Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-7086 | 1 Ablyperu | 1 Svg Uploads Support | 2025-06-12 | N/A | 5.4 MEDIUM |
|
The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
|
|||||
| CVE-2023-7088 | 1 Inventivo | 1 Inventivo | 2025-06-12 | N/A | 5.4 MEDIUM |
|
The Add SVG Support for Media Uploader | inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
|
|||||
| CVE-2025-44110 | 1 Fluxbb | 1 Fluxbb | 2025-06-12 | N/A | 5.4 MEDIUM |
|
FluxBB 1.5.11 is vulnerable to Cross Site Scripting (XSS) in via the Forum Description Field in admin_forums.php.
|
|||||
| CVE-2025-47885 | 1 Jenkins | 1 Health Advisor By Cloudbees | 2025-06-12 | N/A | 8.8 HIGH |
|
Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses.
|
|||||
| CVE-2025-48051 | 1 Lichess | 1 Powertip.ts | 2025-06-12 | N/A | 4.7 MEDIUM |
|
powertip.ts in Lila (for Lichess) before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as HTML.
|
|||||
| CVE-2024-45516 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 6.1 MEDIUM |
|
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerabil ...
Show More |
|||||
| CVE-2024-45517 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM |
|
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL.
|
|||||
| CVE-2024-45513 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 4.8 MEDIUM |
|
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser when a crafted vCard (VCF) file is processed and printed. This could lead to unauthorized actions within the victim's session.
|
|||||
| CVE-2024-45514 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM |
|
An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing the injection and execution of arbitrary JavaScript within a victim's session.
|
|||||
| CVE-2024-45512 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM |
|
An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim's session.
|
|||||
| CVE-2024-45511 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM |
|
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A reflected Cross-Site Scripting (XSS) issue exists through the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. This occurs when the victim opens a crafted URL pointing to a shared folder containing a malicious file uploaded by the attacker. The vulnerability allows the attacker to execute arbitrary JavaScript in the context of the victim's session.
|
|||||
| CVE-2024-12716 | 1 Wpkube | 1 Simple Basic Contact Form | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The Simple Basic Contact Form WordPress plugin before 20250114 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-6541 | 1 Wphelpline | 1 Allow Svg | 2025-06-11 | N/A | 6.1 MEDIUM |
|
The Allow SVG WordPress plugin before 1.2.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
|
|||||
| CVE-2023-6783 | 1 Wolfnettech | 1 Wolfnet Idx For Wordpress | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The WolfNet IDX for WordPress plugin through 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-45510 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM |
|
An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper sanitization of user input. This allows an attacker to inject malicious code into specific fields of an e-mail message. When the victim adds the attacker to their contacts, the malicious code is stored and executed when viewing the contact list. This can lead to unauthorized actions such as arbitrary mail sending, mailbox exfil ...
Show More |
|||||
| CVE-2025-29094 | 1 Motivian | 1 Content Management System | 2025-06-11 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Motivian Content Mangment System v.41.0.0 allows a remote attacker to execute arbitrary code via the Marketing/Forms, Marketing/Offers and Content/Pages components.
|
|||||
| CVE-2022-3836 | 1 Seedwebs | 1 Seed Social | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The Seed Social WordPress plugin before 2.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-12722 | 1 Mohsinrasool | 1 Twitter Bootstrap Collapse Aka Accordian Shortcode | 2025-06-11 | N/A | 5.4 MEDIUM |
|
The Twitter Bootstrap Collapse aka Accordian Shortcode WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-12724 | 1 Codeflock | 1 Wp Desklite | 2025-06-11 | N/A | 6.1 MEDIUM |
|
The WP DeskLite WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-12725 | 1 Smartdatasoft | 1 Clasify Classified Listing | 2025-06-11 | N/A | 6.1 MEDIUM |
|
The Clasify Classified Listing WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-12726 | 1 Takien | 1 Clipart | 2025-06-11 | N/A | 6.1 MEDIUM |
|
The ClipArt WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-21911 | 1 Tiny | 1 Tinymce | 2025-06-11 | N/A | 6.1 MEDIUM |
|
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
|
|||||
| CVE-2023-6456 | 1 Ljapps | 1 Wp Review Slider | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The WP Review Slider WordPress plugin before 13.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2023-5943 | 1 Markusbegerow | 1 Wp-adv-quiz | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The Wp-Adv-Quiz WordPress plugin before 1.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
|
|||||
| CVE-2023-4925 | 1 Yikesinc | 1 Easy Forms For Mailchimp | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The Easy Forms for Mailchimp WordPress plugin through 6.8.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2023-48127 | 1 Linecorp | 1 Line | 2025-06-11 | N/A | 5.4 MEDIUM |
|
An issue in myGAKUYA mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.
|
|||||
| CVE-2023-43999 | 1 Linecorp | 1 Line | 2025-06-11 | N/A | 5.4 MEDIUM |
|
An issue in COLORFUL_laundry mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.
|
|||||
| CVE-2023-43988 | 1 Linecorp | 1 Line | 2025-06-11 | N/A | 5.4 MEDIUM |
|
An issue in nature fitness saijo mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.
|
|||||
| CVE-2023-0389 | 1 Codepeople | 1 Calculated Fields Form | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The Calculated Fields Form WordPress plugin before 1.1.151 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2021-24432 | 1 Berocket | 1 Advanced Ajax Product Filters | 2025-06-11 | N/A | 6.1 MEDIUM |
|
The Advanced AJAX Product Filters WordPress plugin does not sanitise the 'term_id' POST parameter before outputting it in the page, leading to reflected Cross-Site Scripting issue.
|
|||||
| CVE-2024-12739 | 1 Annabansaghi | 1 Mobile Contact Bar | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The Mobile Contact Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-6693 | 1 Wp-buy | 1 Wp Content Copy Protection \& No Right Click | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The wccp-pro WordPress plugin before 15.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-6712 | 1 Acugis | 1 Mapfig Studio | 2025-06-11 | N/A | 6.1 MEDIUM |
|
The MapFig Studio WordPress plugin through 0.2.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
|
|||||
| CVE-2024-6713 | 1 Freebiesdownload | 1 Pvn Auth Popup | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-7556 | 1 Missionmike | 1 Simple Share | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The Simple Share WordPress plugin through 0.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-7759 | 1 Magazine3 | 1 Pwa For Wp \& Amp | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-7761 | 1 Presstigers | 1 Simple Job Board | 2025-06-11 | N/A | 6.1 MEDIUM |
|
In the process of testing the Simple Job Board WordPress plugin before 2.12.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor
|
|||||
| CVE-2024-7769 | 1 Clicksold | 1 Clicksold Idx | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The ClickSold IDX WordPress plugin through 1.90 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-5440 | 1 If-so | 1 Dynamic Content Personalization | 2025-06-11 | N/A | 5.4 MEDIUM |
|
The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-6335 | 1 Data443 | 1 Tracking Code Manager | 2025-06-11 | N/A | 4.8 MEDIUM |
|
The Tracking Code Manager WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||