Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3135 | 1 Seo Smart Links Project | 1 Seo Smart Links | 2025-05-21 | N/A | 4.8 MEDIUM |
|
The SEO Smart Links WordPress plugin through 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2022-2861 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2025-05-21 | N/A | 6.5 MEDIUM |
|
Inappropriate implementation in Extensions API in Google Chrome prior to 104.0.5112.101 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts into WebUI via a crafted HTML page.
|
|||||
| CVE-2022-2404 | 1 Themehunk | 1 Wp Popup Builder | 2025-05-21 | N/A | 6.1 MEDIUM |
|
The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-1755 | 1 Benbodhi | 1 Svg Support | 2025-05-21 | N/A | 5.4 MEDIUM |
|
The SVG Support WordPress plugin before 2.5 does not properly handle SVG added via an URL, which could allow users with a role as low as author to perform Cross-Site Scripting attacks
|
|||||
| CVE-2025-26998 | 1 Sktthemes | 1 Skt Blocks | 2025-05-21 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 1.8.
|
|||||
| CVE-2024-13853 | 1 Zynit | 1 Seo Tools | 2025-05-21 | N/A | 6.1 MEDIUM |
|
The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-13862 | 1 S3bubble | 1 S3bubble-amazon-web-services-oembed-media-streaming-support | 2025-05-21 | N/A | 7.1 HIGH |
|
The S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through 8.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2025-0629 | 1 Gallagherwebsitedesign | 1 Coronavirus \(covid-19\) Notice Message | 2025-05-21 | N/A | 4.8 MEDIUM |
|
The Coronavirus (COVID-19) Notice Message WordPress plugin through 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2025-25925 | 1 Openmrs | 1 Openmrs | 2025-05-21 | N/A | 4.8 MEDIUM |
|
A stored cross-scripting (XSS) vulnerability in Openmrs v2.4.3 Build 0ff0ed allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the personName.middleName parameter at /openmrs/admin/patients/shortPatientForm.form.
|
|||||
| CVE-2022-38975 | 1 Ec-cube | 1 Ec-cube | 2025-05-21 | N/A | 5.4 MEDIUM |
|
DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
|
|||||
| CVE-2024-6334 | 1 Magazine3 | 1 Easy Table Of Contents | 2025-05-21 | N/A | 6.1 MEDIUM |
|
The Easy Table of Contents WordPress plugin before 2.0.67.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
|
|||||
| CVE-2024-3410 | 1 Digireturn | 1 Footer Contacts Bar | 2025-05-21 | N/A | 4.3 MEDIUM |
|
The DN Footer Contacts WordPress plugin before 1.6.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-4057 | 1 Kadencewp | 1 Gutenberg Blocks With Ai | 2025-05-21 | N/A | 6.1 MEDIUM |
|
The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.37 does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-3937 | 1 Info-d-74 | 1 Playlist For Youtube | 2025-05-21 | N/A | 4.8 MEDIUM |
|
The Playlist for Youtube WordPress plugin through 1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3921 | 1 Takahashifumiki | 1 Gianism | 2025-05-21 | N/A | 4.8 MEDIUM |
|
The Gianism WordPress plugin through 5.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3939 | 1 Metaphorcreations | 1 Ditty | 2025-05-21 | N/A | 5.4 MEDIUM |
|
The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3920 | 1 Flattr | 1 Flattr | 2025-05-21 | N/A | 3.5 LOW |
|
The Flattr WordPress plugin through 1.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3918 | 1 Dianakcury | 1 Pet Manager | 2025-05-21 | N/A | 4.8 MEDIUM |
|
The Pet Manager WordPress plugin through 1.4 does not sanitise and escape some of its Pet settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-3917 | 1 Dianakcury | 1 Pet Manager | 2025-05-21 | N/A | 6.1 MEDIUM |
|
The Pet Manager WordPress plugin through 1.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-3594 | 1 Themeatelier | 1 Idonate | 2025-05-21 | N/A | 8.7 HIGH |
|
The IDonate WordPress plugin through 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-4290 | 1 Jontasc | 1 Sailthru Triggermail | 2025-05-21 | N/A | 7.1 HIGH |
|
The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-4289 | 1 Jontasc | 1 Sailthru Triggermail | 2025-05-21 | N/A | 6.1 MEDIUM |
|
The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-13119 | 1 Properfraction | 1 Profilepress | 2025-05-21 | N/A | 4.8 MEDIUM |
|
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-2189 | 1 Wpzoom | 1 Social Icons Widget | 2025-05-21 | N/A | 6.1 MEDIUM |
|
The Social Icons Widget & Block by WPZOOM WordPress plugin before 4.2.18 does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3368 | 1 Aioseo | 1 All In One Seo | 2025-05-21 | N/A | 6.1 MEDIUM |
|
The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-2744 | 1 Imagely | 1 Nextgen Gallery | 2025-05-21 | N/A | 4.3 MEDIUM |
|
The NextGEN Gallery WordPress plugin before 3.59.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2024-13120 | 1 Properfraction | 1 Profilepress | 2025-05-21 | N/A | 4.8 MEDIUM |
|
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-13121 | 1 Properfraction | 1 Profilepress | 2025-05-21 | N/A | 3.5 LOW |
|
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-13125 | 1 Wpeverest | 1 Everest Forms | 2025-05-21 | N/A | 3.5 LOW |
|
The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-13805 | 1 Advancedfilemanager | 1 Advanced File Manager | 2025-05-21 | N/A | 6.4 MEDIUM |
|
The Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.2.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses ...
Show More |
|||||
| CVE-2024-27752 | 1 Cszcms | 1 Csz Cms | 2025-05-21 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the Default Keyword field in the settings function.
|
|||||
| CVE-2024-30885 | 1 Hadsky | 1 Hadsky | 2025-05-21 | N/A | 6.1 MEDIUM |
|
Reflected Cross-Site Scripting (XSS) vulnerability in HadSky v7.6.3, allows remote attackers to execute arbitrary code and obtain sensitive information via the chklogin.php component .
|
|||||
| CVE-2024-30886 | 1 Hadsky | 1 Hadsky | 2025-05-21 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the remotelink function of HadSky v7.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter.
|
|||||
| CVE-2025-2211 | 1 Aitangbao | 1 Springboot-manager | 2025-05-21 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in aitangbao springboot-manager 3.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /sysDictDetail/add. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-2210 | 1 Aitangbao | 1 Springboot-manager | 2025-05-21 | 3.3 LOW | 2.4 LOW |
|
A vulnerability has been found in aitangbao springboot-manager 3.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /sysJob/add. The manipulation of the argument name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-2209 | 1 Aitangbao | 1 Springboot-manager | 2025-05-21 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, was found in aitangbao springboot-manager 3.0. Affected is an unknown function of the file /sysDict/add. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-2208 | 1 Aitangbao | 1 Springboot-manager | 2025-05-21 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, has been found in aitangbao springboot-manager 3.0. This issue affects some unknown processing of the file /sysFiles/upload of the component Filename Handler. The manipulation of the argument name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-2207 | 1 Aitangbao | 1 Springboot-manager | 2025-05-21 | 3.3 LOW | 2.4 LOW |
|
A vulnerability classified as problematic was found in aitangbao springboot-manager 3.0. This vulnerability affects unknown code of the file /sys/dept. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-26771 | 1 Sktthemes | 1 Skt Blocks | 2025-05-21 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 1.7.
|
|||||
| CVE-2025-22635 | 1 Imithemes | 1 Eventer | 2025-05-21 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jyothis Joy Eventer allows Reflected XSS. This issue affects Eventer: from n/a through n/a.
|
|||||