Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

11 vulnerabilities by HT Plugins

CVE-2026-24991 (GCVE-0-2026-24991)

Vulnerability from cvelistv5 – Published: 2026-02-03 14:08 – Updated: 2026-04-01 14:14
VLAI?
Title
WordPress Extensions For CF7 plugin <= 3.4.0 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extensions For CF7: from n/a through <= 3.4.0.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
HT Plugins Extensions For CF7 Affected: 0 , ≤ 3.4.0 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:05
Credits
Nabil Irawan | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-24991",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T16:43:02.979968Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T16:43:53.305Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "extensions-for-cf7",
          "product": "Extensions For CF7",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.4.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.4.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nabil Irawan | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:05:01.508Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Extensions For CF7: from n/a through \u003c= 3.4.0.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extensions For CF7: from n/a through \u003c= 3.4.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T14:14:38.330Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/extensions-for-cf7/vulnerability/wordpress-extensions-for-cf7-plugin-3-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Extensions For CF7 plugin \u003c= 3.4.0 - Insecure Direct Object References (IDOR) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-24991",
    "datePublished": "2026-02-03T14:08:36.896Z",
    "dateReserved": "2026-01-28T09:50:51.017Z",
    "dateUpdated": "2026-04-01T14:14:38.330Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-60147 (GCVE-0-2025-60147)

Vulnerability from cvelistv5 – Published: 2025-09-26 08:31 – Updated: 2026-04-01 15:59
VLAI?
Title
WordPress HT Feed Plugin <= 1.3.0 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Feed ht-instagram allows Stored XSS.This issue affects HT Feed: from n/a through <= 1.3.0.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
HT Plugins HT Feed Affected: 0 , ≤ 1.3.0 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:44
Credits
Muhammad Yudha - DJ | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-60147",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-26T14:33:08.887261Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-26T14:33:17.828Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ht-instagram",
          "product": "HT Feed",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.3.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:44:00.151Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Feed ht-instagram allows Stored XSS.\u003cp\u003eThis issue affects HT Feed: from n/a through \u003c= 1.3.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Feed ht-instagram allows Stored XSS.This issue affects HT Feed: from n/a through \u003c= 1.3.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:59:42.000Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/ht-instagram/vulnerability/wordpress-ht-feed-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress HT Feed Plugin \u003c= 1.3.0 - Cross Site Scripting (XSS) Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-60147",
    "datePublished": "2025-09-26T08:31:50.655Z",
    "dateReserved": "2025-09-25T15:27:39.209Z",
    "dateUpdated": "2026-04-01T15:59:42.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53463 (GCVE-0-2025-53463)

Vulnerability from cvelistv5 – Published: 2025-09-22 18:25 – Updated: 2026-04-01 15:56
VLAI?
Title
WordPress HT Mega – Absolute Addons for WPBakery Page Builder Plugin <= 1.0.9 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows DOM-Based XSS.This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through <= 1.0.9.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder Affected: 0 , ≤ 1.0.9 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:42
Credits
theviper17 | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53463",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-23T20:30:18.795768Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-23T20:30:30.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ht-mega-for-wpbakery",
          "product": "HT Mega \u2013 Absolute Addons for WPBakery Page Builder",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.1.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.0.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "theviper17 | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:42:34.878Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Mega \u2013 Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows DOM-Based XSS.\u003cp\u003eThis issue affects HT Mega \u2013 Absolute Addons for WPBakery Page Builder: from n/a through \u003c= 1.0.9.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Mega \u2013 Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows DOM-Based XSS.This issue affects HT Mega \u2013 Absolute Addons for WPBakery Page Builder: from n/a through \u003c= 1.0.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-588",
          "descriptions": [
            {
              "lang": "en",
              "value": "DOM-Based XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:56:56.283Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/ht-mega-for-wpbakery/vulnerability/wordpress-ht-mega-absolute-addons-for-wpbakery-page-builder-plugin-1-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress HT Mega \u2013 Absolute Addons for WPBakery Page Builder Plugin \u003c= 1.0.9 - Cross Site Scripting (XSS) Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-53463",
    "datePublished": "2025-09-22T18:25:35.584Z",
    "dateReserved": "2025-06-30T10:46:37.789Z",
    "dateUpdated": "2026-04-01T15:56:56.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-54015 (GCVE-0-2025-54015)

