Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6158 | 2 Tiptoppress, Zephyrwest | 2 Term And Category Based Posts Widget, Category Posts Widget | 2025-05-27 | N/A | 4.8 MEDIUM |
|
The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Posts" widget settings before outputting them back in a page/post where the Widget is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-6843 | 1 Webdigit | 1 Chatbot With Chatgpt | 2025-05-27 | N/A | 6.1 MEDIUM |
|
The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not sanitise and escape user inputs, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins
|
|||||
| CVE-2022-28979 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-27 | N/A | 6.1 MEDIUM |
|
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.
|
|||||
| CVE-2023-7230 | 1 Evanliewer | 1 Illi Link Party\! | 2025-05-27 | N/A | 6.1 MEDIUM |
|
The illi Link Party! WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks.
|
|||||
| CVE-2024-6718 | 1 Freebiesdownload | 1 Pvn Auth Popup | 2025-05-27 | N/A | 5.4 MEDIUM |
|
The PVN Auth Popup WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-8095 | 1 Ryanchristenson | 1 Babeiz | 2025-05-27 | N/A | 6.1 MEDIUM |
|
The BabelZ WordPress plugin through 1.1.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
|
|||||
| CVE-2024-8187 | 1 Shapedplugin | 1 Smart Post Show | 2025-05-27 | N/A | 4.8 MEDIUM |
|
The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-8426 | 1 Pagelayer | 1 Pagelayer | 2025-05-27 | N/A | 4.8 MEDIUM |
|
The Page Builder: Pagelayer WordPress plugin before 1.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2024-8618 | 1 Pagelayer | 1 Pagelayer | 2025-05-27 | N/A | 4.8 MEDIUM |
|
The Page Builder: Pagelayer WordPress plugin before 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-3201 | 1 Kaliforms | 1 Kali Forms | 2025-05-27 | N/A | 5.9 MEDIUM |
|
The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-47378 | 1 Wpcom | 1 Wpcom Member | 2025-05-27 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPCOM WPCOM Member allows Reflected XSS.This issue affects WPCOM Member: from n/a through 1.5.4.
|
|||||
| CVE-2023-26771 | 1 Taskcafe Project | 1 Taskcafe | 2025-05-27 | N/A | 6.5 MEDIUM |
|
Taskcafe 0.3.2 is vulnerable to Cross Site Scripting (XSS). There is a lack of validation in the filetype when uploading a SVG profile picture with a XSS payload on it. An authenticated attacker can exploit this vulnerability by uploading a malicious picture which will trigger the payload when the victim opens the file.
|
|||||
| CVE-2022-37246 | 1 Craftcms | 1 Craft Cms | 2025-05-27 | N/A | 5.4 MEDIUM |
|
Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label.
|
|||||
| CVE-2022-28978 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-27 | N/A | 5.4 MEDIUM |
|
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name.
|
|||||
| CVE-2024-46333 | 1 Piwigo | 1 Piwigo | 2025-05-27 | N/A | 4.8 MEDIUM |
|
An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter under the Add Album function.
|
|||||
| CVE-2024-43151 | 1 Brainstormforce | 1 Ultimate Addons For Beaver Builder | 2025-05-27 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder – Lite allows Stored XSS.This issue affects Ultimate Addons for Beaver Builder – Lite: from n/a through 1.5.9.
|
|||||
| CVE-2024-43156 | 1 Addonmaster | 1 Post Grid Master | 2025-05-27 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AddonMaster Post Grid Master allows Reflected XSS.This issue affects Post Grid Master: from n/a through 3.4.10.
|
|||||
| CVE-2024-6724 | 1 Magic-post-thumbnail | 1 Magic Post Thumbnail | 2025-05-27 | N/A | 4.8 MEDIUM |
|
The Generate Images WordPress plugin before 5.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2022-38550 | 1 Jeesns | 1 Jeesns | 2025-05-27 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the /weibo/list component of Jeesns v2.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2022-28982 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-27 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.
|
|||||
| CVE-2022-28980 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-27 | N/A | 6.1 MEDIUM |
|
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.
|
|||||
| CVE-2025-32984 | 1 Netscout | 1 Ngeniusone | 2025-05-27 | N/A | 6.1 MEDIUM |
|
NETSCOUT nGeniusONE before 6.4.0 b2350 allows Stored Cross-Site Scripting (XSS) via a certain POST parameter.
|
|||||
| CVE-2024-32580 | 1 Averta | 1 Master Slider | 2025-05-27 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows Stored XSS.This issue affects Master Slider: from n/a through 3.9.8.
