Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31682 | 1 Google Tag Project | 1 Google Tag | 2025-06-02 | N/A | 4.8 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Google Tag allows Cross-Site Scripting (XSS).This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.
|
|||||
| CVE-2025-25090 | 2025-06-02 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through 4.1.
|
|||||
| CVE-2023-7200 | 1 Myeventon | 1 Eventon | 2025-06-02 | N/A | 6.1 MEDIUM |
|
The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-41513 | 1 4pace | 1 Cadclick | 2025-06-02 | N/A | 5.4 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability in "Artikel.aspx" in CADClick v1.11.0 and before allows remote attackers to inject arbitrary web script or HTML via the "searchindex" parameter.
|
|||||
| CVE-2024-41514 | 1 4pace | 1 Cadclick | 2025-06-02 | N/A | 5.4 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability in "PrevPgGroup.aspx" in CADClick v1.11.0 and before allows remote attackers to inject arbitrary web script or HTML via the "wer" parameter.
|
|||||
| CVE-2024-41515 | 1 4pace | 1 Cadclick | 2025-06-02 | N/A | 5.4 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability in "ccHandlerResource.ashx" in CADClick <= 1.11.0 allows remote attackers to inject arbitrary web script or HTML via the "res_url" parameter.
|
|||||
| CVE-2024-41516 | 1 4pace | 1 Cadclick | 2025-06-02 | N/A | 5.4 MEDIUM |
|
A Reflected cross-site scripting (XSS) vulnerability in "ccHandler.aspx" CADClick <= 1.11.0 allows remote attackers to inject arbitrary web script or HTML via the "bomid" parameter.
|
|||||
| CVE-2025-5016 | 2025-06-02 | N/A | 4.7 MEDIUM | ||
|
The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-5290 | 2025-06-02 | N/A | 6.4 MEDIUM | ||
|
The Borderless – Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-4595 | 2025-06-02 | N/A | 6.4 MEDIUM | ||
|
The FastSpring plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fastspring/block-fastspringblocks-complete-product-catalog' block in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on the 'color' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-5292 | 2025-06-02 | N/A | 6.4 MEDIUM | ||
|
The Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content’ parameter in all versions up to, and including, 5.11.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user ac ...
Show More |
|||||
| CVE-2025-4590 | 2025-06-02 | N/A | 6.4 MEDIUM | ||
|
The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-48883 | 2025-06-02 | N/A | N/A | ||
|
Chrome PHP allows users to start playing with chrome/chromium in headless mode from PHP. Prior to version 1.14.0, CSS Selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities. This is patched in v1.14.0. As a workaround, users can apply encoding manually to their selectors if they are unable to upgrade.
|
|||||
| CVE-2025-5285 | 2025-06-02 | N/A | 6.4 MEDIUM | ||
|
The Product Subtitle for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmlTag’ parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-57783 | 2025-06-02 | N/A | 8.1 HIGH | ||
|
The desktop application in Dot through 0.9.3 allows XSS and resultant command execution because user input and LLM output are appended to the DOM with innerHTML (in render.js), and because the Electron window can access Node.js APIs.
|
|||||
| CVE-2025-31675 | 1 Drupal | 1 Drupal | 2025-06-02 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
|
|||||
| CVE-2024-55635 | 1 Drupal | 1 Drupal | 2025-06-02 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.
|
|||||
| CVE-2024-12393 | 1 Drupal | 1 Drupal | 2025-06-02 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
|
|||||
| CVE-2023-0079 | 1 Cusrev | 1 Customer Reviews For Woocommerce | 2025-06-02 | N/A | 5.4 MEDIUM |
|
The Customer Reviews for WooCommerce WordPress plugin before 5.17.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2021-24433 | 1 Yukimichi | 1 Simple Sort\&search | 2025-06-02 | N/A | 5.4 MEDIUM |
|
The simple sort&search WordPress plugin through 0.0.3 does not make sure that the indexurl parameter of the shortcodes "category_sims", "order_sims", "orderby_sims", "period_sims", and "tag_sims" use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor
|
|||||
| CVE-2024-35753 | 1 Templatesnext | 1 Onepager | 2025-06-02 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TemplatesNext TemplatesNext OnePager allows Stored XSS.This issue affects TemplatesNext OnePager: from n/a through 1.3.3.
|
|||||
| CVE-2024-21725 | 1 Joomla | 1 Joomla\! | 2025-06-02 | N/A | 6.1 MEDIUM |
|
Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.
|
|||||
| CVE-2024-23659 | 1 Spip | 1 Spip | 2025-06-02 | N/A | 6.1 MEDIUM |
|
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.
|
|||||
| CVE-2024-22877 | 1 Strangebee | 1 Thehive | 2025-06-02 | N/A | 5.4 MEDIUM |
|
StrangeBee TheHive 5.2.0 to 5.2.8 is vulnerable to Cross Site Scripting (XSS) in the case reporting functionality. This feature allows an attacker to insert malicious JavaScript code inside the template or its variables, that will be executed in the context of the TheHive application when the HTML report is opened.
|
|||||
| CVE-2024-20270 | 1 Cisco | 2 Broadworks Application Delivery Platform, Broadworks Xtended Services Platform | 2025-06-02 | N/A | 4.8 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a cr ...
Show More |
|||||
| CVE-2024-0381 | 1 Bootstrapped | 1 Wp Recipe Maker | 2025-06-02 | N/A | 6.4 MEDIUM |
|
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-0238 | 1 Myeventon | 1 Eventon | 2025-06-02 | N/A | 6.1 MEDIUM |
|
The EventON Premium WordPress plugin before 4.5.6, EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata.
|
|||||
| CVE-2023-6732 | 1 Supsystic | 1 Ultimate Maps | 2025-06-02 | N/A | 4.8 MEDIUM |
|
The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2023-52069 | 1 Kodcloud | 1 Kodbox | 2025-06-02 | N/A | 5.4 MEDIUM |
|
kodbox v1.49.04 was discovered to contain a cross-site scripting (XSS) vulnerability via the URL parameter.
|
|||||
| CVE-2023-49943 | 1 Zohocorp | 1 Manageengine Servicedesk Plus Msp | 2025-06-02 | N/A | 5.4 MEDIUM |
|
Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.
|
|||||
| CVE-2023-48858 | 1 Abocms | 1 Abo.cms | 2025-06-02 | N/A | 6.1 MEDIUM |
|
A Cross-site scripting (XSS) vulnerability in login page php code in Armex ABO.CMS 5.9 allows remote attackers to inject arbitrary web script or HTML via the login.php? URL part.
|
|||||
| CVE-2023-46952 | 1 Abocms | 1 Abo.cms | 2025-06-02 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in ABO.CMS v.5.9.3 allows an attacker to execute arbitrary code via a crafted payload to the Referer header.
|
|||||
| CVE-2023-0769 | 1 Hiweb | 1 Migration Simple | 2025-06-02 | N/A | 6.1 MEDIUM |
|
The hiWeb Migration Simple WordPress plugin through 2.0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
|
|||||
| CVE-2023-0376 | 1 Themeum | 1 Qubely | 2025-06-02 | N/A | 5.4 MEDIUM |
|
The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-21726 | 1 Joomla | 1 Joomla\! | 2025-06-02 | N/A | 6.5 MEDIUM |
|
Inadequate content filtering leads to XSS vulnerabilities in various components.
|
|||||
| CVE-2024-28070 | 1 Mitel | 1 Micontact Center Business | 2025-06-02 | N/A | 6.8 MEDIUM |
|
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation. A successful exploit could allow an attacker to access sensitive information and gain unauthorized access.
|
|||||
| CVE-2024-26468 | 1 Jstrieb | 1 Url Pages | 2025-06-02 | N/A | 6.1 MEDIUM |
|
A DOM based cross-site scripting (XSS) vulnerability in the component index.html of jstrieb/urlpages before commit 035b647 allows attackers to execute arbitrary Javascript via sending a crafted URL.
|
|||||
| CVE-2024-26467 | 1 Tabatkins | 1 Railroad-diagram Generator | 2025-06-02 | N/A | 6.1 MEDIUM |
|
A DOM based cross-site scripting (XSS) vulnerability in the component generator.html of tabatkins/railroad-diagrams before commit ea9a123 allows attackers to execute arbitrary Javascript via sending a crafted URL.
|
|||||
| CVE-2025-1647 | 2025-06-01 | N/A | 5.6 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS).This issue affects Bootstrap: from 3.4.1 before 4.0.0.
|
|||||
| CVE-2024-22569 | 1 Poscms | 1 Poscms | 2025-05-30 | N/A | 5.4 MEDIUM |
|
Stored Cross-Site Scripting (XSS) vulnerability in POSCMS v4.6.2, allows attackers to execute arbitrary code via a crafted payload to /index.php?c=install&m=index&step=2&is_install_db=0.
|
|||||