Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4669 | 1 Nicheaddons | 1 Events Addon For Elementor | 2025-05-28 | N/A | 6.4 MEDIUM |
|
The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Basic Slider, Upcoming Events, and Schedule widgets in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-0427 | 1 Reputeinfosystems | 1 Arforms | 2025-05-28 | N/A | 6.3 MEDIUM |
|
The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.4.1 does not properly escape user-controlled input when it is reflected in some of its AJAX actions.
|
|||||
| CVE-2023-6487 | 1 Theluckywp | 1 Luckywp Table Of Contents | 2025-05-28 | N/A | 4.4 MEDIUM |
|
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Header Title' field in all versions up to and including 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has ...
Show More |
|||||
| CVE-2024-2119 | 1 Theluckywp | 1 Luckywp Table Of Contents | 2025-05-28 | N/A | 6.1 MEDIUM |
|
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the attrs parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-2953 | 1 Theluckywp | 1 Luckywp Table Of Contents | 2025-05-28 | N/A | 5.5 MEDIUM |
|
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1805 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 6.4 MEDIUM |
|
The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1840 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 6.4 MEDIUM |
|
The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Author tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1841 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 6.4 MEDIUM |
|
The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1842 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 6.4 MEDIUM |
|
The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Heading tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-50378 | 1 Apache | 1 Ambari | 2025-05-28 | N/A | 6.1 MEDIUM |
|
Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8
Impact : As it will be stored XSS, Could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads.
Users are recommended to upgrade to version 2.7.8 which fixes this issue.
|
|||||
| CVE-2024-27140 | 1 Apache | 1 Archiva | 2025-05-28 | N/A | 5.4 MEDIUM |
|
** UNSUPPORTED WHEN ASSIGNED **
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva.
This issue affects Apache Archiva: from 2.0.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure a HTTP proxy in front of your Archiva instance to only forward requests that do ...
Show More |
|||||
| CVE-2024-7082 | 1 Magazine3 | 1 Easy Table Of Contents | 2025-05-28 | N/A | 6.1 MEDIUM |
|
The Easy Table of Contents WordPress plugin before 2.0.68 does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks.
|
|||||
| CVE-2024-7084 | 1 Wp-dreams | 1 Ajax Search | 2025-05-28 | N/A | 4.8 MEDIUM |
|
The Ajax Search Lite WordPress plugin before 4.12.1 does not sanitise and escape some parameters, which could allow users with a role as low as Admin+ to perform Cross-Site Scripting attacks.
|
|||||
| CVE-2024-3973 | 1 Shawon786 | 1 House Manager | 2025-05-28 | N/A | 4.8 MEDIUM |
|
The House Manager WordPress plugin through 1.0.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-6481 | 1 Codeamp | 1 Search \& Filter | 2025-05-28 | N/A | 4.8 MEDIUM |
|
The Search & Filter Pro WordPress plugin before 2.5.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2023-44855 | 1 Cobham | 2 Sailor 600 Vsat Ku, Sailor 600 Vsat Ku Firmware | 2025-05-28 | N/A | 6.5 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Cobham SAILOR VSAT Ku v.164B019 allows a remote attacker to execute arbitrary code via a crafted script to the rdiag, sender, and recipients parameters of the sub_219C4 function in the acu_web file.
|
|||||
| CVE-2024-1752 | 1 Persian-vc | 1 Font Farsi | 2025-05-28 | N/A | 6.1 MEDIUM |
|
The Font Farsi WordPress plugin through 1.6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-29776 | 1 Metagauss | 1 Eventprime | 2025-05-28 | N/A | 5.9 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Metagauss EventPrime.This issue affects EventPrime: from n/a through 3.3.9.
|
|||||
| CVE-2024-2864 | 1 Kainelabs | 1 Youzify | 2025-05-28 | N/A | 7.3 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KaineLabs Youzify - Buddypress Moderation.This issue affects Youzify - Buddypress Moderation: from n/a through 1.2.5.
|
|||||
| CVE-2024-25807 | 1 Lycheeorg | 1 Lychee | 2025-05-28 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Lychee 3.1.6, allows remote attackers to execute arbitrary code and obtain sensitive information via the title parameter when creating an album.
