Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4669 | 1 Wpbookingcalendar | 1 Wp Booking Calendar | 2025-06-04 | N/A | 6.4 MEDIUM |
|
The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpbc shortcode in all versions up to, and including, 10.11.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-6708 | 1 Cozmoslabs | 1 Profile Builder | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The User Profile Builder WordPress plugin before 3.12.2 does not sanitise and escape some parameters before outputting its content on the admin area, which allows Admin+ users to perform Cross-Site Scripting attacks.
|
|||||
| CVE-2024-7758 | 1 Stylishpricelist | 1 Stylish Price List | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The Stylish Price List WordPress plugin before 7.1.8 does not sanitise and escape some of its settings, which could allow high privilege users of contributor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-8493 | 1 Stellarwp | 1 The Events Calendar | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-8542 | 1 Wpeverest | 1 Everest Forms | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-8617 | 1 Ays-pro | 1 Quiz Maker | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The Quiz Maker WordPress plugin before 6.5.9.9 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-8619 | 1 Wp-dreams | 1 Ajax Search | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The Ajax Search Lite WordPress plugin before 4.12.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-8620 | 1 Mappresspro | 1 Mappress | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The MapPress Maps for WordPress plugin before 2.93 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-8670 | 1 10web | 1 Photo Gallery | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-9390 | 1 Metagauss | 1 Registrationmagic | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-9599 | 1 Ays-pro | 1 Popup Box | 2025-06-04 | N/A | 5.4 MEDIUM |
|
The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-9645 | 1 Pickplugins | 1 Post Grid | 2025-06-04 | N/A | 5.4 MEDIUM |
|
The Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry WordPress plugin before 2.2.93 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-51475 | 1 Ibm | 1 Content Navigator | 2025-06-04 | N/A | 5.4 MEDIUM |
|
IBM Content Navigator 3.0.11, 3.0.15, and 3.1.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
|
|||||
| CVE-2025-27706 | 1 Absolute | 1 Secure Access | 2025-06-04 | N/A | 3.4 LOW |
|
CVE-2025-27706 is a cross-site scripting vulnerability in the management
console of Absolute Secure Access prior to version 13.54. Attackers
with system administrator permissions can interfere with another system
administrator’s use of the management console when the second
administrator visits the page. Attack complexity is low, there are no
preexisting attack requirements, privileges required are high and active
user interaction is required. There is no impact on confidentiality,
the im ...
Show More |
|||||
| CVE-2025-41406 | 1 Uchida | 2 Wivia 5, Wivia 5 Firmware | 2025-06-04 | N/A | 6.1 MEDIUM |
|
Cross-site scripting vulnerability exists in wivia 5 all versions. If exploited, when a user connects to the affected device with a specific operation, an arbitrary script may be executed on the web browser of the moderator user.
|
|||||
| CVE-2025-48486 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM |
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the cross-site scripiting (XSS) vulnerability is caused by the lack of input validation and sanitization in both \Session::flash and __, allowing user input to be executed without proper filtering. This issue has been patched in version 1.8.180.
|
|||||
| CVE-2025-48487 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 4.8 MEDIUM |
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when creating a translation of a phrase that appears in a flash-message after a completed action, it is possible to inject a payload to exploit XSS vulnerability. This issue has been patched in version 1.8.180.
|
|||||
| CVE-2025-48488 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM |
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, deleting the file .htaccess allows an attacker to upload an HTML file containing malicious JavaScript code to the server, which can result in a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.180.
|
|||||
| CVE-2025-48489 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 4.8 MEDIUM |
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to insufficient data validation and sanitization during data reception. This issue has been patched in version 1.8.180.
|
|||||
| CVE-2025-48875 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM |
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181.
|
|||||
| CVE-2024-4419 | 1 Pjaudiomv | 1 Fetch Jft | 2025-06-04 | N/A | 4.4 MEDIUM |
|
The Fetch JFT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been dis ...
