Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-1357 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
|
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_timeline shortcode in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping on user supplied attributes such as thumb_mode and date_type. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesse ...
Show More |
|||||
| CVE-2024-52701 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page banner parameter.
|
|||||
| CVE-2024-46606 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.
|
|||||
| CVE-2024-46605 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.
|
|||||
| CVE-2025-3516 | 1 Archetyped | 1 Simple Lightbox | 2025-05-22 | N/A | 5.9 MEDIUM |
|
The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2022-40748 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-22 | N/A | 5.4 MEDIUM |
|
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 236586.
|
|||||
| CVE-2022-40359 | 1 Kfm Project | 1 Kfm | 2025-05-22 | N/A | 6.1 MEDIUM |
|
Cross site scripting (XSS) vulnerability in kfm through 1.4.7 via crafted GET request to /kfm/index.php.
|
|||||
| CVE-2022-3062 | 1 Simplefilelist | 1 Simple-file-list | 2025-05-22 | N/A | 6.1 MEDIUM |
|
The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
|
|||||
| CVE-2022-3025 | 1 Bitcoin\/altcoin Faucet Project | 1 Bitcoin\/altcoin Faucet | 2025-05-22 | N/A | 5.4 MEDIUM |
|
The Bitcoin / Altcoin Faucet WordPress plugin through 1.6.0 does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2024-9545 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
|
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_contact_box and aux_gmaps shortcodes in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page ...
Show More |
|||||
| CVE-2024-12588 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
|
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Staff widget in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-12042 | 1 Inspireui | 1 Mstore Api | 2025-05-22 | N/A | 5.4 MEDIUM |
|
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file.
|
|||||
| CVE-2024-8486 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
|
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in the Modern Heading and Icon Picker widgets all versions up to, and including, 2.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2022-3074 | 1 Quantumcloud | 1 Slider Hero | 2025-05-22 | N/A | 4.8 MEDIUM |
|
The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks.
|
|||||
| CVE-2022-3070 | 1 Zealousweb | 1 Generate Pdf Using Contact Form 7 | 2025-05-22 | N/A | 4.8 MEDIUM |
|
The Generate PDF WordPress plugin before 3.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2022-3069 | 1 Wordlift | 1 Wordlift | 2025-05-22 | N/A | 4.8 MEDIUM |
|
The WordLift WordPress plugin before 3.37.2 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2025-48250 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Coupons & Add to Cart by URL Links for WooCommerce allows Stored XSS. This issue affects Coupons & Add to Cart by URL Links for WooCommerce: from n/a through 1.7.7.
|
|||||
| CVE-2025-48277 | 2025-05-21 | N/A | 5.9 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stylemix Cost Calculator Builder allows Stored XSS. This issue affects Cost Calculator Builder: from n/a through 3.2.74.
|
|||||
| CVE-2025-48237 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through 3.2.2.
|
|||||
| CVE-2025-48240 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Cost of Goods for WooCommerce allows Stored XSS. This issue affects Cost of Goods for WooCommerce: from n/a through 3.7.0.
|
|||||
| CVE-2025-48249 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory EAN for WooCommerce allows Stored XSS. This issue affects EAN for WooCommerce: from n/a through 5.4.6.
|
|||||
| CVE-2025-48266 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 Active Products Tables for WooCommerce allows Stored XSS. This issue affects Active Products Tables for WooCommerce: from n/a through 1.0.6.8.
|
|||||
| CVE-2025-48248 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Sitewide Discount for WooCommerce: Apply Discount to All Products allows Stored XSS. This issue affects Sitewide Discount for WooCommerce: Apply Discount to All Products: from n/a through 2.2.1.
|
|||||
| CVE-2025-22678 | 2025-05-21 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mythemes my white allows Reflected XSS.This issue affects my white: from n/a through 2.0.8.
|
|||||
| CVE-2025-48251 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails & Recipients for WooCommerce allows Stored XSS. This issue affects Additional Custom Emails & Recipients for WooCommerce: from n/a through 3.5.1.
|
|||||
| CVE-2025-48234 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ultimate Blocks Ultimate Blocks allows DOM-Based XSS. This issue affects Ultimate Blocks: from n/a through 3.3.0.
|
|||||
| CVE-2025-48258 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jetmonsters Mega Menu Block allows Stored XSS. This issue affects Mega Menu Block: from n/a through 1.0.6.
|
|||||
| CVE-2025-48341 | 2025-05-21 | N/A | 5.9 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Form Maker by 10Web allows Stored XSS. This issue affects Form Maker by 10Web: from n/a through 1.15.33.
|
|||||
| CVE-2025-48276 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder allows Stored XSS. This issue affects Visual Composer Website Builder: from n/a through 45.11.0.
|
|||||
| CVE-2025-48235 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bogdan Bendziukov WP Image Mask allows DOM-Based XSS. This issue affects WP Image Mask: from n/a through 3.1.2.
|
|||||
| CVE-2025-48232 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Addons For Beaver Builder – Lite allows Stored XSS. This issue affects Xpro Addons For Beaver Builder – Lite: from n/a through 1.5.5.
|
|||||
| CVE-2025-48269 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts allows DOM-Based XSS. This issue affects WPAdverts: from n/a through 2.2.3.
|
|||||
| CVE-2025-48239 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Product Notes Tab & Private Admin Notes for WooCommerce allows Stored XSS. This issue affects Product Notes Tab & Private Admin Notes for WooCommerce: from n/a through 3.1.0.
|
|||||
| CVE-2025-48244 | 2025-05-21 | N/A | 5.9 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.
|
|||||
| CVE-2025-48288 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Element Invader ElementInvader Addons for Elementor allows Stored XSS. This issue affects ElementInvader Addons for Elementor: from n/a through 1.3.5.
|
|||||
| CVE-2025-48236 | 2025-05-21 | N/A | 8.5 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bunny.net bunny.net allows Stored XSS. This issue affects bunny.net: from n/a through 2.3.0.
|
|||||
| CVE-2025-41228 | 2025-05-21 | N/A | 4.3 MEDIUM | ||
|
VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.
|
|||||
| CVE-2025-46543 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charly Leetham Enhanced Paypal Shortcodes allows Stored XSS.This issue affects Enhanced Paypal Shortcodes: from n/a through 0.5a.
|
|||||
| CVE-2024-5878 | 2025-05-21 | N/A | 6.4 MEDIUM | ||
|
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-39372 | 2025-05-21 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elbisnero WordPress Events Calendar Registration & Tickets allows Reflected XSS.This issue affects WordPress Events Calendar Registration & Tickets: from n/a through 2.6.0.
|
|||||