Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-43169 | 1 Rukovoditel | 1 Rukovoditel | 2025-05-08 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Group".
| CVE-2022-43167 | 1 Rukovoditel | 1 Rukovoditel | 2025-05-08 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add".
| CVE-2022-43166 | 1 Rukovoditel | 1 Rukovoditel | 2025-05-08 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity".
| CVE-2022-43165 | 1 Rukovoditel | 1 Rukovoditel | 2025-05-08 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create".
| CVE-2022-43164 | 1 Rukovoditel | 1 Rukovoditel | 2025-05-08 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add".
| CVE-2022-42466 | 1 Apache | 1 Isis | 2025-05-08 | N/A | 6.1 MEDIUM |
Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter JavaScript or similar and this would be executed. As of this release, the inputted strings are properly escaped when rendered.
| CVE-2024-1754 | 1 Computy | 1 Nps Computy | 2025-05-08 | N/A | 4.7 MEDIUM |
The NPS computy WordPress plugin through 2.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
| CVE-2024-10562 | 1 10web | 1 Form Maker | 2025-05-08 | N/A | 2.7 LOW |
The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
| CVE-2024-11223 | 1 Wpforms | 1 Wpforms | 2025-05-08 | N/A | 4.7 MEDIUM |
The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
| CVE-2024-10678 | 1 Dotcamp | 1 Ultimate Blocks | 2025-05-08 | N/A | 5.4 MEDIUM |
The Ultimate Blocks WordPress plugin before 3.2.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
| CVE-2024-6134 | 1 Tipsandtricks-hq | 1 Wp Estore | 2025-05-08 | N/A | 5.4 MEDIUM |
The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
| CVE-2024-6133 | 1 Tipsandtricks-hq | 1 Wp Estore | 2025-05-08 | N/A | 6.5 MEDIUM |
The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
| CVE-2024-12568 | 1 Icegram | 1 Email Subscribers & Newsletters | 2025-05-08 | N/A | 4.8 MEDIUM |
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
| CVE-2024-12567 | 1 Icegram | 1 Email Subscribers & Newsletters | 2025-05-08 | N/A | 4.8 MEDIUM |
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
| CVE-2024-12566 | 1 Icegram | 1 Email Subscribers & Newsletters | 2025-05-08 | N/A | 4.8 MEDIUM |
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
| CVE-2024-11636 | 1 Icegram | 1 Email Subscribers & Newsletters | 2025-05-08 | N/A | 4.8 MEDIUM |
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Text Block options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
| CVE-2022-43425 | 1 Jenkins | 1 Custom Checkbox Parameter | 2025-05-08 | N/A | 5.4 MEDIUM |
Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
| CVE-2022-43420 | 1 Jenkins | 1 Contrast Continuous Application Security | 2025-05-08 | N/A | 5.4 MEDIUM |
Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses.
| CVE-2022-2627 | 1 Tagdiv | 1 Newspaper | 2025-05-08 | N/A | 6.1 MEDIUM |
The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting.
| CVE-2024-2159 | 1 Heateor | 1 Sassy Social Share | 2025-05-08 | N/A | 4.7 MEDIUM |
The Social Sharing Plugin WordPress plugin before 3.3.61 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
| CVE-2024-0905 | 1 Radykal | 1 Fancy Product Designer | 2025-05-08 | N/A | 6.3 MEDIUM |
The Fancy Product Designer WordPress plugin before 6.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against unauthenticated and admin-level users
| CVE-2024-3261 | 1 Wpchill | 1 Strong Testimonials | 2025-05-08 | N/A | 4.8 MEDIUM |
The Strong Testimonials WordPress plugin before 3.1.12 does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be performed
| CVE-2024-2972 | 1 Premio | 1 Floating Chat Widget | 2025-05-08 | N/A | 3.8 LOW |
The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
| CVE-2024-2402 | 1 Utopique | 1 Better Comments | 2025-05-08 | N/A | 5.4 MEDIUM |
The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
| CVE-2025-2371 | 1 Phpgurukul | 1 Human Metapneumovirus Testing Management System | 2025-05-08 | 4.0 MEDIUM | 3.5 LOW |
A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /registered-user-testing.php of the component Registered Mobile Number Search. The manipulation of the argument regmobilenumber leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
| CVE-2025-2375 | 1 Phpgurukul | 1 Human Metapneumovirus Testing Management System | 2025-05-08 | 4.0 MEDIUM | 3.5 LOW |
A vulnerability, which was classified as problematic, was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. Affected is an unknown function of the file /profile.php of the component Admin Profile Page. The manipulation of the argument email leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
| CVE-2024-2908 | 1 Callnowbutton | 1 Call Now Button | 2025-05-08 | N/A | 4.3 MEDIUM |
The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
| CVE-2024-2310 | 1 Ljapps | 1 Wp Google Review Slider | 2025-05-08 | N/A | 5.9 MEDIUM |
The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
| CVE-2021-33231 | 1 Easyvista | 1 Service Manager | 2025-05-08 | N/A | 5.4 MEDIUM |
Cross Site Scripting (XSS) vulnerability in New equipment page in EasyVista Service Manager 2018.1.181.1 allows remote attackers to run arbitrary code via the notes field.
| CVE-2018-8032 | 3 Apache, Debian, Oracle | 38 Axis, Debian Linux, Agile Engineering Data Management and 35 more | 2025-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.
| CVE-2016-5512 | 1 Oracle | 1 Agile Product Lifecycle Management | 2025-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2016-5521.
| CVE-2024-1746 | 1 Radiustheme | 1 Testimonial Slider And Showcase | 2025-05-08 | N/A | 5.4 MEDIUM |
The Testimonial Slider WordPress plugin before 2.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
| CVE-2024-1660 | 1 Wpdarko | 1 Top Bar | 2025-05-08 | N/A | 4.8 MEDIUM |
The Top Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
| CVE-2024-2444 | 1 Data443 | 1 Inline Related Posts | 2025-05-08 | N/A | 4.8 MEDIUM |
The Inline Related Posts WordPress plugin before 3.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
| CVE-2024-3752 | 1 Crelly Slider Project | 1 Crelly Slider | 2025-05-08 | N/A | 5.4 MEDIUM |
The Crelly Slider WordPress plugin through 1.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
| CVE-2024-0904 | 1 Radykal | 1 Fancy Product Designer | 2025-05-08 | N/A | 5.9 MEDIUM |
The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
| CVE-2024-3692 | 1 Jegstudio | 1 Gutenverse | 2025-05-08 | N/A | 6.1 MEDIUM |
The Gutenverse WordPress plugin before 1.9.1 does not validate the htmlTag option in various of its blocks before outputting it back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
| CVE-2024-3637 | 1 Themehunk | 1 Contact Form & Lead Form Elementor Builder | 2025-05-08 | N/A | 6.1 MEDIUM |
The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
| CVE-2024-25225 | 1 Code-projects | 1 Simple Admin Panel | 2025-05-08 | N/A | 5.4 MEDIUM |
A cross-site scripting (XSS) vulnerability in Simple Admin Panel App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter under the Add Category function.
| CVE-2022-42200 | 1 Simple Exam Reviewer Management System Project | 1 Simple Exam Reviewer Management System | 2025-05-08 | N/A | 5.4 MEDIUM |
Simple Exam Reviewer Management System v1.0 is vulnerable to Stored Cross Site Scripting (XSS) via the Exam List.