Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities by Eli
CVE-2025-68872 (GCVE-0-2025-68872)
Vulnerability from nvd – Published: 2026-06-15 20:17 – Updated: 2026-06-16 17:12
VLAI
Title
WordPress Eli's WordCents adSense Widget with Analytics plugin <= 1.3.03.27 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | Eli's WordCents adSense Widget with Analytics |
Affected:
n/a , ≤ 1.3.03.27
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T13:30:09.681193Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T17:12:28.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wordcents",
"product": "Eli\u0026#039;s WordCents adSense Widget with Analytics",
"vendor": "Eli",
"versions": [
{
"lessThanOrEqual": "1.3.03.27",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Skalucy | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauthenticated Cross Site Scripting (XSS) in Eli\u0026#039;s WordCents adSense Widget with Analytics \u003c= 1.3.03.27 versions."
}
],
"value": "Unauthenticated Cross Site Scripting (XSS) in Eli\u0026#039;s WordCents adSense Widget with Analytics \u003c= 1.3.03.27 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T20:17:28.836Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/wordcents/vulnerability/wordpress-eli-s-wordcents-adsense-widget-with-analytics-plugin-1-3-03-27-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Eli\u0027s WordCents adSense Widget with Analytics plugin \u003c= 1.3.03.27 - Reflected Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-68872",
"datePublished": "2026-06-15T20:17:28.836Z",
"dateReserved": "2025-12-24T14:00:24.760Z",
"dateUpdated": "2026-06-16T17:12:28.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47514 (GCVE-0-2025-47514)
Vulnerability from nvd – Published: 2025-05-07 14:20 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress ELI's Related Posts Footer Links and Widget plugin <= 1.2.04.20 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Eli ELI's Related Posts Footer Links and Widget spostarbust allows Stored XSS.This issue affects ELI's Related Posts Footer Links and Widget: from n/a through <= 1.2.04.20.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | ELI's Related Posts Footer Links and Widget |
Affected:
0 , ≤ 1.2.04.20
(custom)
|
Date Public
2026-04-01 16:40
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47514",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T17:21:10.620142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T18:20:51.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "spostarbust",
"product": "ELI\u0027s Related Posts Footer Links and Widget",
"vendor": "Eli",
"versions": [
{
"changes": [
{
"at": "1.2.04.25",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.2.04.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "johska | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:05.161Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli ELI\u0027s Related Posts Footer Links and Widget spostarbust allows Stored XSS.\u003cp\u003eThis issue affects ELI\u0027s Related Posts Footer Links and Widget: from n/a through \u003c= 1.2.04.20.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli ELI\u0027s Related Posts Footer Links and Widget spostarbust allows Stored XSS.This issue affects ELI\u0027s Related Posts Footer Links and Widget: from n/a through \u003c= 1.2.04.20."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:43.402Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/spostarbust/vulnerability/wordpress-eli-s-related-posts-footer-links-and-widget-plugin-1-2-04-20-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress ELI\u0027s Related Posts Footer Links and Widget plugin \u003c= 1.2.04.20 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47514",
"datePublished": "2025-05-07T14:20:03.010Z",
"dateReserved": "2025-05-07T09:39:30.830Z",
"dateUpdated": "2026-04-28T16:12:43.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30788 (GCVE-0-2025-30788)
Vulnerability from nvd – Published: 2025-03-27 10:54 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin <= 5.25.08 - CSRF to SQL Injection vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows SQL Injection.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through <= 5.25.08.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | EZ SQL Reports Shortcode Widget and DB Backup |
Affected:
0 , ≤ 5.25.08
(custom)
|
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T13:59:22.405350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:05:17.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elisqlreports",
"product": "EZ SQL Reports Shortcode Widget and DB Backup",
"vendor": "Eli",
"versions": [
{
"changes": [
{
"at": "5.25.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.25.08",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:21.566Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows SQL Injection.\u003cp\u003eThis issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.25.08.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows SQL Injection.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.25.08."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:57.299Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/elisqlreports/vulnerability/wordpress-ez-sql-reports-shortcode-widget-and-db-backup-plugin-5-25-08-csrf-to-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin \u003c= 5.25.08 - CSRF to SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30788",
"datePublished": "2025-03-27T10:54:48.817Z",
"dateReserved": "2025-03-26T09:20:11.232Z",
"dateUpdated": "2026-04-28T16:11:57.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30787 (GCVE-0-2025-30787)
Vulnerability from nvd – Published: 2025-03-27 10:54 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin <= 5.25.08 - CSRF to Stored XSS vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through <= 5.25.08.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | EZ SQL Reports Shortcode Widget and DB Backup |
