Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-5529 | 1 Pagevisitcounter | 1 Advanced Page Visit Counter | 2025-06-04 | N/A | 4.8 MEDIUM | The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2025-3742 | 1 Dfactory | 1 Responsive Lightbox | 2025-06-04 | N/A | 6.8 MEDIUM | The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2024-2870 | 1 Swiftideas | 1 Swift Framework | 2025-06-04 | N/A | 6.1 MEDIUM | The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2024-2696 | 1 Swiftideas | 1 Swift Framework | 2025-06-04 | N/A | 4.8 MEDIUM | The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-23941 | 1 Group-office | 1 Group Office | 2025-06-04 | N/A | 5.4 MEDIUM | Cross-site scripting vulnerability exists in Group Office prior to v6.6.182, prior to v6.7.64 and prior to v6.8.31, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product. |
| CVE-2024-23172 | 1 Mediawiki | 1 Mediawiki | 2025-06-04 | N/A | 5.4 MEDIUM | An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions, e.g., in SpecialCheckUserLog. |
| CVE-2024-23031 | 1 Eyoucms | 1 Eyoucms | 2025-06-04 | N/A | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in the is_water parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via a crafted URL. |
| CVE-2022-37137 | 1 Techvill | 1 Paymoney | 2025-06-04 | N/A | 5.4 MEDIUM | PayMoney 3.3 is vulnerable to Stored Cross-Site Scripting (XSS) when replying to a ticket. The XSS can be obtained by injecting a specially crafted payload into the "Message" field via the "description" parameter. The XSS is then triggered afterwards, or can be accessed from the view ticket function. |
| CVE-2024-13252 | 1 Tacjs Project | 1 Tacjs | 2025-06-04 | N/A | 5.4 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal TacJS allows Cross-Site Scripting (XSS). This issue affects TacJS: from 0.0.0 before 6.5.0. |
| CVE-2025-48483 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data during mail signature sanitization. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Additionally, if ... |
| CVE-2025-48484 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data in the conversation POST data body. This issue has been patched in version 1.8.178. |
| CVE-2024-13247 | 1 Coffee Project | 1 Coffee | 2025-06-04 | N/A | 4.8 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Coffee allows Cross-Site Scripting (XSS). This issue affects Coffee: from 0.0.0 before 1.4.0. |
| CVE-2025-31679 | 1 Ignition Error Pages Project | 1 Ignition Error Pages | 2025-06-04 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Ignition Error Pages allows Cross-Site Scripting (XSS). This issue affects Ignition Error Pages: from 0.0.0 before 1.0.4. |
| CVE-2023-5958 | 1 Wpexperts | 1 Post Smtp | 2025-06-04 | N/A | 6.1 MEDIUM | The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users. |
| CVE-2025-3919 | | | 2025-06-04 | N/A | 6.4 MEDIUM | The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administ ... |
| CVE-2025-5532 | | | 2025-06-04 | N/A | 6.4 MEDIUM | The Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an in ... |
| CVE-2025-4224 | | | 2025-06-04 | N/A | 7.2 HIGH | The wpForo + wpForo Advanced Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via media upload names in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-5340 | | | 2025-06-04 | N/A | 6.4 MEDIUM | The Music Player for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'album_buy_url' parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-4420 | | | 2025-06-04 | N/A | 6.4 MEDIUM | The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'containerWidth' parameter in all versions up to, and including, 1.3.1 due to a missing capability check on the vayu_blocks_option_panel_callback() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execut ... |
| CVE-2025-5116 | | | 2025-06-04 | N/A | 6.4 MEDIUM | The WP Plugin Info Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'containerid' parameter in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue is due to an incomplete patch for CVE-2025-31835. |
| CVE-2025-4205 | | | 2025-06-04 | N/A | 6.4 MEDIUM | The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'popupID' parameter in all versions up to, and including, 1.20.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-4392 | | | 2025-06-04 | N/A | 7.2 HIGH | The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML file uploads in all versions up to, and including, 1.7.48 due to insufficient input sanitization and output escaping within the sanitize_file() function. This makes it possible for unauthenticated attackers to bypass the plugin's MIME-only checks and inject arbitrary web scripts in pages that will execute whenever a user accesses the HTML file. |
