Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-40287 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.0 CRITICAL | The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in messaging functionality, leading to privilege escalation or a compromise of a targeted account. |
| CVE-2022-3441 | 1 Rockcontent | 1 Rock Convert | 2025-05-06 | N/A | 4.8 MEDIUM | The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2022-3440 | 1 Rockcontent | 1 Rock Convert | 2025-05-06 | N/A | 6.1 MEDIUM | The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape a URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting. |
| CVE-2018-19904 | 1 Xsltcms.org Project | 1 Xsltcms.org | 2025-05-06 | 4.3 MEDIUM | 6.1 MEDIUM | Persistent XSS exists in XSLT CMS via the create/?action=items.edit&type=Page "body" field. |
| CVE-2024-10679 | 1 Expresstech | 1 Quiz And Survey Master | 2025-05-06 | N/A | 6.1 MEDIUM | The Quiz and Survey Master (QSM) WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2025-1452 | 1 Favoriteposts | 1 Favorites | 2025-05-06 | N/A | 3.5 LOW | The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2023-2304 | 1 Favoriteposts | 1 Favorites | 2025-05-06 | N/A | 6.4 MEDIUM | The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_favorites' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-12682 | 1 Brijeshk89 | 1 Smart Maintenance Mode | 2025-05-06 | N/A | 6.1 MEDIUM | The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2023-52430 | 1 Authcrunch | 1 Caddy-security | 2025-05-06 | N/A | 6.1 MEDIUM | The caddy-security plugin 1.1.20 for Caddy allows reflected XSS via a GET request to a URL that contains an XSS payload and begins with either a /admin or /settings/mfa/delete/ substring. |
| CVE-2018-19918 | 1 Cuppacms | 1 Cuppacms | 2025-05-06 | 3.5 LOW | 5.4 MEDIUM | CuppaCMS has XSS via an SVG document uploaded to the administrator/#/component/table_manager/view/cu_views URI. |
| CVE-2018-19906 | 1 Razorcms | 1 Razorcms | 2025-05-06 | 3.5 LOW | 5.4 MEDIUM | Stored XSS exists in razorCMS 3.4.8 via the /#/page description parameter. |
| CVE-2018-19905 | 1 Razorcms | 1 Razorcms | 2025-05-06 | 3.5 LOW | 5.4 MEDIUM | HTML injection exists in razorCMS 3.4.8 via the /#/page keywords parameter. |
| CVE-2024-12683 | 1 Brijeshk89 | 1 Smart Maintenance Mode | 2025-05-06 | N/A | 3.5 LOW | The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-44046 | 1 Themify | 1 Woocommerce Product Filter | 2025-05-06 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themify Themify – WooCommerce Product Filter allows Stored XSS. This issue affects Themify – WooCommerce Product Filter: from n/a through 1.5.1. |
| CVE-2024-5968 | 1 10web | 1 Photo Gallery | 2025-05-06 | N/A | 4.8 MEDIUM | The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-48622 | 1 Domainmod | 1 Domainmod | 2025-05-06 | N/A | 6.6 MEDIUM | A cross-site scripting (XSS) issue in DomainMOD below v4.12.0 allows remote attackers to inject JavaScript code via admin/domain-fields/edit.php and the cdfid parameter. |
| CVE-2024-48623 | 1 Domainmod | 1 Domainmod | 2025-05-06 | N/A | 5.3 MEDIUM | In queue\index.php of DomainMOD below v4.12.0, the list_id and domain_id parameters in the GET request can be exploited to cause a reflected Cross Site Scripting (XSS). |
| CVE-2024-48624 | 1 Domainmod | 1 Domainmod | 2025-05-06 | N/A | 5.3 MEDIUM | In segments\edit.php of DomainMOD below v4.12.0, the segid parameter in the GET request can be exploited to cause a reflected Cross Site Scripting (XSS) vulnerability. |
| CVE-2024-25381 | 1 Emlog | 1 Emlog | 2025-05-06 | N/A | 6.1 MEDIUM | There is a Stored XSS Vulnerability in Emlog Pro 2.2.8 Article Publishing, due to non-filtering of quoted content. |
| CVE-2022-40487 | 1 Processwire | 1 Processwire | 2025-05-06 | N/A | 6.1 MEDIUM | ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload. |
| CVE-2018-6341 | 1 Facebook | 1 React | 2025-05-06 | 4.3 MEDIUM | 6.1 MEDIUM | React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2. |