Affected:
0 , ≤ 5.25.08
(custom)
|
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30787",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T13:59:25.399342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:05:23.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elisqlreports",
"product": "EZ SQL Reports Shortcode Widget and DB Backup",
"vendor": "Eli",
"versions": [
{
"changes": [
{
"at": "5.25.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.25.08",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:21.540Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.\u003cp\u003eThis issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.25.08.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.25.08."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:57.217Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/elisqlreports/vulnerability/wordpress-ez-sql-reports-shortcode-widget-and-db-backup-plugin-5-25-08-csrf-to-stored-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin \u003c= 5.25.08 - CSRF to Stored XSS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30787",
"datePublished": "2025-03-27T10:54:48.212Z",
"dateReserved": "2025-03-26T09:20:11.232Z",
"dateUpdated": "2026-04-28T16:11:57.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26887 (GCVE-0-2025-26887)
Vulnerability from nvd – Published: 2025-02-25 14:17 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin <= 5.21.35 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through <= 5.21.35.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | EZ SQL Reports Shortcode Widget and DB Backup |
Affected:
0 , ≤ 5.21.35
(custom)
|
Date Public
2026-04-01 16:35
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T15:26:15.790889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T15:26:25.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elisqlreports",
"product": "EZ SQL Reports Shortcode Widget and DB Backup",
"vendor": "Eli",
"versions": [
{
"changes": [
{
"at": "5.25.08",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.21.35",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:35:19.267Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.\u003cp\u003eThis issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.21.35.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.21.35."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:42.244Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/elisqlreports/vulnerability/wordpress-ez-sql-reports-shortcode-widget-and-db-backup-plugin-5-21-35-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin \u003c= 5.21.35 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-26887",
"datePublished": "2025-02-25T14:17:52.225Z",
"dateReserved": "2025-02-17T11:50:29.985Z",
"dateUpdated": "2026-04-28T16:11:42.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68872 (GCVE-0-2025-68872)
Vulnerability from cvelistv5 – Published: 2026-06-15 20:17 – Updated: 2026-06-16 17:12
VLAI
Title
WordPress Eli's WordCents adSense Widget with Analytics plugin <= 1.3.03.27 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | Eli's WordCents adSense Widget with Analytics |
Affected:
n/a , ≤ 1.3.03.27
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T13:30:09.681193Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T17:12:28.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wordcents",
"product": "Eli\u0026#039;s WordCents adSense Widget with Analytics",
"vendor": "Eli",
"versions": [
{
"lessThanOrEqual": "1.3.03.27",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Skalucy | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauthenticated Cross Site Scripting (XSS) in Eli\u0026#039;s WordCents adSense Widget with Analytics \u003c= 1.3.03.27 versions."
}
],
"value": "Unauthenticated Cross Site Scripting (XSS) in Eli\u0026#039;s WordCents adSense Widget with Analytics \u003c= 1.3.03.27 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T20:17:28.836Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/wordcents/vulnerability/wordpress-eli-s-wordcents-adsense-widget-with-analytics-plugin-1-3-03-27-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Eli\u0027s WordCents adSense Widget with Analytics plugin \u003c= 1.3.03.27 - Reflected Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-68872",
"datePublished": "2026-06-15T20:17:28.836Z",
"dateReserved": "2025-12-24T14:00:24.760Z",
"dateUpdated": "2026-06-16T17:12:28.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47514 (GCVE-0-2025-47514)
Vulnerability from cvelistv5 – Published: 2025-05-07 14:20 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress ELI's Related Posts Footer Links and Widget plugin <= 1.2.04.20 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Eli ELI's Related Posts Footer Links and Widget spostarbust allows Stored XSS.This issue affects ELI's Related Posts Footer Links and Widget: from n/a through <= 1.2.04.20.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | ELI's Related Posts Footer Links and Widget |
Affected:
0 , ≤ 1.2.04.20
(custom)
|
Date Public
2026-04-01 16:40
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47514",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T17:21:10.620142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T18:20:51.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "spostarbust",
"product": "ELI\u0027s Related Posts Footer Links and Widget",
"vendor": "Eli",
"versions": [
{
"changes": [
{
"at": "1.2.04.25",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.2.04.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "johska | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:05.161Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli ELI\u0027s Related Posts Footer Links and Widget spostarbust allows Stored XSS.\u003cp\u003eThis issue affects ELI\u0027s Related Posts Footer Links and Widget: from n/a through \u003c= 1.2.04.20.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli ELI\u0027s Related Posts Footer Links and Widget spostarbust allows Stored XSS.This issue affects ELI\u0027s Related Posts Footer Links and Widget: from n/a through \u003c= 1.2.04.20."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:43.402Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/spostarbust/vulnerability/wordpress-eli-s-related-posts-footer-links-and-widget-plugin-1-2-04-20-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress ELI\u0027s Related Posts Footer Links and Widget plugin \u003c= 1.2.04.20 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47514",
"datePublished": "2025-05-07T14:20:03.010Z",
"dateReserved": "2025-05-07T09:39:30.830Z",
"dateUpdated": "2026-04-28T16:12:43.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30788 (GCVE-0-2025-30788)
Vulnerability from cvelistv5 – Published: 2025-03-27 10:54 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin <= 5.25.08 - CSRF to SQL Injection vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows SQL Injection.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through <= 5.25.08.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | EZ SQL Reports Shortcode Widget and DB Backup |
Affected:
0 , ≤ 5.25.08
(custom)
|
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T13:59:22.405350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:05:17.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elisqlreports",
"product": "EZ SQL Reports Shortcode Widget and DB Backup",
"vendor": "Eli",
"versions": [
{
"changes": [
{
"at": "5.25.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.25.08",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:21.566Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows SQL Injection.\u003cp\u003eThis issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.25.08.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows SQL Injection.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.25.08."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:57.299Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/elisqlreports/vulnerability/wordpress-ez-sql-reports-shortcode-widget-and-db-backup-plugin-5-25-08-csrf-to-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin \u003c= 5.25.08 - CSRF to SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30788",
"datePublished": "2025-03-27T10:54:48.817Z",
"dateReserved": "2025-03-26T09:20:11.232Z",
"dateUpdated": "2026-04-28T16:11:57.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30787 (GCVE-0-2025-30787)
Vulnerability from cvelistv5 – Published: 2025-03-27 10:54 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin <= 5.25.08 - CSRF to Stored XSS vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through <= 5.25.08.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | EZ SQL Reports Shortcode Widget and DB Backup |
Affected:
0 , ≤ 5.25.08
(custom)
|
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30787",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T13:59:25.399342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:05:23.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elisqlreports",
"product": "EZ SQL Reports Shortcode Widget and DB Backup",
"vendor": "Eli",
"versions": [
{
"changes": [
{
"at": "5.25.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.25.08",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:21.540Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.\u003cp\u003eThis issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.25.08.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.25.08."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:57.217Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/elisqlreports/vulnerability/wordpress-ez-sql-reports-shortcode-widget-and-db-backup-plugin-5-25-08-csrf-to-stored-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin \u003c= 5.25.08 - CSRF to Stored XSS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30787",
"datePublished": "2025-03-27T10:54:48.212Z",
"dateReserved": "2025-03-26T09:20:11.232Z",
"dateUpdated": "2026-04-28T16:11:57.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26887 (GCVE-0-2025-26887)
Vulnerability from cvelistv5 – Published: 2025-02-25 14:17 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin <= 5.21.35 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through <= 5.21.35.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eli | EZ SQL Reports Shortcode Widget and DB Backup |
Affected:
0 , ≤ 5.21.35
(custom)
|
Date Public
2026-04-01 16:35
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T15:26:15.790889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T15:26:25.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elisqlreports",
"product": "EZ SQL Reports Shortcode Widget and DB Backup",
"vendor": "Eli",
"versions": [
{
"changes": [
{
"at": "5.25.08",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.21.35",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:35:19.267Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.\u003cp\u003eThis issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.21.35.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows Stored XSS.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through \u003c= 5.21.35."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:42.244Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/elisqlreports/vulnerability/wordpress-ez-sql-reports-shortcode-widget-and-db-backup-plugin-5-21-35-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin \u003c= 5.21.35 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-26887",
"datePublished": "2025-02-25T14:17:52.225Z",
"dateReserved": "2025-02-17T11:50:29.985Z",
"dateUpdated": "2026-04-28T16:11:42.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}