Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-6941 | 1 Keap | 1 Official Opt-in Forms | 2025-06-20 | N/A | 4.8 MEDIUM | The Keap Official Opt-in Forms WordPress plugin through 1.0.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). |
| CVE-2023-51064 | 1 Qstar | 1 Archive Storage Manager | 2025-06-20 | N/A | 6.1 MEDIUM | QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based reflected XSS vulnerability within the component qnme-ajax?method=tree_table. |
| CVE-2023-4757 | 1 Miniorange | 1 Staff / Employee Business Directory For Active Directory | 2025-06-20 | N/A | 5.4 MEDIUM | The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin. |
| CVE-2023-3647 | 1 Indigitall | 1 Iurny | 2025-06-20 | N/A | 4.8 MEDIUM | The IURNY by INDIGITALL WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2023-3372 | 1 Lana | 1 Lana Shortcodes | 2025-06-20 | N/A | 5.4 MEDIUM | The Lana Shortcodes WordPress plugin before 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2023-0479 | 1 Tychesoftwares | 1 Print Invoice & Delivery Notes For Woocommerce | 2025-06-20 | N/A | 6.1 MEDIUM | The Print Invoice & Delivery Notes for WooCommerce WordPress plugin before 4.7.2 is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orders page. This means that this vulnerability can be exploited for users with the edit_others_shop_orders capability. WooCommerce must be installed and active. This vulnerability is caused by a urldecode() after cleanup with esc_url_raw(), allowing double encoding. |
| CVE-2022-3829 | 1 Newnine | 1 Font Awesome 4 Menus | 2025-06-20 | N/A | 4.8 MEDIUM | The Font Awesome 4 Menus WordPress plugin through 4.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2022-3739 | 1 Subina | 1 Wp Best Quiz | 2025-06-20 | N/A | 5.4 MEDIUM | The WP Best Quiz WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks. |
| CVE-2022-0402 | 1 Super-forms | 1 Super Forms | 2025-06-20 | N/A | 6.1 MEDIUM | The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bob_czy_panstwa_sprawa_zostala_rozwiazana parameter before outputting it back in an attribute via the super_language_switcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user. |
| CVE-2021-24559 | 1 Patrickposner | 1 Qyrr | 2025-06-20 | N/A | 5.4 MEDIUM | The Qyrr WordPress plugin before 0.7 does not escape the data-uri of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks. Furthermore, the data_uri_to_meta AJAX action, available to all authenticated users, only had a CSRF check in place, with the nonce available to users with a role as low as Contributor allowing any user with such role (and above) to set a malicious data-uri in arbitrary QR Code posts, leading to a Stored Cross-Site Scripting issue. |
| CVE-2025-3440 | 1 Ibm | 1 Security Guardium | 2025-06-20 | N/A | 5.5 MEDIUM | IBM Security Guardium 11.5 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
| CVE-2025-1155 | 1 Webkul | 1 Qloapps | 2025-06-20 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. This affects an unknown part of the file /stores of the component Your Location Search. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. It is planned to remove this page in the long term. |
| CVE-2025-1114 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-06-20 | 4.0 MEDIUM | 3.5 LOW | A vulnerability classified as problematic has been found in newbee-mall 1.0. Affected is the function save of the file /admin/categories/save of the component Add Category Page. The manipulation of the argument categoryName leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases a ... |
| CVE-2025-3900 | 1 Colorbox Project | 1 Colorbox | 2025-06-20 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox: from 0.0.0 before 2.1.3. |
| CVE-2023-51252 | 1 Publiccms | 1 Publiccms | 2025-06-20 | N/A | 5.4 MEDIUM | PublicCMS 4.0 is vulnerable to Cross Site Scripting (XSS). Because files can be uploaded and an online preview function is provided, pdf files and html files containing malicious code can be uploaded, and an XSS popup window is realized through online viewing. |
| CVE-2020-26628 | 1 Phpgurukul | 1 Hospital Management System | 2025-06-20 | N/A | 6.1 MEDIUM | A Cross-Site Scripting (XSS) vulnerability was discovered in Hospital Management System V4.0 which allows an attacker to execute arbitrary web scripts or HTML code via a malicious payload appended to a username on the 'Edit Profile' page and triggered by another user visiting the profile. |
| CVE-2025-5886 | 1 Emlog | 1 Emlog | 2025-06-20 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in Emlog up to 2.5.7 and classified as problematic. This issue affects some unknown processing of the file /admin/article.php. The manipulation of the argument active_post leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-48447 | 1 Lightgallery Project | 1 Lightgallery | 2025-06-20 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Lightgallery allows Cross-Site Scripting (XSS). This issue affects Lightgallery: from 0.0.0 before 1.6.0. |