Vulnerability from cvelistv5 – Published: 2025-07-16 10:36 – Updated: 2026-04-01 15:57
VLAI?
Title
WordPress HT Contact Form 7 plugin <= 2.0.0 - Local File Inclusion Vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows PHP Local File Inclusion.This issue affects HT Contact Form 7: from n/a through <= 2.0.0.
Severity ?
No CVSS data available.
CWE
  • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
Impacted products
Vendor Product Version
HT Plugins HT Contact Form 7 Affected: 0 , ≤ 2.0.0 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:42
Credits
Ananda Dhakal (Patchstack)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54015",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-16T13:30:29.267337Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-16T14:39:19.530Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ht-contactform",
          "product": "HT Contact Form 7",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.1.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ananda Dhakal (Patchstack)"
        }
      ],
      "datePublic": "2026-04-01T16:42:02.504Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows PHP Local File Inclusion.\u003cp\u003eThis issue affects HT Contact Form 7: from n/a through \u003c= 2.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows PHP Local File Inclusion.This issue affects HT Contact Form 7: from n/a through \u003c= 2.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-252",
          "descriptions": [
            {
              "lang": "en",
              "value": "PHP Local File Inclusion"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-98",
              "description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:57:11.205Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/ht-contactform/vulnerability/wordpress-ht-contact-form-7-plugin-2-0-0-local-file-inclusion-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress HT Contact Form 7 plugin \u003c= 2.0.0 - Local File Inclusion Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-54015",
    "datePublished": "2025-07-16T10:36:42.762Z",
    "dateReserved": "2025-07-16T08:51:37.992Z",
    "dateUpdated": "2026-04-01T15:57:11.205Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53206 (GCVE-0-2025-53206)

Vulnerability from cvelistv5 – Published: 2025-06-27 13:21 – Updated: 2026-04-01 15:56
VLAI?
Title
WordPress HT Mega – Absolute Addons for WPBakery Page Builder plugin <= 1.0.8 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows Stored XSS.This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through <= 1.0.8.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder Affected: 0 , ≤ 1.0.8 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:41
Credits
theviper17 | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53206",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T14:37:35.985397Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T14:46:41.811Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ht-mega-for-wpbakery",
          "product": "HT Mega \u2013 Absolute Addons for WPBakery Page Builder",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.0.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.0.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "theviper17 | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:41:44.064Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Mega \u2013 Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows Stored XSS.\u003cp\u003eThis issue affects HT Mega \u2013 Absolute Addons for WPBakery Page Builder: from n/a through \u003c= 1.0.8.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Mega \u2013 Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows Stored XSS.This issue affects HT Mega \u2013 Absolute Addons for WPBakery Page Builder: from n/a through \u003c= 1.0.8."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:56:28.621Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/ht-mega-for-wpbakery/vulnerability/wordpress-ht-mega-absolute-addons-for-wpbakery-page-builder-plugin-1-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress HT Mega \u2013 Absolute Addons for WPBakery Page Builder plugin \u003c= 1.0.8 - Cross Site Scripting (XSS) Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-53206",
    "datePublished": "2025-06-27T13:21:01.852Z",
    "dateReserved": "2025-06-27T10:27:45.005Z",
    "dateUpdated": "2026-04-01T15:56:28.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53199 (GCVE-0-2025-53199)