Show More |
|||||
| CVE-2024-12348 | 1 Jpress | 1 Jpress | 2025-06-04 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in Guizhou Xiaoma Technology jpress 5.1.2. It has been classified as problematic. Affected is the function AttachmentUtils.isUnSafe of the file /commons/attachment/upload of the component Attachment Upload Handler. The manipulation of the argument files[] leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-4943 | 1 La-studioweb | 1 Element Kit For Elementor | 2025-06-04 | N/A | 6.4 MEDIUM |
|
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-lakit-element-link’ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-5236 | 1 Ninjateam | 1 Chat For Telegram | 2025-06-04 | N/A | 6.4 MEDIUM |
|
The NinjaTeam Chat for Telegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-5235 | 1 Opensheetmusicdisplay | 1 Opensheetmusicdisplay | 2025-06-04 | N/A | 6.4 MEDIUM |
|
The OpenSheetMusicDisplay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1103 | 1 Codeastro | 1 Real Estate Management System | 2025-06-04 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in CodeAstro Real Estate Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file profile.php of the component Feedback Form. The manipulation of the argument Your Feedback with the input <img src=x onerror=alert(document.cookie)> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252458 is the identifier assigned to this vu ...
Show More |
|||||
| CVE-2024-33526 | 1 Ilias | 1 Ilias | 2025-06-04 | N/A | 7.1 HIGH |
|
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload.
|
|||||
| CVE-2024-33527 | 1 Ilias | 1 Ilias | 2025-06-04 | N/A | 5.4 MEDIUM |
|
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload.
|
|||||
| CVE-2024-33528 | 1 Ilias | 1 Ilias | 2025-06-04 | N/A | 4.7 MEDIUM |
|
A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with tutor privileges to inject arbitrary web script or HTML via XML file upload.
|
|||||
| CVE-2024-48906 | 1 Sematell | 1 Replyone | 2025-06-04 | N/A | 6.1 MEDIUM |
|
Sematell ReplyOne 7.4.3.0 allows XSS via a ReplyDesk e-mail attachment name.
|
|||||
| CVE-2024-32674 | 1 Heateor | 1 Social Login | 2025-06-04 | N/A | 5.4 MEDIUM |
|
Heateor Social Login WordPress prior to 1.1.32 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product.
|
|||||
| CVE-2024-27728 | 1 Friendica | 1 Friendica | 2025-06-04 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the text parameter of the babel debug feature.
|
|||||
| CVE-2024-46278 | 1 Sismics | 1 Teedy | 2025-06-04 | N/A | 8.4 HIGH |
|
Teedy 1.11 is vulnerable to Cross Site Scripting (XSS) via the management console.
|
|||||
| CVE-2024-8521 | 1 Wavelog | 1 Wavelog | 2025-06-04 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in Wavelog up to 1.8.0. Affected is the function index of the file /qso of the component Live QSO. The manipulation of the argument manual leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.8.1 is able to address this issue. The patch is identified as b31002cec6b71ab5f738881806bb546430ec692e. It is recommended to upgrade th ...
Show More |
|||||
| CVE-2024-10076 | 1 Automattic | 2 Jetpack, Jetpack Boost | 2025-06-04 | N/A | 5.9 MEDIUM |
|
The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and above users to perform Stored XSS attacks
|
|||||
| CVE-2024-13238 | 1 Typogrify Project | 1 Typogrify | 2025-06-04 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Typogrify allows Cross-Site Scripting (XSS).This issue affects Typogrify: from 0.0.0 before 1.3.0.
|
|||||
| CVE-2024-13237 | 1 File Entity Project | 1 File Entity | 2025-06-04 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS).This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38.
|
|||||
| CVE-2024-8854 | 1 Codepeople | 1 Polls Cp | 2025-06-04 | N/A | 5.4 MEDIUM |
|
The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup).
|
|||||
| CVE-2024-8851 | 1 Codepeople | 1 Polls Cp | 2025-06-04 | N/A | 5.4 MEDIUM |
|
The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup).
|
|||||
| CVE-2023-5932 | 1 Travelpayouts | 1 Travelpayouts | 2025-06-04 | N/A | 4.8 MEDIUM |
|
The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||