Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5967 | 2025-07-03 | N/A | N/A | ||
|
A stored cross-site scripting vulnerability in ENS HX 10.0.4 allows a malicious user to inject arbitrary HTML into the ENS HX Malware Scan Name field, resulting in the exposure of sensitive data.
|
|||||
| CVE-2025-5314 | 2025-07-03 | N/A | 6.1 MEDIUM | ||
|
The Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via the ‘pdf-source’ parameter in all versions up to, and including, 2.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-49032 | 2025-07-03 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Gutenberg Blocks allows Stored XSS.This issue affects Gutenberg Blocks: from n/a through 3.3.1.
|
|||||
| CVE-2025-6725 | 2025-07-03 | N/A | 5.4 MEDIUM | ||
|
In the PdfViewer component, a Cross-Site Scripting (XSS) vulnerability is possible if a specially-crafted document has already been loaded and the user engages with a tool that requires the DOM to be re-rendered.
|
|||||
| CVE-2025-2540 | 2025-07-03 | N/A | 6.4 MEDIUM | ||
|
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library (version 3.1.6) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-2537 | 2025-07-03 | N/A | 6.4 MEDIUM | ||
|
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library (version 3.1) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-52462 | 2025-07-03 | N/A | 6.1 MEDIUM | ||
|
Cross-site scripting vulnerability exists in Active! mail 6 BuildInfo: 6.30.01004145 to 6.60.06008562. If this vulnerability is exploited, an arbitrary script may be executed on the logged-in user's web browser when the user is accessing a specially crafted URL.
|
|||||
| CVE-2025-40723 | 2025-07-03 | N/A | N/A | ||
|
Stored Cross-Site Scripting (XSS) vulnerability in versions prior to Flatboard 3.2.2 of Flatboard Pro, consisting of a stored XSS due to lack of proper validation of user input, through the footer_text and announcement parameters in config.php.
|
|||||
| CVE-2024-9017 | 2025-07-03 | N/A | 7.2 HIGH | ||
|
The PeepSo Core: Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Group Description field in all versions up to, and including, 6.4.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-5647 | 2025-07-03 | N/A | 6.4 MEDIUM | ||
|
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream libr ...
Show More |
|||||
| CVE-2025-40722 | 2025-07-03 | N/A | N/A | ||
|
Stored Cross-Site Scripting (XSS) vulnerability in versions prior to Flatboard 3.2.2 of Flatboard Pro, consisting of a stored XSS due to lack of proper validation of user input, through the replace parameter in /config.php/tags.
|
|||||
| CVE-2024-33210 | 1 Flatpress | 1 Flatpress | 2025-07-03 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability has been identified in Flatpress 1.3. This vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users.
|
|||||
| CVE-2024-45960 | 1 Tribalsystems | 1 Zenario | 2025-07-03 | N/A | 4.8 MEDIUM |
|
Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack.
|
|||||
| CVE-2024-45964 | 1 Tribalsystems | 1 Zenario | 2025-07-03 | N/A | 4.8 MEDIUM |
|
Zenario 9.7.61188 is vulnerable to Cross Site Scripting (XSS) in the Image library via the "Organizer tags" field.
|
|||||
| CVE-2024-46409 | 1 Seeddms | 1 Seeddms | 2025-07-03 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in SeedDMS v6.0.28 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter in the Calendar page.
|
|||||
| CVE-2024-42901 | 1 Limesurvey | 1 Limesurvey | 2025-07-03 | N/A | 4.8 MEDIUM |
|
A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file.
|
|||||
| CVE-2024-44085 | 1 Onlyoffice | 1 Onlyoffice | 2025-07-03 | N/A | 6.1 MEDIUM |
|
ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883.
|
|||||
| CVE-2024-57599 | 1 Douco | 1 Douphp | 2025-07-03 | N/A | 4.8 MEDIUM |
|
Cross Site Scripting vulnerability in DouPHP v.1.8 Release 20231203 allows attackers to execute arbitrary code via a crafted payload injected into the description parameter in /admin/article.php
|
|||||
| CVE-2024-33297 | 1 Microweber | 1 Microweber | 2025-07-03 | N/A | 4.7 MEDIUM |
|
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function
|
|||||
| CVE-2024-33298 | 1 Microweber | 1 Microweber | 2025-07-03 | N/A | 6.1 MEDIUM |
|
Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup
|
|||||
| CVE-2024-33299 | 1 Microweber | 1 Microweber | 2025-07-03 | N/A | 4.7 MEDIUM |
|
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users
|
|||||
| CVE-2024-53620 | 1 Spip | 1 Spip | 2025-07-03 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the Article module of SPIP v4.3.3 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
|
|||||
| CVE-2024-55239 | 1 Portabilis | 1 I-educar | 2025-07-03 | N/A | 5.4 MEDIUM |
|
A reflected Cross-Site Scripting vulnerability in the standard documentation upload functionality in Portabilis i-Educar 2.9 allows attacker to craft malicious urls with arbitrary javascript in the 'titulo_documento' parameter.
