Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-26450 | 1 Piwigo | 1 Piwigo | 2025-05-13 | N/A | 5.4 MEDIUM |
|
An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener.
|
|||||
| CVE-2024-24035 | 1 Setorinformatica | 1 S.i.l. | 2025-05-13 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Setor Informatica SIL 3.1 allows attackers to run arbitrary code via the hmessage parameter.
|
|||||
| CVE-2020-36844 | 1 Knowbe4 | 1 Security Awareness Training | 2025-05-13 | N/A | 6.1 MEDIUM |
|
The KnowBe4 Security Awareness Training application before 2020-01-10 allows reflected XSS. The response has a SCRIPT element that sets window.location.href to a JavaScript URL.
|
|||||
| CVE-2024-3751 | 1 Castos | 1 Seriously Simple Podcasting | 2025-05-13 | N/A | 4.8 MEDIUM |
|
The Seriously Simple Podcasting WordPress plugin before 3.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3753 | 1 Kibokolabs | 1 Hostel | 2025-05-13 | N/A | 5.9 MEDIUM |
|
The Hostel WordPress plugin before 1.1.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-3919 | 1 Arnesonium | 1 Openpgp Form Encryption | 2025-05-13 | N/A | 4.6 MEDIUM |
|
The OpenPGP Form Encryption for WordPress plugin before 1.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-3964 | 1 Wisdmlabs | 1 Product Enquiry For Woocommerce | 2025-05-13 | N/A | 5.9 MEDIUM |
|
The Product Enquiry for WooCommerce WordPress plugin before 3.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2025-0483 | 1 Native-php-cms Project | 1 Native-php-cms | 2025-05-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability has been found in Fanli2012 native-php-cms 1.0 and classified as problematic. This vulnerability affects unknown code of the file /fladmin/jump.php. The manipulation of the argument message/error leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-29772 | 1 Open-emr | 1 Openemr | 2025-05-13 | N/A | 6.1 MEDIUM |
|
OpenEMR is a free and open source electronic health records and medical practice management application. The POST parameter hidden_subcategory is output to the page without being properly processed. This leads to a reflected cross-site scripting (XSS) vul;nerability in CAMOS new.php. This vulnerability is fixed in 7.0.3.
|
|||||
| CVE-2025-0613 | 1 10web | 1 Photo Gallery | 2025-05-13 | N/A | 6.1 MEDIUM |
|
The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed
|
|||||
| CVE-2024-10558 | 1 10web | 1 Form Maker | 2025-05-13 | N/A | 3.5 LOW |
|
The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-34241 | 1 Rocketsoft | 1 Rocket Lms | 2025-05-13 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Rocketsoft Rocket LMS 1.9 allows an administrator to store a JavaScript payload using the admin web interface when creating new courses and new course notifications.
|
|||||
| CVE-2024-2218 | 1 Theluckywp | 1 Luckywp Table Of Contents | 2025-05-13 | N/A | 4.6 MEDIUM |
|
The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-4271 | 1 Svgator | 1 Svgator | 2025-05-13 | N/A | 4.6 MEDIUM |
|
The SVGator WordPress plugin through 1.2.6 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.
|
|||||
| CVE-2024-3236 | 1 Ghozylab | 1 Popup Builder | 2025-05-13 | N/A | 5.4 MEDIUM |
|
The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-4305 | 1 Wpxpo | 1 Postx | 2025-05-13 | N/A | 6.8 MEDIUM |
|
The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-2369 | 1 Godaddy | 1 Coblocks | 2025-05-13 | N/A | 5.4 MEDIUM |
|
The Page Builder Gutenberg Blocks WordPress plugin before 3.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-2263 | 1 Themify | 1 Woocommerce Product Filter | 2025-05-13 | N/A | 4.8 MEDIUM |
|
Themify WordPress plugin before 1.4.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-32325 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2025-05-13 | N/A | 2.4 LOW |
|
TOTOLINK EX200 V4.0.3c.7646_B20201211 contains a Cross-site scripting (XSS) vulnerability through the ssid parameter in the setWiFiExtenderConfig function.