| CVE-2025-4671 | | | 2025-06-04 | N/A | 6.4 MEDIUM | The Profile Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's user_meta and compare shortcodes in all versions up to, and including, 3.13.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-5531 | | | 2025-06-04 | N/A | 6.4 MEDIUM | The Employee Directory – Staff Listing & Team Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an inje ... |
| CVE-2025-48485 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data when an authenticated user updates the profile of an arbitrary customer. This issue has been patched in version 1.8.180. |
| CVE-2025-32598 | 1 Wptablebuilder | 1 Wp Table Builder | 2025-06-04 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Table Builder WP Table Builder allows Reflected XSS. This issue affects WP Table Builder: from n/a through 2.0.4. |
| CVE-2024-23553 | 1 Hcltech | 1 Bigfix Platform | 2025-06-03 | N/A | 3.0 LOW | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to a missing HTTP header attribute. |
| CVE-2024-22241 | 1 Vmware | 1 Aria Operations For Networks | 2025-06-03 | N/A | 4.3 MEDIUM | Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges can inject a malicious payload into the login banner and take over the user account. |
| CVE-2024-22238 | 1 Vmware | 1 Aria Operations For Networks | 2025-06-03 | N/A | 6.4 MEDIUM | Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges may be able to inject malicious code into user profile configurations due to improper input sanitization. |
| CVE-2024-1143 | 1 Linecorp | 1 Central Dogma | 2025-06-03 | N/A | 9.3 CRITICAL | Central Dogma versions prior to 0.64.1 are vulnerable to Cross-Site Scripting (XSS), which could allow for the leakage of user sessions and subsequent authentication bypass. |
| CVE-2023-50933 | 1 Ibm | 1 Powersc | 2025-06-03 | N/A | 6.1 MEDIUM | IBM PowerSC 1.3, 2.0, and 2.1 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 275113. |
| CVE-2023-37531 | 1 Hcltech | 1 Bigfix Platform | 2025-06-03 | N/A | 3.3 LOW | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious JavaScript code injected into a form field of a webpage by a user with privileged access. |
| CVE-2023-37530 | 1 Hcltech | 1 Bigfix Platform | 2025-06-03 | N/A | 3.0 LOW | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious JavaScript code in a webpage trying to retrieve cookie-stored information. |
| CVE-2023-37529 | 1 Hcltech | 1 Bigfix Platform | 2025-06-03 | N/A | 3.0 LOW | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious JavaScript code in a webpage trying to retrieve cookie-stored information. This is not the same vulnerability as identified in CVE-2023-37530. |
| CVE-2023-37528 | 1 Hcltech | 1 Bigfix Platform | 2025-06-03 | N/A | 6.5 MEDIUM | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to exploit an application parameter during execution of the Save Report. |
| CVE-2023-37527 | 1 Hcltech | 1 Bigfix Platform | 2025-06-03 | N/A | 5.4 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious JavaScript code in the application session or in the database, via remote injection, while rendering content in a web page. |
| CVE-2023-37523 | 1 Hcltechsw | 1 Bigfix Bare Osd Metal Server Webui | 2025-06-03 | N/A | 5.6 MEDIUM | Missing or insecure tags in the HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower could allow an attacker to execute a malicious script on the user's browser. |
| CVE-2022-40712 | 1 Nokia | 1 1350 Optical Management System | 2025-06-03 | N/A | 6.1 MEDIUM | An issue was discovered in NOKIA 1350OMS R14.2. Reflected XSS exists under different /cgi-bin/R14.2* endpoints. |
| CVE-2022-37250 | 1 Craftcms | 1 Craft Cms | 2025-06-03 | N/A | 5.4 MEDIUM | Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount. |
| CVE-2025-5135 | 1 Project Team | 1 Tmall Demo | 2025-06-03 | 3.3 LOW | 2.4 LOW | A vulnerability, which was classified as problematic, has been found in Tmall Demo up to 20250505. Affected by this issue is some unknown functionality of the file /tmall/admin/ of the component Product Details Page. The manipulation of the argument Product Name/Product Title leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version deta ... |