|
|||||
| CVE-2024-26557 | 1 Codiad | 1 Codiad | 2025-05-28 | N/A | 5.4 MEDIUM |
|
Codiad v2.8.4 allows reflected XSS via the components/market/dialog.php type parameter.
|
|||||
| CVE-2024-29271 | 1 Vvveb | 1 Vvvebjs | 2025-05-28 | N/A | 6.1 MEDIUM |
|
Reflected Cross-Site Scripting (XSS) vulnerability in VvvebJs before version 1.7.7, allows remote attackers to execute arbitrary code and obtain sensitive information via the action parameter in save.php.
|
|||||
| CVE-2024-9462 | 1 Ays-pro | 1 Poll Maker | 2025-05-28 | N/A | 5.5 MEDIUM |
|
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Stored Cross-Site Scripting via poll settings in all versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and ins ...
Show More |
|||||
| CVE-2024-3600 | 1 Ays-pro | 1 Poll Maker | 2025-05-28 | N/A | 7.2 HIGH |
|
The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page.
|
|||||
| CVE-2024-48417 | 1 Edimax | 2 Br-6476ac, Br-6476ac Firmware | 2025-05-28 | N/A | 5.2 MEDIUM |
|
Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Cross Site Scripting (XSS) in : /bin/goahead via /goform/setStaticRoute, /goform/fromSetFilterUrlFilter, and /goform/fromSetFilterClientFilter.
|
|||||
| CVE-2025-3487 | 1 Wpmudev | 1 Forminator Forms | 2025-05-28 | N/A | 6.4 MEDIUM |
|
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘limit’ parameter in all versions up to, and including, 1.42.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-2162 | 1 Mappresspro | 1 Mappress | 2025-05-28 | N/A | 4.8 MEDIUM |
|
The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-0961 | 1 Anisha | 1 Job Recruitment | 2025-05-28 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in code-projects Job Recruitment 1.0. Affected by this issue is some unknown functionality of the file /_parse/load_job-details.php. The manipulation of the argument business_stream_name/company_website_url leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-0348 | 1 Campcodes | 1 Deped Equipment Inventory System | 2025-05-28 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in CampCodes DepEd Equipment Inventory System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /data/add_employee.php. The manipulation of the argument data leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2023-49493 | 1 Dedecms | 1 Dedecms | 2025-05-28 | N/A | 6.1 MEDIUM |
|
DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the v parameter at selectimages.php.
|
|||||
| CVE-2022-41225 | 1 Jenkins | 1 Anchore Container Image Scanner | 2025-05-28 | N/A | 5.4 MEDIUM |
|
Jenkins Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.
|
|||||
| CVE-2022-41224 | 1 Jenkins | 1 Jenkins | 2025-05-28 | N/A | 5.4 MEDIUM |
|
Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.
|
|||||
| CVE-2025-3513 | 1 Brainstormforce | 1 Sureforms | 2025-05-28 | N/A | 3.5 LOW |
|
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-3514 | 1 Brainstormforce | 1 Sureforms | 2025-05-28 | N/A | 3.5 LOW |
|
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-12679 | 1 Prisna | 1 Google Website Translator | 2025-05-28 | N/A | 4.8 MEDIUM |
|
The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-12680 | 1 Prisna | 1 Google Website Translator | 2025-05-28 | N/A | 4.8 MEDIUM |
|
The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-13482 | 1 Icegram | 1 Icegram Engage | 2025-05-28 | N/A | 4.8 MEDIUM |
|
The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-13486 | 1 Icegram | 1 Icegram Engage | 2025-05-28 | N/A | 4.8 MEDIUM |
|
The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-8703 | 1 Urbanbase | 1 Z-downloads | 2025-05-28 | N/A | 6.1 MEDIUM |
|
The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs.
|
|||||
| CVE-2025-0687 | 1 Mynamedia | 1 Spiritual Gifts Survey \(and Optional S.h.a.p.e Survey\) | 2025-05-28 | N/A | 6.1 MEDIUM |
|
The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
|
|||||