNext TemplatesNext ToolKit allows Stored XSS.This issue affects TemplatesNext ToolKit: from n/a through 3.2.9. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web ('Cross-site Scripting') en TemplatesNext TemplatesNext ToolKit permite XSS almacenado. Este problema afecta a TemplatesNext ToolKit: desde n/a hasta 3.2.9. The TemplatesNext ToolKit plugin for W... • https://patchstack.com/database/wordpress/plugin/templatesnext-toolkit/vulnerability/wordpress-templatesnext-toolkit-plugin-3-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0333 – TemplatesNext ToolKit < 3.2.9 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0333
18 Jan 2023 — The TemplatesNext ToolKit WordPress plugin before 3.2.9 does not validate some of its shortcode attributes before using them to generate an HTML tag, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks The TemplatesNext ToolKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 3.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This ma... • https://wpscan.com/vulnerability/e86ff4d5-d549-4c71-b80e-6a9b3bfddbfc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4678 – TemplatesNext ToolKit < 3.2.8 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4678
17 Jan 2023 — The TemplatesNext ToolKit WordPress plugin before 3.2.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The TemplatesNext ToolKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 3.2.7 due to insufficient input sanitization and output esc... • https://wpscan.com/vulnerability/6a36d665-a0ca-4346-8e55-cf9ba45966cc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22712 – WordPress TemplatesNext ToolKit Plugin <= 3.2.7 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-22712
17 Jan 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in TemplatesNext TemplatesNext ToolKit plugin <= 3.2.7 versions. The TemplatesNext ToolKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via numerous rendering parameters in its widgets code in versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user ac... • https://patchstack.com/database/vulnerability/templatesnext-toolkit/wordpress-templatesnext-toolkit-plugin-3-2-7-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •