Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3392 | 1 Wp Humans.txt Project | 1 Wp Humans.txt | 2025-05-07 | N/A | 4.8 MEDIUM |
|
The WP Humans.txt WordPress plugin through 1.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2022-2190 | 1 Enviragallery | 1 Envira Gallery | 2025-05-07 | N/A | 6.1 MEDIUM |
|
The Gallery Plugin for WordPress plugin before 1.8.4.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
|
|||||
| CVE-2022-2167 | 1 Tagdiv | 1 Newspaper | 2025-05-07 | N/A | 6.1 MEDIUM |
|
The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2021-38728 | 1 Sem-cms | 1 Semcms | 2025-05-07 | N/A | 6.1 MEDIUM |
|
SEMCMS SHOP v 1.1 is vulnerable to Cross Site Scripting (XSS) via Ant_M_Coup.php.
|
|||||
| CVE-2025-0984 | 2025-05-07 | N/A | 8.2 HIGH | ||
|
Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netoloji Software E-Flow allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS, File Content Injection.This issue affects E-Flow: before 3.23.00.
|
|||||
| CVE-2025-3020 | 2025-05-07 | N/A | 5.4 MEDIUM | ||
|
An low privileged remote Attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage with limited impact.
|
|||||
| CVE-2025-4220 | 2025-05-07 | N/A | 6.4 MEDIUM | ||
|
The Xavin's List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xls' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-4055 | 2025-05-07 | N/A | 6.4 MEDIUM | ||
|
The Multiple Post Type Order plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mpto' shortcode in all versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-4054 | 2025-05-07 | N/A | 6.1 MEDIUM | ||
|
The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up to, and including, 4.24.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the search results.
|
|||||
| CVE-2025-4171 | 2025-05-07 | N/A | 6.4 MEDIUM | ||
|
The WZ Followed Posts – Display what visitors are reading plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wfp' shortcode in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-3782 | 2025-05-07 | N/A | 6.4 MEDIUM | ||
|
The Cision Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-3860 | 2025-05-07 | N/A | 6.4 MEDIUM | ||
|
The CarDealerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘saleclass' parameter in all versions up to, and including, 6.7.2504.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-49362 | 1 Joplin Project | 1 Joplin | 2025-05-07 | N/A | 7.7 HIGH |
|
Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. The issue arises due to insufficient sanitization of <a> tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution.
|
|||||
| CVE-2023-49952 | 1 Joinmastodon | 1 Mastodon | 2025-05-07 | N/A | 7.5 HIGH |
|
Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.
|
|||||
| CVE-2016-10878 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS.
|
|||||
| CVE-2015-9305 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS related to the add_query_arg() and remove_query_arg() functions.
|
|||||
| CVE-2023-23878 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | N/A | 5.9 MEDIUM |
|
Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in flippercode WordPress Plugin for Google Maps – WP MAPS plugin <= 4.3.9 versions.
|
|||||
| CVE-2021-24502 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | 3.5 LOW | 4.8 MEDIUM |
|
The WP Google Map WordPress plugin before 1.7.7 did not sanitise or escape the Map Title before outputting them in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2024-9428 | 1 Sygnoos | 1 Popup Builder | 2025-05-07 | N/A | 4.8 MEDIUM |
|
The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-10010 | 1 Thimpress | 1 Learnpress | 2025-05-07 | N/A | 4.8 MEDIUM |
|
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-10637 | 1 Kadencewp | 1 Gutenberg Blocks With Ai | 2025-05-07 | N/A | 5.4 MEDIUM |
|
The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.54 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-9641 | 1 Theluckywp | 1 Luckywp Table Of Contents | 2025-05-07 | N/A | 4.8 MEDIUM |
|
The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-9881 | 1 Thimpress | 1 Learnpress | 2025-05-07 | N/A | 4.8 MEDIUM |
|
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-2278 | 1 Themify | 1 Woocommerce Product Filter | 2025-05-07 | N/A | 6.1 MEDIUM |
|
Themify WordPress plugin before 1.4.4 does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-1274 | 1 Joedolson | 1 My Calendar | 2025-05-07 | N/A | 5.4 MEDIUM |
|
The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin)
|
|||||
| CVE-2024-10704 | 1 10web | 1 Photo Gallery | 2025-05-07 | N/A | 4.8 MEDIUM |
|
The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-10980 | 1 Bdthemes | 1 Element Pack | 2025-05-07 | N/A | 5.4 MEDIUM |
|
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of its Cookie Consent block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-10551 | 1 Sanil | 1 Sticky Social Icons | 2025-05-07 | N/A | 4.8 MEDIUM |
|
The Sticky Social Icons WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-11183 | 1 Rumspeed | 1 Simple Side Tab | 2025-05-06 | N/A | 4.8 MEDIUM |
|
The Simple Side Tab WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-9651 | 1 Fluentforms | 1 Contact Form | 2025-05-06 | N/A | 6.1 MEDIUM |
|
The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-45986 | 1 Projectworlds | 1 Online Voting System Project | 2025-05-06 | N/A | 5.4 MEDIUM |
|
A stored Cross-Site Scripting (XSS) vulnerability was identified in Projectworld Online Voting System 1.0 that occurs when an account is registered with a malicious javascript payload. The payload is stored and subsequently executed in the voter.php and profile.php pages whenever the account information is accessed.
|
|||||
| CVE-2023-6081 | 1 Chartjs Project | 1 Chartjs | 2025-05-06 | N/A | 5.4 MEDIUM |
|
The chartjs WordPress plugin through 2023.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2022-3420 | 1 Official Integration For Billingo Project | 1 Official Integration For Billingo | 2025-05-06 | N/A | 4.8 MEDIUM |
|
The Official Integration for Billingo WordPress plugin before 3.4.0 does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2022-3408 | 1 Redlettuce | 1 Wp Word Count | 2025-05-06 | N/A | 4.8 MEDIUM |
|
The WP Word Count WordPress plugin through 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
|
|||||
| CVE-2024-45967 | 1 Pagekit | 1 Pagekit | 2025-05-06 | N/A | 4.7 MEDIUM |
|
Pagekit 1.0.18 is vulnerable to Cross Site Scripting (XSS) in index.php/admin/site/widget.
|
|||||
| CVE-2024-28150 | 1 Jenkins | 1 Html Publisher | 2025-05-06 | N/A | 4.7 MEDIUM |
|
Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
|
|||||
| CVE-2024-28149 | 1 Jenkins | 1 Html Publisher | 2025-05-06 | N/A | 6.5 MEDIUM |
|
Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists.
|
|||||
| CVE-2022-40290 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 6.1 MEDIUM |
|
The application was vulnerable to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the barcode generation functionality, allowing attackers to generate an unsafe link that could compromise users.
|
|||||
| CVE-2022-40289 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.0 CRITICAL |
|
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files.
|
|||||
| CVE-2022-40288 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.0 CRITICAL |
|
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile.
|
|||||