Vulnerability from cvelistv5 – Published: 2025-06-27 13:20 – Updated: 2026-04-01 15:56
VLAI?
Title
WordPress HT Slider For Elementor plugin <= 1.6.5 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Slider For Elementor ht-slider-for-elementor allows DOM-Based XSS.This issue affects HT Slider For Elementor: from n/a through <= 1.6.5.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
HT Plugins HT Slider For Elementor Affected: 0 , ≤ 1.6.5 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:41
Credits
theviper17 | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53199",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T13:57:42.233715Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T13:57:48.176Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ht-slider-for-elementor",
          "product": "HT Slider For Elementor",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.6.6",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.6.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "theviper17 | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:41:43.752Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Slider For Elementor ht-slider-for-elementor allows DOM-Based XSS.\u003cp\u003eThis issue affects HT Slider For Elementor: from n/a through \u003c= 1.6.5.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Slider For Elementor ht-slider-for-elementor allows DOM-Based XSS.This issue affects HT Slider For Elementor: from n/a through \u003c= 1.6.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-588",
          "descriptions": [
            {
              "lang": "en",
              "value": "DOM-Based XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:56:26.876Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/ht-slider-for-elementor/vulnerability/wordpress-ht-slider-for-elementor-plugin-1-6-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress HT Slider For Elementor plugin \u003c= 1.6.5 - Cross Site Scripting (XSS) Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-53199",
    "datePublished": "2025-06-27T13:20:59.265Z",
    "dateReserved": "2025-06-27T10:27:33.251Z",
    "dateUpdated": "2026-04-01T15:56:26.876Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-49309 (GCVE-0-2025-49309)

Vulnerability from cvelistv5 – Published: 2025-06-06 12:53 – Updated: 2026-04-01 15:55
VLAI?
Title
WordPress HT Team Member plugin <= 1.1.7 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Team Member ht-team-member allows Stored XSS.This issue affects HT Team Member: from n/a through <= 1.1.7.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
HT Plugins HT Team Member Affected: 0 , ≤ 1.1.7 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:40
Credits
Muhammad Yudha - DJ | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49309",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-06T15:38:54.682435Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-06T16:04:49.008Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ht-team-member",
          "product": "HT Team Member",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.1.8",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.1.7",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:40:55.538Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Team Member ht-team-member allows Stored XSS.\u003cp\u003eThis issue affects HT Team Member: from n/a through \u003c= 1.1.7.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Team Member ht-team-member allows Stored XSS.This issue affects HT Team Member: from n/a through \u003c= 1.1.7."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:55:16.876Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/ht-team-member/vulnerability/wordpress-ht-team-member-1-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress HT Team Member plugin \u003c= 1.1.7 - Cross Site Scripting (XSS) Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-49309",
    "datePublished": "2025-06-06T12:53:50.147Z",
    "dateReserved": "2025-06-04T09:42:00.390Z",
    "dateUpdated": "2026-04-01T15:55:16.876Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-30820 (GCVE-0-2025-30820)

Vulnerability from cvelistv5 – Published: 2025-03-27 10:55 – Updated: 2026-04-01 15:47
VLAI?
Title
WordPress WishSuite plugin <= 1.4.4 - Local File Inclusion Vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in HT Plugins WishSuite wishsuite allows PHP Local File Inclusion.This issue affects WishSuite: from n/a through <= 1.4.4.
Severity ?
No CVSS data available.
CWE
  • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
Impacted products
Vendor Product Version
HT Plugins WishSuite Affected: 0 , ≤ 1.4.4 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:36
Credits
LVT-tholv2k | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30820",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T13:20:41.641816Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T13:20:49.896Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "wishsuite",
          "product": "WishSuite",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.4.5",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.4.4",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "LVT-tholv2k | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:36:41.528Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in HT Plugins WishSuite wishsuite allows PHP Local File Inclusion.\u003cp\u003eThis issue affects WishSuite: from n/a through \u003c= 1.4.4.\u003c/p\u003e"
            }
          ],
          "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in HT Plugins WishSuite wishsuite allows PHP Local File Inclusion.This issue affects WishSuite: from n/a through \u003c= 1.4.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-252",
          "descriptions": [
            {
              "lang": "en",
              "value": "PHP Local File Inclusion"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-98",
              "description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:47:38.573Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/wishsuite/vulnerability/wordpress-wishsuite-plugin-1-4-4-local-file-inclusion-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress WishSuite plugin \u003c= 1.4.4 - Local File Inclusion Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-30820",
    "datePublished": "2025-03-27T10:55:07.632Z",
    "dateReserved": "2025-03-26T09:20:32.697Z",
    "dateUpdated": "2026-04-01T15:47:38.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24726 (GCVE-0-2025-24726)

