CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1065 – Visualizer: Tables and Charts Manager for WordPress <= 3.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Import Data From File
https://notcve.org/view.php?id=CVE-2025-1065
18 Feb 2025 — The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Import Data From File feature in all versions up to, and including, 3.11.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset/3240066/visualizer • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22659 – WordPress Orbit Fox by ThemeIsle plugin <= 2.10.44 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-22659
03 Feb 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle allows Stored XSS.This issue affects Orbit Fox by ThemeIsle: from n/a through 2.10.44. The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.10.44 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to... • https://patchstack.com/database/wordpress/plugin/themeisle-companion/vulnerability/wordpress-orbit-fox-by-themeisle-plugin-2-10-44-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10705 – Multiple Page Generator Plugin – MPG <= 4.0.5 - Authenticated (Editor+) Server-Side Request Forgery via fileUrl
https://notcve.org/view.php?id=CVE-2024-10705
25 Jan 2025 — The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.5 via the 'mpg_download_file_by_link' function. This makes it possible for authenticated attackers, with editor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. • https://plugins.trac.wordpress.org/changeset/3205550/multiple-pages-generator-by-porthas • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13183 – Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter
https://notcve.org/view.php?id=CVE-2024-13183
09 Jan 2025 — The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ parameter in all versions up to, and including, 2.10.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://github.com/Codeinwp/themeisle-companion/commit/47a17c86934cebbfc3f1a812f1afcaa20515c1f7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0311 – Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
https://notcve.org/view.php?id=CVE-2025-0311
09 Jan 2025 — The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table widget in all versions up to, and including, 2.10.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://github.com/Codeinwp/themeisle-companion/commit/47a17c86934cebbfc3f1a812f1afcaa20515c1f7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11219 – Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 3.0.6 - Unauthetnicated Path Traversal to Arbitrary Image View
https://notcve.org/view.php?id=CVE-2024-11219
26 Nov 2024 — The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.0.6 via the get_image function. This makes it possible for unauthenticated attackers to view arbitrary images on the server, which can contain sensitive information. • https://plugins.trac.wordpress.org/browser/otter-blocks/tags/3.0.6/inc/plugins/class-dynamic-content.php#L222 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10672 – Multiple Page Generator Plugin – MPG <= 4.0.2 - Authenticated (Editor+) Directory Traversal to Limited File Deletion
https://notcve.org/view.php?id=CVE-2024-10672
11 Nov 2024 — The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server. • https://plugins.trac.wordpress.org/browser/multiple-pages-generator-by-porthas/tags/3.4.8/controllers/ProjectController.php#L139 • CWE-73: External Control of File Name or Path •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10367 – Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 3.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
https://notcve.org/view.php?id=CVE-2024-10367
31 Oct 2024 — The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. • https://plugins.trac.wordpress.org/changeset/3178637 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7424 – Multiple Page Generator Plugin – MPG <= 4.0.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-7424
31 Oct 2024 — The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to unauthorized modification of and access to data due to a missing capability check on several functions in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those functions intended for admin use resulting in subscribers being able to upload csv files and view the contents of MPG projects. • https://plugins.trac.wordpress.org/browser/multiple-pages-generator-by-porthas/trunk/controllers/DatasetController.php#L261 • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7778 – Orbit Fox by ThemeIsle <= 2.10.36 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
https://notcve.org/view.php?id=CVE-2024-7778
21 Aug 2024 — The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.10.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. • https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/2.10.36/obfx_modules/custom-fonts/custom_fonts_admin.php#L376 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •