Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-24771 | 2025-07-08 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Content Manager Light allows Reflected XSS. This issue affects Content Manager Light: from n/a through 3.2.
|
|||||
| CVE-2025-30983 | 2025-07-08 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Card flip image slideshow allows DOM-Based XSS. This issue affects Card flip image slideshow: from n/a through 1.5.
|
|||||
| CVE-2025-24735 | 2025-07-08 | N/A | 5.9 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chatra Chatra Live Chat + ChatBot + Cart Saver allows Stored XSS. This issue affects Chatra Live Chat + ChatBot + Cart Saver: from n/a through 1.0.11.
|
|||||
| CVE-2025-53566 | 2025-07-08 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) allows Stored XSS. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 7.8.
|
|||||
| CVE-2025-49866 | 2025-07-08 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nikel Beautiful Cookie Consent Banner allows Reflected XSS. This issue affects Beautiful Cookie Consent Banner: from n/a through 4.6.1.
|
|||||
| CVE-2025-30943 | 2025-07-08 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aakif Kadiwala Posts Slider Shortcode allows DOM-Based XSS. This issue affects Posts Slider Shortcode: from n/a through 1.0.
|
|||||
| CVE-2025-49247 | 2025-07-08 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmoreira Team Showcase allows DOM-Based XSS. This issue affects Team Showcase: from n/a through n/a.
|
|||||
| CVE-2025-28957 | 2025-07-08 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OwnerRez OwnerRez allows Stored XSS. This issue affects OwnerRez: from n/a through 1.2.1.
|
|||||
| CVE-2025-6944 | 2025-07-08 | N/A | 6.4 MEDIUM | ||
|
The Uncode Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes in all versions up to, and including, 2.9.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-52776 | 2025-07-08 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thanhtungtnt Video List Manager allows Stored XSS. This issue affects Video List Manager: from n/a through 1.7.
|
|||||
| CVE-2025-6673 | 2025-07-08 | N/A | 6.4 MEDIUM | ||
|
The Easy restaurant menu manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's nsc_eprm_menu_link shortcode in versions up to, and including 2.0.1, due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-53487 | 2025-07-08 | N/A | 5.4 MEDIUM | ||
|
The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped.
This issue affects Mediawiki - ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
|
|||||
| CVE-2025-7057 | 2025-07-08 | N/A | 5.4 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Quiz Extension allows Stored XSS.This issue affects Mediawiki - Quiz Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
|
|||||
| CVE-2025-53491 | 2025-07-08 | N/A | 5.4 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - FlaggedRevs Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FlaggedRevs Extension: from 1.43.X before 1.43.2.
|
|||||
| CVE-2025-53486 | 2025-07-08 | N/A | 5.4 MEDIUM | ||
|
The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.
The vulnerability exists because the linkstyle parameter is only passed through Sanitizer: ...
Show More |
|||||
| CVE-2025-7056 | 2025-07-08 | N/A | 6.3 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - UrlShortener Extension allows Stored XSS.This issue affects Mediawiki - UrlShortener Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
|
|||||
| CVE-2025-53497 | 2025-07-08 | N/A | 5.4 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RelatedArticles Extension allows Stored XSS.This issue affects Mediawiki - RelatedArticles Extension: from 1.43.X before 1.43.2.
|
|||||
| CVE-2025-53543 | 2025-07-08 | N/A | 4.2 MEDIUM | ||
|
Kestra is an event-driven orchestration platform. The error message in execution "Overview" tab is vulnerable to stored XSS due to improper handling of HTTP response received. This vulnerability is fixed in 0.22.0.
|
|||||
| CVE-2025-53478 | 2025-07-08 | N/A | 5.4 MEDIUM | ||
|
The CheckUser extension’s Special:Investigate interface is vulnerable to reflected XSS due to improper escaping of certain internationalized system messages rendered on the “IPs and User agents” tab.