| CVE-2025-5138 | | | 2025-06-20 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in Bitwarden up to 2.25.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-3901 | 1 Bootstrap Site Alert Project | 1 Bootstrap Site Alert | 2025-06-18 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Bootstrap Site Alert allows Cross-Site Scripting (XSS). This issue affects Bootstrap Site Alert: from 0.0.0 before 1.13.0, from 3.0.0 before 3.0.4. |
| CVE-2024-21133 | 1 Oracle | 1 Reports Developer | 2025-06-18 | N/A | 6.1 MEDIUM | Vulnerability in the Oracle Reports Developer product of Oracle Fusion Middleware (component: Servlet). Supported versions that are affected are 12.2.1.4.0 and 12.2.1.19.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Reports Developer. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Reports Developer, attacks may significantly impact additional pro ... |
| CVE-2024-21066 | 1 Oracle | 1 Database Server | 2025-06-18 | N/A | 4.2 MEDIUM | Vulnerability in the RDBMS component of Oracle Database Server. Supported versions that are affected are 19.3-19.22 and 21.3-21.13. Easily exploitable vulnerability allows high privileged attacker having Authenticated User privilege with logon to the infrastructure where RDBMS executes to compromise RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete ... |
| CVE-2024-33670 | 1 Passbolt | 1 Passbolt Api | 2025-06-18 | N/A | 4.3 MEDIUM | Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page. |
| CVE-2023-40287 | 1 Supermicro | 6 X11sae-f, X11sae-f Firmware, X11sse-f and 3 more | 2025-06-18 | N/A | 8.3 HIGH | An issue was discovered on Supermicro X11SSM-F, X11SAE-F, and X11SSE-F 1.66 devices. An attacker could exploit an XSS issue. |
| CVE-2023-40288 | 1 Supermicro | 6 X11sae-f, X11sae-f Firmware, X11sse-f and 3 more | 2025-06-18 | N/A | 8.3 HIGH | An issue was discovered on Supermicro X11SSM-F, X11SAE-F, and X11SSE-F 1.66 devices. An attacker could exploit an XSS issue. |
| CVE-2023-40290 | 1 Supermicro | 6 X11sae-f, X11sae-f Firmware, X11sse-f and 3 more | 2025-06-18 | N/A | 8.3 HIGH | An issue was discovered on Supermicro X11SSM-F, X11SAE-F, and X11SSE-F 1.66 devices. An attacker could exploit an XSS issue that affects Internet Explorer 11 on Windows. |
| CVE-2023-40286 | 1 Supermicro | 6 X11sae-f, X11sae-f Firmware, X11sse-f and 3 more | 2025-06-18 | N/A | 8.3 HIGH | An issue was discovered on Supermicro X11SSM-F, X11SAE-F, and X11SSE-F 1.66 devices. An attacker could exploit an XSS issue. |
| CVE-2024-34899 | 1 Wwbn | 1 Avideo | 2025-06-18 | N/A | 5.4 MEDIUM | WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2023-6627 | 1 Codecabin | 1 Wp Go Maps | 2025-06-18 | N/A | 6.1 MEDIUM | The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site. |
| CVE-2023-6555 | 1 I13websolution | 1 Email Subscription Popup | 2025-06-18 | N/A | 6.1 MEDIUM | The Email Subscription Popup WordPress plugin before 1.2.20 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2023-6529 | 1 Rextheme | 1 Wp Vr | 2025-06-18 | N/A | 6.1 MEDIUM | The WP VR WordPress plugin before 8.3.15 does not have authorisation and CSRF checks in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities. |
| CVE-2023-27000 | 1 Netscout | 1 Ngeniusone | 2025-06-18 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code via the name parameter of the Profile and Exclusion List page(s). |
| CVE-2024-36656 | 1 Minthcm | 1 Minthcm | 2025-06-18 | N/A | 6.1 MEDIUM | In MintHCM 4.0.3, a registered user can execute arbitrary JavaScript code and achieve a reflected Cross-site Scripting (XSS) attack. |
| CVE-2023-6621 | 1 Wpexperts | 1 Post Smtp | 2025-06-18 | N/A | 6.1 MEDIUM | The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2023-6141 | 1 G5plus | 1 Essential Real Estate | 2025-06-18 | N/A | 5.4 MEDIUM | The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS attacks. |
| CVE-2023-5911 | 1 Hamidrezasepehr | 1 Wp Custom Cursors \| Wordpress Cursor Plugin | 2025-06-18 | N/A | 4.8 MEDIUM | The WP Custom Cursors \| WordPress Cursor Plugin WordPress plugin through 3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2023-27739 | 1 Easyxdm | 1 Easyxdm | 2025-06-18 | N/A | 6.1 MEDIUM | easyXDM 2.5 allows XSS via the xdm_e parameter. |
| CVE-2025-48915 | 1 Drupal | 1 Cookies Consent Management | 2025-06-18 | N/A | 8.6 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15. |
| CVE-2025-48914 | 1 Drupal | 1 Cookies Consent Management | 2025-06-18 | N/A | 8.6 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15. |
| CVE-2025-5420 | 1 Juzaweb | 1 Cms | 2025-06-18 | 4.0 MEDIUM | 3.5 LOW | A vulnerability classified as problematic was found in juzaweb CMS up to 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/file-manager/upload of the component Profile Page. The manipulation of the argument Upload leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |