Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3866 | | | 2025-04-29 | N/A | 6.1 MEDIUM |
|
The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the google-plus-one-share-button page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-46521 | | | 2025-04-29 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Silver Muru WS Force Login Page allows Stored XSS. This issue affects WS Force Login Page: from n/a through 3.0.3.
|
|||||
| CVE-2025-3752 | | | 2025-04-29 | N/A | 6.4 MEDIUM |
|
The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-46501 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in biancardi Mixcloud Embed allows Stored XSS. This issue affects Mixcloud Embed: from n/a through 2.2.0.
|
|||||
| CVE-2025-46479 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DevynCJohnson BBCode Deluxe allows DOM-Based XSS. This issue affects BBCode Deluxe: from n/a through 2020.08.01.2.
|
|||||
| CVE-2025-46475 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in terrillthompson Able Player allows DOM-Based XSS. This issue affects Able Player: from n/a through 1.2.1.
|
|||||
| CVE-2025-46538 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webplanetsoft Inline Text Popup allows DOM-Based XSS. This issue affects Inline Text Popup: from n/a through 1.0.0.
|
|||||
| CVE-2025-3867 | | | 2025-04-29 | N/A | 6.1 MEDIUM |
|
The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation via the 'acform_cst_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-46472 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webangon The Pack Elementor addons allows Stored XSS. This issue affects The Pack Elementor addons: from n/a through 2.1.2.
|
|||||
| CVE-2025-1294 | | | 2025-04-29 | N/A | 7.2 HIGH |
|
The eForm - WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.18.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-46542 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeXpert Xpert Tab allows Stored XSS. This issue affects Xpert Tab: from n/a through 1.3.
|
|||||
| CVE-2025-3870 | | | 2025-04-29 | N/A | 6.1 MEDIUM |
|
The 1 Decembrie 1918 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.dec.2012. This is due to missing or incorrect nonce validation on the 1-decembrie-1918/1-decembrie-1918.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-46534 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DanielRiera Image Style Hover allows DOM-Based XSS. This issue affects Image Style Hover: from n/a through 1.0.6.
|
|||||
| CVE-2025-46471 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gnanavelshenll WP Custom Post Popup allows DOM-Based XSS. This issue affects WP Custom Post Popup: from n/a through 1.0.1.
|
|||||
| CVE-2025-46469 | | | 2025-04-29 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Buddle Send From allows Stored XSS. This issue affects Send From: from n/a through 2.2.
|
|||||
| CVE-2025-46499 | | | 2025-04-29 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hccoder PayPal Express Checkout allows Stored XSS. This issue affects PayPal Express Checkout: from n/a through 2.1.2.
|
|||||
| CVE-2025-46467 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahendra Putra K™ RAphicon allows DOM-Based XSS. This issue affects RAphicon: from n/a through 2.1.2.
|
|||||
| CVE-2025-46491 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matthew Muro Multi-Column Taxonomy List allows Stored XSS. This issue affects Multi-Column Taxonomy List: from n/a through 1.5.
|
|||||
| CVE-2025-46447 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFable Fable Extra allows DOM-Based XSS. This issue affects Fable Extra: from n/a through 1.0.6.
|
|||||
| CVE-2025-46478 | | | 2025-04-29 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaloha Dropdown Content allows Stored XSS. This issue affects Dropdown Content: from n/a through 1.0.2.
|
|||||
| CVE-2025-46476 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nayon46 Awesome Wp Image Gallery allows Stored XSS. This issue affects Awesome Wp Image Gallery: from n/a through 1.0.
|
|||||
| CVE-2025-39382 | | | 2025-04-29 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danielpataki ACF: Google Font Selector allows Reflected XSS. This issue affects ACF: Google Font Selector: from n/a through 3.0.1.
|
|||||
| CVE-2025-46517 | | | 2025-04-29 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Blog Manager WP allows Stored XSS. This issue affects Blog Manager WP: from n/a through 1.0.5.
|
|||||
| CVE-2025-46234 | | | 2025-04-29 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Razib Control Listings allows Reflected XSS. This issue affects Control Listings: from n/a through 1.0.4.1.
|
|||||
| CVE-2025-46509 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andrey Mikhalchuk 360 View allows Stored XSS. This issue affects 360 View: from n/a through 1.1.0.
|
|||||
| CVE-2025-46451 | | | 2025-04-29 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Floating Social Bar allows Stored XSS. This issue affects Floating Social Bar: from n/a through 1.1.7.
|
|||||
| CVE-2025-46595 | | | 2025-04-29 | N/A | 6.4 MEDIUM |
|
An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow crafted HTML to result in Cross Site Scripting. This is mitigated by the fact that an attacker must have a role with permission to create links on the website, for e ...
|
|||||
| CVE-2025-46496 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oniswap Mini twitter feed allows Stored XSS. This issue affects Mini twitter feed: from n/a through 3.0.
|
|||||
| CVE-2025-46445 | | | 2025-04-29 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pReya External Markdown allows Stored XSS. This issue affects External Markdown: from n/a through 0.0.1.
|
|||||
| CVE-2025-4011 | | | 2025-04-29 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and classified as problematic. This vulnerability affects unknown code of the component Custom Query Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 6.0.4 is able to address this issue. It is recommended to upgrade the affected component.
|
|||||
| CVE-2025-3706 | | | 2025-04-29 | N/A | 6.1 MEDIUM |
|
The eHRMS from 104 Corporation has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.
|
|||||
| CVE-2025-3130 | 1 Drupal | 1 Obfuscate | 2025-04-29 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Obfuscate allows Stored XSS. This issue affects Obfuscate: from 0.0.0 before 2.0.1.
|
|||||
| CVE-2022-42989 | 1 Sankhya | 1 Sankhya Om | 2025-04-29 | N/A | 9.0 CRITICAL |
|
ERP Sankhya before v4.11b81 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Caixa de Entrada.
|
|||||
| CVE-2022-38724 | 1 Silverstripe | 3 Asset Admin, Assets, Framework | 2025-04-29 | N/A | 5.4 MEDIUM |
|
Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS.
|
|||||
| CVE-2022-38462 | 1 Silverstripe | 1 Framework | 2025-04-29 | N/A | 6.1 MEDIUM |
|
Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request.
|
|||||
| CVE-2022-35501 | 1 Amasty | 1 Blog Pro | 2025-04-28 | N/A | 5.4 MEDIUM |
|
Stored Cross-site Scripting (XSS) exists in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 because of the duplicate post function.
|
|||||
| CVE-2022-35500 | 1 Amasty | 1 Blog Pro | 2025-04-28 | N/A | 5.4 MEDIUM |
|
Amasty Blog 2.10.3 is vulnerable to Cross Site Scripting (XSS) via leave comment functionality.
|
|||||
| CVE-2022-45224 | 1 Web-based Student Clearance System Project | 1 Web-based Student Clearance System | 2025-04-28 | N/A | 4.8 MEDIUM |
|
Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in Admin/add-admin.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.
|
|||||
| CVE-2022-45223 | 1 Web-based Student Clearance System Project | 1 Web-based Student Clearance System | 2025-04-28 | N/A | 4.8 MEDIUM |
|
Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.
|
|||||
| CVE-2025-29018 | 1 Codeastro | 1 Internet Banking System | 2025-04-28 | N/A | 4.8 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) vulnerability exists in the name parameter of pages_add_acc_type.php in Code Astro Internet Banking System 2.0.0.
|
|||||