|
|||||
| CVE-2024-37222 | 1 Averta | 1 Master Slider | 2025-05-27 | N/A | 7.1 HIGH |
|
Cross Site Scripting (XSS) vulnerability in Averta Master Slider allows Reflected XSS.This issue affects Master Slider: from n/a through 3.10.0.
|
|||||
| CVE-2023-49485 | 1 Jfinalcms Project | 1 Jfinalcms | 2025-05-27 | N/A | 5.4 MEDIUM |
|
JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the column management department.
|
|||||
| CVE-2023-46494 | 1 Evershop | 1 Evershop | 2025-05-27 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx.
|
|||||
| CVE-2023-44856 | 1 Cobham | 2 Sailor 600 Vsat Ku, Sailor 600 Vsat Ku Firmware | 2025-05-27 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the rstat, sender, and recipients' parameters of the sub_21D24 function in the acu_web file.
|
|||||
| CVE-2022-41319 | 1 Veritas | 1 Desktop And Laptop Option | 2025-05-27 | N/A | 6.1 MEDIUM |
|
A Reflected Cross-Site Scripting (XSS) vulnerability affects the Veritas Desktop Laptop Option (DLO) application login page (aka the DLOServer/restore/login.jsp URI). This affects versions before 9.8 (e.g., 9.1 through 9.7).
|
|||||
| CVE-2022-40088 | 1 Simple College Website Project | 1 Simple College Website | 2025-05-27 | N/A | 6.1 MEDIUM |
|
Simple College Website v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /college_website/index.php?page=. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the page parameter.
|
|||||
| CVE-2023-44854 | 1 Cobham | 2 Sailor 600 Vsat Ku, Sailor 600 Vsat Ku Firmware | 2025-05-27 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the c_set_rslog_decode function in the acu_web file.
|
|||||
| CVE-2023-44852 | 1 Cobham | 2 Sailor 600 Vsat Ku, Sailor 600 Vsat Ku Firmware | 2025-05-27 | N/A | 8.2 HIGH |
|
Cross Site Scripting (XSS) vulnerability in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the c_set_traps_decode function in the acu_web file.
|
|||||
| CVE-2020-25730 | 1 Zoneminder | 1 Zoneminder | 2025-05-27 | N/A | 8.2 HIGH |
|
Cross Site Scripting (XSS) vulnerability in ZoneMinder before version 1.34.21, allows remote attackers execute arbitrary code, escalate privileges, and obtain sensitive information via PHP_SELF component in classic/views/download.php.
|
|||||
| CVE-2023-4709 | 1 Totvs | 1 Rm | 2025-05-27 | 2.6 LOW | 3.1 LOW |
|
A vulnerability classified as problematic has been found in TOTVS RM 12.1. Affected is an unknown function of the file Login.aspx of the component Portal. The manipulation of the argument VIEWSTATE leads to cross site scripting. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. It is possible to mitigate the problem by applying the configuration setting <pages validateRequest="true" [...] viewStateEncryptionMode= ...
Show More |
|||||
| CVE-2025-2206 | 1 Aitangbao | 1 Springboot-manager | 2025-05-26 | 3.3 LOW | 2.4 LOW |
|
A vulnerability classified as problematic has been found in aitangbao springboot-manager 3.0. This affects an unknown part of the file /sys/permission. The manipulation of the argument name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-1561 | 1 Apppresser | 1 Apppresser | 2025-05-26 | N/A | 7.2 HIGH |
|
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when logging is enabled that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13350 | 1 Searchiq | 1 Searchiq | 2025-05-26 | N/A | 6.4 MEDIUM |
|
The SearchIQ – The Search Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siq_searchbox' shortcode in all versions up to, and including, 4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-11731 | 1 Averta | 1 Master Slider | 2025-05-26 | N/A | 6.4 MEDIUM |
|
The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ms_slider shortcode in all versions up to, and including, 3.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13757 | 1 Averta | 1 Master Slider | 2025-05-26 | N/A | 6.4 MEDIUM |
|
The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ms_layer shortcode in all versions up to, and including, 3.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13901 | 1 Wow-company | 1 Counter Box | 2025-05-26 | N/A | 4.4 MEDIUM |
|
The Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects mult ...
Show More |
|||||
| CVE-2025-0692 | 1 Maximize | 1 Simple Video Management System | 2025-05-26 | N/A | 3.5 LOW |
|
The Simple Video Management System WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||