This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
|
|||||
| CVE-2024-43334 | 2025-07-08 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gavias Halpes allows Reflected XSS.This issue affects Halpes: from n/a before 1.2.5.
|
|||||
| CVE-2025-42973 | 2025-07-08 | N/A | 5.4 MEDIUM | ||
|
Due to a Cross-Site Scripting vulnerability in SAP Data Services Management Console, an authenticated attacker could exploit the search functionality associated with DQ job status reports. By intercepting requests, malicious script can be injected and subsequently executed when a user loads the affected page. This results in a limited impact on the confidentiality and integrity of user session information, while availability remains unaffected.
|
|||||
| CVE-2025-42969 | 2025-07-08 | N/A | 6.1 MEDIUM | ||
|
SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject a malicious script into a dynamically crafted URL. The victim, when tricked into clicking on this crafted URL unknowingly executes the malicious payload in their browser. On successful exploitation, the attacker can access or modify sensitive information within the scope of victim's web browser, with no impact on availability of the application.
|
|||||
| CVE-2025-42962 | 2025-07-08 | N/A | 6.1 MEDIUM | ||
|
SAP Business Warehouse (Business Explorer Web) allows an attacker to create a malicious link. If an authenticated user clicks on this link, the injected script gets executed within the scope of victim�s browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted.
|
|||||
| CVE-2024-6986 | 1 Lollms | 1 Lollms Web Ui | 2025-07-08 | N/A | 5.4 MEDIUM |
|
A Cross-site Scripting (XSS) vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'full_template' variable directly as HTML. This allows an attacker to execute malicious JavaScript code by injecting a payload into the 'System Template' input field under main configurations.
|
|||||
| CVE-2025-2205 | 1 Mooveagency | 1 Gdpr Cookie Compliance | 2025-07-08 | N/A | 4.4 MEDIUM |
|
The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affe ...
Show More |
|||||
| CVE-2025-5585 | 1 Siteorigin | 1 Siteorigin Widgets Bundle | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6689 | 1 Fl3r | 1 Fl3r Accessibility Suite | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The FL3R Accessibility Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fl3raccessibilitysuite shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6462 | 1 Ieonly | 1 Ez Sql Reports Shortcode Widget And Db Backup | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6551 | 1 Java-aodeng | 1 Hope-boot | 2025-07-08 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-50699 | 1 Phpgurukul | 1 Online Dj Booking Management System | 2025-07-08 | N/A | 6.1 MEDIUM |
|
PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in odms/admin/view-user-queries.php.
|
|||||
| CVE-2025-52896 | 1 Frappe | 1 Frappe | 2025-07-08 | N/A | 5.4 MEDIUM |
|
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.
|
|||||
| CVE-2025-6686 | 1 Pwrplugins | 1 Magic Buttons For Elementor | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6687 | 1 Pwrplugins | 1 Magic Buttons For Elementor | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-5842 | 1 Getbutterfly | 1 Modern Design Library | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The Modern Design Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6212 | 1 Themefic | 1 Ultimate Addons For Contact Form 7 | 2025-07-08 | N/A | 7.2 HIGH |
|
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized values. Later, the admin-side AJAX endpoint ajax_get_table_data() returns those raw names as JSON column headers, and the client-side DataTables renderer injects them directly into the DOM without any HTML encoding. This ma ...
Show More |
|||||
| CVE-2025-5338 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1024 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6546 | 1 Azumbro | 1 Drive Folder Embedder | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The Drive Folder Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tablecssclass’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6537 | 1 Mdezign | 1 Namasha | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The Namasha By Mdesign plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘playicon_title’ parameter in all versions up to, and including, 1.2.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-5929 | 1 Zourbuth | 1 The Countdown | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The The Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘clientId’ parameter in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-6290 | 1 Blakelong | 1 Tournament Bracket Generator | 2025-07-08 | N/A | 6.4 MEDIUM |
|
The Tournament Bracket Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bracket' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||