Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5283 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | N/A | 6.1 MEDIUM |
|
The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-5282 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | N/A | 6.1 MEDIUM |
|
The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-5281 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | N/A | 6.1 MEDIUM |
|
The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-3641 | 1 Mndpsingh287 | 1 Newsletter Popup | 2025-05-19 | N/A | 6.1 MEDIUM |
|
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins
|
|||||
| CVE-2024-3644 | 1 Mndpsingh287 | 1 Newsletter Popup | 2025-05-19 | N/A | 4.8 MEDIUM |
|
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2023-6142 | 1 Armanidrisi | 1 Dev Blog | 2025-05-19 | N/A | 5.4 MEDIUM |
|
Dev blog v1.0 allows to exploit an XSS through an unrestricted file upload, together with a bad entropy of filenames. With this an attacker can upload a malicious HTML file, then guess the filename of the uploaded file and send it to a potential victim.
|
|||||
| CVE-2024-2968 | 1 Backie | 1 Wp-eggdrop | 2025-05-19 | N/A | 4.4 MEDIUM |
|
The WP-Eggdrop plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disa ...
Show More |
|||||
| CVE-2025-46464 | 2025-05-19 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scripteo Ads Pro Plugin allows Stored XSS. This issue affects Ads Pro Plugin: from n/a through 4.88.
|
|||||
| CVE-2025-48080 | 2025-05-19 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: from n/a through 3.7.0.2.
|
|||||
| CVE-2025-47557 | 2025-05-19 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG allows Stored XSS. This issue affects MapSVG: from n/a through 8.5.31.
|
|||||
| CVE-2025-48112 | 2025-05-19 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages allows Reflected XSS. This issue affects Dot html,php,xml etc pages: from n/a through 1.0.
|
|||||
| CVE-2025-48113 | 2025-05-19 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Broadstreet Broadstreet allows Stored XSS. This issue affects Broadstreet: from n/a through 1.51.8.
|
|||||
| CVE-2025-4804 | 2025-05-19 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the spamBlocker module. This vulnerability requires an authenticated administrator session to a locally managed Firebox.
This issue affects Fireware OS: from 12.0 through 12.11.1.
|
|||||
| CVE-2025-4805 | 2025-05-19 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS. This vulnerability requires an authenticated administrator session to a locally managed Firebox.
This issue affects Fireware OS: from 12.0 through 12.11.1.
|
|||||
| CVE-2025-48121 | 2025-05-19 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Puddick WP Notes Widget allows DOM-Based XSS. This issue affects WP Notes Widget: from n/a through 1.0.6.
|
|||||
| CVE-2025-48131 | 2025-05-19 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from n/a through 2.0.0.
|
|||||
| CVE-2025-4610 | 2025-05-19 | N/A | 6.4 MEDIUM | ||
|
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-3715 | 2025-05-19 | N/A | 6.4 MEDIUM | ||
|
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1958 | 1 Wpb Show Core Project | 1 Wpb Show Core | 2025-05-19 | N/A | 4.8 MEDIUM |
|
The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users
|
|||||
| CVE-2024-1956 | 1 Wpb Show Core Project | 1 Wpb Show Core | 2025-05-19 | N/A | 6.1 MEDIUM |
|
The wpb-show-core WordPress plugin before 2.7 does not sanitise and escape the parameters before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2024-1292 | 1 Wpb Show Core Project | 1 Wpb Show Core | 2025-05-19 | N/A | 4.7 MEDIUM |
|
The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2023-48903 | 1 Tramyardg | 1 Autoexpress | 2025-05-19 | N/A | 6.1 MEDIUM |
|
Stored Cross-Site Scripting (XSS) vulnerability in tramyardg autoexpress 1.3.0, allows remote unauthenticated attackers to inject arbitrary web script or HTML within parameter "imgType" via in uploadCarImages.php.
|
|||||
| CVE-2024-26466 | 1 Web-platform-tests | 1 Web-platform-tests | 2025-05-19 | N/A | 6.1 MEDIUM |
|
A DOM based cross-site scripting (XSS) vulnerability in the component /dom/ranges/Range-test-iframe.html of web-platform-tests/wpt before commit 938e843 allows attackers to execute arbitrary Javascript via sending a crafted URL.
|
|||||
| CVE-2025-4099 | 1 Sizeable | 1 List Children | 2025-05-19 | N/A | 6.4 MEDIUM |
|
The List Children plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list_children' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-57776 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.6 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-57774 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-57773 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-57771 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-57772 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-12587 | 1 Edmonparker | 1 Contact Form Master | 2025-05-17 | N/A | 6.1 MEDIUM |
|
The Contact Form Master WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-12715 | 1 Outself | 1 Asgard Security Scanner | 2025-05-17 | N/A | 6.1 MEDIUM |
|
The Asgard Security Scanner WordPress plugin through 0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-12714 | 1 Syedfakharabbas | 1 Backlink Monitoring Manager | 2025-05-17 | N/A | 6.1 MEDIUM |
|
The Backlink Monitoring Manager WordPress plugin through 0.1.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-10568 | 1 Wp-dreams | 1 Ajax Search | 2025-05-17 | N/A | 4.7 MEDIUM |
|
The Ajax Search Lite WordPress plugin before 4.12.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-10518 | 1 Properfraction | 1 Profilepress | 2025-05-17 | N/A | 4.8 MEDIUM |
|
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-10517 | 1 Properfraction | 1 Profilepress | 2025-05-17 | N/A | 4.8 MEDIUM |
|
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-11841 | 1 Jordangillman | 1 Tithe.ly Giving Button | 2025-05-17 | N/A | 5.4 MEDIUM |
|
The Tithe.ly Giving Button WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-7313 | 1 Getshieldsecurity | 1 Shield Security | 2025-05-17 | N/A | 6.1 MEDIUM |
|
The Shield Security WordPress plugin before 20.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-6879 | 1 Expresstech | 1 Quiz And Survey Master | 2025-05-17 | N/A | 4.7 MEDIUM |
|
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allows contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks.
|
|||||
| CVE-2024-3282 | 1 Wptablebuilder | 1 Wp Table Builder | 2025-05-17 | N/A | 4.8 MEDIUM |
|
The WP Table Builder WordPress plugin through 1.5.0 does not sanitise and escape some of its Table data, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-11107 | 1 Bowo | 1 System Dashboard | 2025-05-17 | N/A | 6.1 MEDIUM |
|
The System Dashboard WordPress plugin before 2.8.15 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.
|
|||||