Vulnerability from cvelistv5 – Published: 2025-01-24 17:25 – Updated: 2026-04-01 15:44
VLAI?
Title
WordPress Contact Form 7 Widget plugin <= 1.2.1 - Stored Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS.This issue affects HT Contact Form 7: from n/a through <= 1.2.1.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
HT Plugins HT Contact Form 7 Affected: 0 , ≤ 1.2.1 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:34
Credits
Peter Thaleikis | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T17:55:27.602842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:01:16.387Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ht-contactform",
          "product": "HT Contact Form 7",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Thaleikis | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:39.745Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS.\u003cp\u003eThis issue affects HT Contact Form 7: from n/a through \u003c= 1.2.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS.This issue affects HT Contact Form 7: from n/a through \u003c= 1.2.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:44:37.850Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/ht-contactform/vulnerability/wordpress-contact-form-7-widget-plugin-1-2-1-stored-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Contact Form 7 Widget plugin \u003c= 1.2.1 - Stored Cross Site Scripting (XSS) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24726",
    "datePublished": "2025-01-24T17:25:16.721Z",
    "dateReserved": "2025-01-23T14:52:44.768Z",
    "dateUpdated": "2026-04-01T15:44:37.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24695 (GCVE-0-2025-24695)

Vulnerability from cvelistv5 – Published: 2025-01-24 17:24 – Updated: 2026-04-01 15:44
VLAI?
Title
WordPress Extensions For CF7 Plugin <= 3.2.0 - Server Side Request Forgery (SSRF) vulnerability
Summary
Server-Side Request Forgery (SSRF) vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Server Side Request Forgery.This issue affects Extensions For CF7: from n/a through <= 3.2.0.
Severity ?
No CVSS data available.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
Vendor Product Version
HT Plugins Extensions For CF7 Affected: 0 , ≤ 3.2.0 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:34
Credits
Marek Mikita | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24695",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T17:56:29.815859Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:01:18.547Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "extensions-for-cf7",
          "product": "Extensions For CF7",
          "vendor": "HT Plugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.2.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.2.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marek Mikita | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:38.150Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Server-Side Request Forgery (SSRF) vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Server Side Request Forgery.\u003cp\u003eThis issue affects Extensions For CF7: from n/a through \u003c= 3.2.0.\u003c/p\u003e"
            }
          ],
          "value": "Server-Side Request Forgery (SSRF) vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Server Side Request Forgery.This issue affects Extensions For CF7: from n/a through \u003c= 3.2.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-664",
          "descriptions": [
            {
              "lang": "en",
              "value": "Server Side Request Forgery"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:44:31.356Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/extensions-for-cf7/vulnerability/wordpress-extensions-for-cf7-plugin-3-2-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Extensions For CF7 Plugin \u003c= 3.2.0 - Server Side Request Forgery (SSRF) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24695",
    "datePublished": "2025-01-24T17:24:56.863Z",
    "dateReserved": "2025-01-23T14:52:23.104Z",
    "dateUpdated": "2026-04-01T15:44:31.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-49630 (GCVE-0-2024-49630)

Vulnerability from cvelistv5 – Published: 2024-10-20 07:48 – Updated: 2026-04-01 15:36
VLAI?
Title
WordPress WP Education for Elementor plugin <= 1.2.8 - Stored Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DevItems WP Education wp-education allows Stored XSS.This issue affects WP Education: from n/a through <= 1.2.8.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
DevItems WP Education Affected: 0 , ≤ 1.2.8 (custom)
Create a notification for this product.
Date Public ?
2026-04-01 16:28
Credits
Gab | Patchstack Bug Bounty Program
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49630",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-20T13:35:00.641263Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-21T11:40:50.922Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "wp-education",
          "product": "WP Education",
          "vendor": "DevItems",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gab | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:28:15.282Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in DevItems WP Education wp-education allows Stored XSS.\u003cp\u003eThis issue affects WP Education: from n/a through \u003c= 1.2.8.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in DevItems WP Education wp-education allows Stored XSS.This issue affects WP Education: from n/a through \u003c= 1.2.8."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T15:36:25.037Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/wp-education/vulnerability/wordpress-wp-education-for-elementor-plugin-1-2-8-stored-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress WP Education for Elementor plugin \u003c= 1.2.8 - Stored Cross Site Scripting (XSS) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-49630",
    "datePublished": "2024-10-20T07:48:27.717Z",
    "dateReserved": "2024-10-17T09:51:28.653Z",
    "dateUpdated": "2026-04-01T15:36:25.037Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}