|
|||||
| CVE-2025-49262 | 1 Sinaextra | 1 Sina Extension For Elementor | 2025-07-02 | N/A | 7.6 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shaonsina Sina Extension for Elementor allows Stored XSS. This issue affects Sina Extension for Elementor: from n/a through 3.6.1.
|
|||||
| CVE-2025-5291 | 1 Averta | 1 Master Slider | 2025-07-02 | N/A | 6.4 MEDIUM |
|
The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's masterslider_pb and ms_slide shortcodes in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-4955 | 1 Amauri | 1 Tarteaucitron.io | 2025-07-02 | N/A | 4.7 MEDIUM |
|
The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks.
|
|||||
| CVE-2025-45661 | 1 Heavenspell | 1 Minitcg | 2025-07-02 | N/A | 5.9 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in miniTCG v1.3.1 beta allows attackers to execute abritrary web scripts or HTML via injecting a crafted payload into the id parameter at /members/edit.php.
|
|||||
| CVE-2025-2714 | 1 Joomlaux | 1 Jux Real Estate | 2025-07-02 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /extensions/realestate/index.php/agents/agent-register/addagent. The manipulation of the argument plan_id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-13205 | 1 Kurniaramadhan | 1 E-commerce-php | 2025-07-02 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in kurniaramadhan E-Commerce-PHP 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/create_product.php of the component Create Product Page. The manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-12893 | 1 Portabilis | 1 I-educar | 2025-07-02 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar up to 2.9. Affected by this issue is some unknown functionality of the file /usuarios/tipos/2 of the component Tipo de Usuário Page. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-5034 | 1 Joomunited | 1 Wp File Download | 2025-07-02 | N/A | 7.1 HIGH |
|
The wp-file-download WordPress plugin before 6.2.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2025-46178 | 1 Vishalmathur | 1 Cloudclassroom-php Project | 2025-07-02 | N/A | 6.1 MEDIUM |
|
Cross-Site Scripting (XSS) vulnerability exists in askquery.php via the eid parameter in the CloudClassroom PHP Project. This allows remote attackers to inject arbitrary JavaScript in the context of a victim s browser session by sending a crafted URL, leading to session hijacking or defacement.
|
|||||
| CVE-2025-0513 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2025-07-02 | N/A | 5.4 MEDIUM |
|
In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message.
|
|||||
| CVE-2025-6613 | 1 Anujk305 | 1 Hospital Management System | 2025-07-02 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in PHPGurukul Hospital Management System 4.0. Affected by this vulnerability is an unknown functionality of the file /doctor/manage-patient.php. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-44091 | 1 Yangyouwang | 1 Crud | 2025-07-02 | N/A | 5.4 MEDIUM |
|
yangyouwang crud v1.0.0 is vulnerable to Cross Site Scripting (XSS) via the role management function.
|
|||||
| CVE-2025-46611 | 1 Artec-it | 1 Ema | 2025-07-02 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in ARTEC EMA Mail v6.92 allows an attacker to execute arbitrary code via a crafted script.
|
|||||
| CVE-2025-32794 | 1 Open-emr | 1 Openemr | 2025-07-02 | N/A | 7.6 HIGH |
|
OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the First and Last Name fields during patient registration. This code is later executed when viewing the patient's encounter under Orders → Procedure Orders. Version 7 ...
Show More |
|||||
| CVE-2025-43860 | 1 Open-emr | 1 Openemr | 2025-07-02 | N/A | 7.6 HIGH |
|
OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation and editing privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the (1) Text Box fields of Address, Address Line 2, Postal Code and City fields and (2) Drop Down menu options of Address Use, State and Country of the Ad ...
Show More |
|||||
| CVE-2021-36875 | 1 Stylemixthemes | 1 Ulisting | 2025-07-01 | 3.5 LOW | 5.9 MEDIUM |
|
Cross-site Scripting (XSS) vulnerability in Stylemix Directory Listings WordPress plugin – uListing allows Reflected XSS.This issue affects Directory Listings WordPress plugin – uListing: from n/a through 2.0.5.
|
|||||
| CVE-2025-27412 | 1 Redaxo | 1 Redaxo | 2025-07-01 | N/A | 6.1 MEDIUM |
|
REDAXO is a PHP-based CMS. In Redaxo from 5.0.0 through 5.18.2, the rex-api-result parameter is vulnerable to Reflected cross-site scripting (XSS) on the page of AddOns. This vulnerability is fixed in 5.18.3.
|
|||||