|
|||||
| CVE-2024-1846 | 1 Wpdarko | 1 Responsive Tabs | 2025-05-13 | N/A | 5.4 MEDIUM |
|
The Responsive Tabs WordPress plugin before 4.0.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-1664 | 1 Bdwm | 1 Responsive Gallery Grid | 2025-05-13 | N/A | 6.1 MEDIUM |
|
The Responsive Gallery Grid WordPress plugin before 2.3.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-2509 | 1 Kadencewp | 1 Gutenberg Blocks With Ai | 2025-05-13 | N/A | 6.5 MEDIUM |
|
The Gutenberg Blocks by Kadence Blocks WordPress plugin before 3.2.26 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-0719 | 1 Otwthemes | 1 Tabs Shortcode And Widget | 2025-05-13 | N/A | 5.4 MEDIUM |
|
The Tabs Shortcode and Widget WordPress plugin through 1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-0711 | 1 Otwthemes | 1 Buttons Shortcode And Widget | 2025-05-13 | N/A | 6.1 MEDIUM |
|
The Buttons Shortcode and Widget WordPress plugin through 1.16 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-56338 | 1 Ibm | 1 Sterling B2b Integrator | 2025-05-12 | N/A | 4.8 MEDIUM |
|
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2025-1551 | 1 Ibm | 1 Operational Decision Manager | 2025-05-12 | N/A | 6.1 MEDIUM |
|
IBM Operational Decision Manager 8.11.0.1, 8.11.1.0, 8.12.0.1, and 9.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2025-2031 | 1 1000mz | 1 Chestnutcms | 2025-05-12 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in ChestnutCMS up to 1.5.2. This affects the function uploadFile of the file /dev-api/cms/file/upload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-47547 | 1 Sendpulse | 1 Sendpulse Email Marketing Newsletter | 2025-05-12 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SendPulse SendPulse Email Marketing Newsletter allows Stored XSS. This issue affects SendPulse Email Marketing Newsletter: from n/a through 2.1.6.
|
|||||
| CVE-2022-42993 | 1 Password Storage Application Project | 1 Password Storage Application | 2025-05-12 | N/A | 5.4 MEDIUM |
|
Password Storage Application v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Setup page.
|
|||||
| CVE-2025-47623 | 1 Wpplugin | 1 Easy Paypal \& Stripe Buy Now Button | 2025-05-12 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Easy PayPal Buy Now Button allows Stored XSS. This issue affects Easy PayPal Buy Now Button: from n/a through 2.0.
|
|||||
| CVE-2025-47625 | 1 Apasionados | 1 Dofollow Case By Case | 2025-05-12 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in apasionados DoFollow Case by Case allows Stored XSS. This issue affects DoFollow Case by Case: from n/a through 3.5.1.
|
|||||
| CVE-2025-47626 | 1 Apasionados | 1 Submission Dom Tracking For Contact Form 7 | 2025-05-12 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in apasionados Submission DOM tracking for Contact Form 7 allows Stored XSS. This issue affects Submission DOM tracking for Contact Form 7: from n/a through 2.0.
|
|||||
| CVE-2025-47630 | 1 Connekthq | 1 Ajax Load More | 2025-05-12 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Darren Cooney Ajax Load More allows Stored XSS. This issue affects Ajax Load More: from n/a through 7.3.1.
|
|||||
| CVE-2025-47632 | 1 Raihancse | 1 Awesome Gallery | 2025-05-12 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raihanul Islam Awesome Gallery allows Stored XSS. This issue affects Awesome Gallery: from n/a through 1.0.
|
|||||
| CVE-2024-2583 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2025-05-12 | N/A | 5.4 MEDIUM |
|
The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.0.5 does not properly escape some of its shortcodes attributes before they are echoed back to users, making it possible for users with the contributor role to conduct Stored XSS attacks.
|
|||||
| CVE-2025-3929 | 1 Mdaemon | 1 Email Server | 2025-05-12 | N/A | 6.1 MEDIUM |
|
An XSS issue was discovered in MDaemon Email Server version 25.0.1 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window, and access user data.
|
|||||
| CVE-2025-46689 | 1 Ververica | 1 Ververica Platform | 2025-05-12 | N/A | 5.4 MEDIUM |
|
Ververica Platform 2.14.0 contain an Reflected XSS vulnerability via a namespaces/default/formats URI.
|
|||||
| CVE-2025-3994 | 1 Totolink | 2 N150rt, N150rt Firmware | 2025-05-12 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been classified as problematic. Affected is an unknown function of the file /home.htm of the component IP Port Filtering. The manipulation of the argument Comment leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3995 | 1 Totolink | 2 N150rt, N150rt Firmware | 2025-05-12 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /boafrm/fromStaticDHCP of the component LAN Settings Page. The manipulation of the argument Hostname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3958 | 1 Withstars | 1 Books-management-system | 2025-05-12 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in withstars Books-Management-System 1.0. It has been classified as problematic. Affected is an unknown function of the file /book_edit_do.html of the component Book Edit Page. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the ...
Show More |
|||||