Security Risk Category

stored-xss Security Risks

Published vulnerability pages connected to stored-xss. One risk can appear in multiple categories while keeping one canonical page.

stored-xss risks

Showing 10 of 10 published risks.

medium

AcyMailing WordPress Plugin Stored Cross-Site Scripting Vulnerability

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alignment' attribute in all versions up to, and including, 10.10.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-12170wordpressacymailingstored-xssnewsletter

Updated Jul 10, 2026

mediumEPSS 0.002

Ultimate Post WordPress Plugin Stored Cross-Site Scripting Vulnerability

The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to and including 5.0.31. This is due to insufficient input sanitization and output escaping in the Advanced_Search::content() render callback: the attribute value is filtered with wp_kses(), which strips disallowed HTML tags but does NOT escape HTML special characters such as double quotes in plain text, and the result is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-13253wordpressultimate-poststored-xssplugin

Updated Jul 10, 2026

mediumEPSS 0.002

Customer Reviews for WooCommerce Stored Cross-Site Scripting Vulnerability

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'color' Shortcode Attribute in all versions up to, and including, 5.113.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-13771wordpresswoocommercecustomer-reviewsstored-xss

Updated Jul 10, 2026

mediumEPSS 0.002

Download Manager WordPress Plugin Stored Cross-Site Scripting Vulnerability

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because wp_kses_post filters post content on save for users without unfiltered_html, only kses-allowed tag and attribute payloads that survive save-time filtering will reach the unescaped sink; however, the sink itself remains unsafe and such payloads can still execute in the browser when a user renders the shortcode.

CVE-2026-14343wordpressdownload-managerstored-xssplugin

Updated Jul 10, 2026

highEPSS 0.003

Connect Contact Form 7 and Mailchimp Stored Cross-Site Scripting Vulnerability

The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is only triggered when a privileged user (Administrator) performs a Contact Lookup for the email address submitted via the CF7 form, meaning execution is deferred until an administrator interacts with the affected entry.

CVE-2026-15000wordpresscontact-form-7mailchimpstored-xss

Updated Jul 10, 2026

mediumEPSS 0.001

Nozomi Guardian and CMC Diagram and Graph Stored HTML Injection Vulnerability

A Stored HTML Injection vulnerability was discovered in the Diagram tab and Graph view due to a shared input validation function being insufficiently restrictive. An authenticated user with administrative privileges can inject malicious HTML tags into N2OS configuration data through multiple input vectors. When a victim views the affected data in the Diagram tab and Graph view, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

CVE-2026-31981nozomi-networksguardiancmchtml-injection

Updated Jul 10, 2026

mediumEPSS 0.002

Block Suspend Report for BuddyPress Stored Cross-Site Scripting Vulnerability

The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-4653wordpressbuddypressstored-xssplugin

Updated Jul 10, 2026

mediumEPSS 0.002

Bookero.pl WordPress Plugin Stored Cross-Site Scripting Vulnerability

The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `bookero_products` shortcode's `hide_products` (and `filter_products`) attributes in versions up to and including 2.2. This is due to insufficient input sanitization and output escaping in the `bookero_products()` function — the raw attribute value is concatenated directly into an inline `<script>` block without any escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.

CVE-2026-6910wordpressbookerostored-xssplugin

Updated Jul 10, 2026

criticalEPSS 0.004

ValeApp Stored Cross-Site Scripting Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OceanicSoft Informatics Systems Ltd. ValeApp allows Stored XSS. This issue affects ValeApp: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-2342valeappstored-xssweb-application

Updated Jul 10, 2026

high

EventPrime WordPress Plugin Stored Cross-Site Scripting Vulnerability

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) to be enabled, which allows unauthenticated attackers to submit event types via the frontend form; when that setting is disabled, exploitation requires at minimum a subscriber-level authenticated account.

CVE-2026-13441wordpresseventprimestored-xssplugin

Updated Jul 10, 2026