Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3581 | 1 Thenewsletterplugin | 1 Newsletter | 2025-06-12 | N/A | 4.8 MEDIUM |
|
The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-4652 | 1 Broadstreetads | 1 Broadstreet | 2025-06-12 | N/A | 6.1 MEDIUM |
|
The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2025-48143 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in salesup2019 Formulario de contacto SalesUp! allows Reflected XSS. This issue affects Formulario de contacto SalesUp!: from n/a through 1.0.14.
|
|||||
| CVE-2025-31917 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player allows Reflected XSS. This issue affects Universal Video Player: from n/a through 3.8.3.
|
|||||
| CVE-2025-32305 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sneeit FlatNews allows Reflected XSS. This issue affects FlatNews: from n/a through 5.8.
|
|||||
| CVE-2025-31638 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.
|
|||||
| CVE-2025-49130 | 2025-06-12 | N/A | N/A | ||
|
Laravel Translation Manager is a package to manage Laravel translation files. Prior to version 0.6.8, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Only authenticated users with access t ...
Show More |
|||||
| CVE-2025-31925 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup SHOUT allows Reflected XSS. This issue affects SHOUT: from n/a through 3.5.3.
|
|||||
| CVE-2025-47487 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moreconvert MC Woocommerce Wishlist allows Reflected XSS. This issue affects MC Woocommerce Wishlist: from n/a through 1.9.1.
|
|||||
| CVE-2025-31426 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Sticky Radio Player allows Reflected XSS. This issue affects Sticky Radio Player: from n/a through 3.4.
|
|||||
| CVE-2025-47598 | 2025-06-12 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in click5 History Log by click5 allows Stored XSS. This issue affects History Log by click5: from n/a through 1.0.13.
|
|||||
| CVE-2025-31058 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Revolution Video Player allows Reflected XSS. This issue affects Revolution Video Player: from n/a through 2.9.2.
|
|||||
| CVE-2025-39539 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quitenicestuff Soho Hotel allows Reflected XSS. This issue affects Soho Hotel: from n/a through 4.2.5.
|
|||||
| CVE-2025-47477 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in revmakx Backup and Staging by WP Time Capsule allows Reflected XSS. This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.23.
|
|||||
| CVE-2025-48279 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Richard Perdaan WC MyParcel Belgium allows Reflected XSS. This issue affects WC MyParcel Belgium: from 4.5.5 through beta.
|
|||||
| CVE-2025-31057 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player allows Reflected XSS. This issue affects Universal Video Player: from n/a through 1.4.0.
|
|||||
| CVE-2025-31061 | 2025-06-12 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redqteam Wishlist allows Reflected XSS. This issue affects Wishlist: from n/a through 2.1.0.
|
|||||
| CVE-2025-31325 | 2025-06-12 | N/A | 5.8 MEDIUM | ||
|
Due to a Cross-Site Scripting vulnerability in SAP NetWeaver (ABAP Keyword Documentation), an unauthenticated attacker could inject malicious JavaScript into a web page through an unprotected parameter. When a victim accesses the affected page, the script executes in their browser, providing the attacker limited access to restricted information. The vulnerability does not affect data integrity or availability and operates entirely within the context of the client's browser.
|
|||||
| CVE-2025-5742 | 2025-06-12 | N/A | 5.4 MEDIUM | ||
|
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
vulnerability exists when an authenticated user modifies configuration parameters on the web server
|
|||||
| CVE-2025-3117 | 2025-06-12 | N/A | 5.4 MEDIUM | ||
|
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability
exists impacting configuration file paths that could cause an unvalidated data injected by authenticated
malicious user leading to modify or read data in a victim’s browser.
|
|||||
| CVE-2025-42990 | 2025-06-12 | N/A | 3.0 LOW | ||
|
Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to the attacker controlled URL. This issue could impact the integrity of the application. Confidentiality or Availability are not impacted.
|
|||||
| CVE-2025-3899 | 2025-06-12 | N/A | 5.4 MEDIUM | ||
|
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability
exists in Certificates page on Webserver that could cause an unvalidated data injected by authenticated
malicious user leading to modify or read data in a victim’s browser.
|
|||||
| CVE-2025-3905 | 2025-06-12 | N/A | 5.4 MEDIUM | ||
|
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability
exists impacting PLC system variables that could cause an unvalidated data injected by authenticated
malicious user leading to modify or read data in a victim’s browser.
|
|||||
| CVE-2025-32465 | 2025-06-12 | N/A | N/A | ||
|
A stored XSS vulnerability in RSTickets! component 1.9.12 - 3.3.0 for Joomla was discovered. It allows attackers to perform cross-site scripting (XSS) attacks via sending crafted payload.
|
|||||
| CVE-2025-3302 | 2025-06-12 | N/A | 7.2 HIGH | ||
|
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘HTTP_REFERER’ parameter in all versions up to, and including, 7.1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.1.0.0.
|
|||||
| CVE-2025-4666 | 2025-06-12 | N/A | 6.4 MEDIUM | ||
|
The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-8701 | 1 Snumb130 | 1 Events Calendar | 2025-06-12 | N/A | 4.8 MEDIUM |
|
The events-calendar WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-8492 | 1 Wpmudev | 1 Hustle | 2025-06-12 | N/A | 4.8 MEDIUM |
|
The Hustle WordPress plugin through 7.8.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2024-8397 | 1 Webtoffee | 1 Gdpr Cookie Consent | 2025-06-12 | N/A | 5.4 MEDIUM |
|
The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context.
|
|||||
| CVE-2024-8284 | 1 W3eden | 1 Download Manager | 2025-06-12 | N/A | 4.8 MEDIUM |
|
The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2024-11266 | 1 Pixeljar | 1 Geocache Stat Bar Widget | 2025-06-12 | N/A | 4.8 MEDIUM |
|
The Geocache Stat Bar Widget WordPress plugin through 0.911 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-24062 | 1 Aitangbao | 1 Springboot-manager | 2025-06-12 | N/A | 5.4 MEDIUM |
|
springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/role.
|
|||||
| CVE-2024-24060 | 1 Aitangbao | 1 Springboot-manager | 2025-06-12 | N/A | 5.4 MEDIUM |
|
springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/user.
|
|||||
| CVE-2023-5758 | 1 Mozilla | 1 Firefox | 2025-06-12 | N/A | 6.1 MEDIUM |
|
When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack. This vulnerability affects Firefox for iOS < 119.
|
|||||
| CVE-2024-11221 | 1 Mohsinrasool | 1 Full Screen \(page\) Background Image Slideshow | 2025-06-12 | N/A | 4.8 MEDIUM |
|
The Full Screen (Page) Background Image Slideshow WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-11190 | 1 Jidaikobo | 1 Jwp-a11y | 2025-06-12 | N/A | 4.8 MEDIUM |
|
The jwp-a11y WordPress plugin through 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-11141 | 1 Jontasc | 1 Sailthru Triggermail | 2025-06-12 | N/A | 6.1 MEDIUM |
|
The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings and is missing CSRF protection which could allow subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-10818 | 1 Wvega | 1 Jsfiddle Shortcode | 2025-06-12 | N/A | 5.4 MEDIUM |
|
The JSFiddle Shortcode WordPress plugin before 1.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-10639 | 1 Klarned | 1 Auto Prune Posts | 2025-06-12 | N/A | 4.8 MEDIUM |
|
The Auto Prune Posts WordPress plugin before 3.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-10143 | 1 Deluxeblogtips | 1 Mb Custom Post Types \& Custom Taxonomies | 2025-06-12 | N/A | 4.8 MEDIUM |
|
The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||