| CVE-2024-5075 | 1 Tipsandtricks-hq | 1 Wp Emember | 2025-05-06 | N/A | 5.9 MEDIUM | The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2024-5079 | 1 Tipsandtricks-hq | 1 Wp Emember | 2025-05-06 | N/A | 6.1 MEDIUM | The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape some of the fields when members register, which allows unauthenticated users to perform Stored Cross-Site Scripting attacks. |
| CVE-2024-40576 | 1 Mayurik | 1 Best House Rental Management System | 2025-05-06 | N/A | 4.7 MEDIUM | Cross Site Scripting vulnerability in Best House Rental Management System 1.0 allows a remote attacker to execute arbitrary code via the "House No" and "Description" parameters in the houses page at the index.php component. |
| CVE-2024-6408 | 1 10web | 1 Slider | 2025-05-06 | N/A | 5.4 MEDIUM | The Slider by 10Web WordPress plugin before 1.2.57 does not sanitise and escape its Slider Title, which could allow high privilege users such as editors and above to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2024-13825 | 1 Intricateweb | 1 Email Keep | 2025-05-06 | N/A | 6.1 MEDIUM | The Email Keep WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2022-3237 | 1 Wpexperts | 1 Wp Contact Slider | 2025-05-06 | N/A | 4.8 MEDIUM | The WP Contact Slider WordPress plugin before 2.4.8 does not sanitize and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2022-3096 | 1 Wp Total Hacks Project | 1 Wp Total Hacks | 2025-05-06 | N/A | 5.4 MEDIUM | The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well. |
| CVE-2024-13615 | 1 Socialsnap | 1 Social Snap | 2025-05-06 | N/A | 3.5 LOW | The Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap WordPress plugin through 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-13836 | 1 Forsyspress | 1 Wp Login Control | 2025-05-06 | N/A | 7.1 HIGH | The WP Login Control WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2023-6694 | 1 Fastlinemedia | 1 Beaver Themer | 2025-05-06 | N/A | 6.4 MEDIUM | The Beaver Themer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied custom fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-0662 | 1 Colorlib | 1 Fancybox | 2025-05-06 | N/A | 4.4 MEDIUM | The FancyBox for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions 3.0.2 to 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disable ... |
| CVE-2024-1852 | 1 Butlerblog | 1 Wp-members | 2025-05-06 | N/A | 7.2 HIGH | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page. This vulnerability was partially patched in version 3.4.9.2, and was fully patch ... |
| CVE-2024-1960 | 1 Hasthemes | 1 Shoplentor | 2025-05-06 | N/A | 6.4 MEDIUM | The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Special Offer Day Widget Banner Link in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages th ... |
| CVE-2024-2026 | 1 Wpchill | 1 Passster | 2025-05-06 | N/A | 6.4 MEDIUM | The Passster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_protector shortcode in all versions up to, and including, 4.2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-3858 | 1 Giorgi | 1 Formality | 2025-05-06 | N/A | 6.4 MEDIUM | The Formality plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-3748 | 1 Pluginus | 1 Taxonomy Chain Menu | 2025-05-06 | N/A | 6.4 MEDIUM | The Taxonomy Chain Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pn_chain_menu shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-3510 | 1 Tagdiv | 1 Composer | 2025-05-06 | N/A | 6.4 MEDIUM | The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2018-6333 | 1 Facebook | 1 Nuclide | 2025-05-06 | 7.5 HIGH | 9.8 CRITICAL | The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0. |
| CVE-2018-1000874 | 1 Cebe | 1 Markdown | 2025-05-06 | 4.3 MEDIUM | 6.1 MEDIUM | PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a malicious crafted script to be executed that can result in the loss of user data and sensitive user information. This attack can be exploited by crafting a three backtick wrapped payload with a character in front: L: "```<script>alert();</script>```". NOTE: This has been argued as a non-issue (see references) since it is not the parser's job to sanitize mal ... |