Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2613 | 2025-04-21 | N/A | 4.4 MEDIUM | ||
|
The Login Manager – Design Login Page, View Login Activity, Limit Login Attempts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom logo and background URLs in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only a ...
Show More |
|||||
| CVE-2025-3809 | 2025-04-21 | N/A | 7.2 HIGH | ||
|
The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-3275 | 2025-04-21 | N/A | 6.4 MEDIUM | ||
|
The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TF E Slider widget in all versions up to, and including, 2.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-3840 | 2025-04-21 | N/A | N/A | ||
|
An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions.
|
|||||
| CVE-2025-39469 | 2025-04-21 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pantherius Modal Survey allows Reflected XSS.This issue affects Modal Survey: from n/a through 2.0.2.0.1.
|
|||||
| CVE-2025-3661 | 2025-04-21 | N/A | 6.4 MEDIUM | ||
|
The SB Chart block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-3806 | 2025-04-21 | 3.3 LOW | 2.4 LOW | ||
|
A vulnerability, which was classified as problematic, has been found in dazhouda lecms up to 3.0.3. Affected by this issue is some unknown functionality of the file /admin of the component Edit Profile Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3598 | 2025-04-21 | N/A | 6.1 MEDIUM | ||
|
The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, .6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-1457 | 2025-04-21 | N/A | 6.4 MEDIUM | ||
|
The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Wrapper Link, Countdown and Gallery widgets in all versions up to, and including, 5.10.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an i ...
Show More |
|||||
| CVE-2025-3056 | 2025-04-21 | N/A | 5.4 MEDIUM | ||
|
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
|
|||||
| CVE-2023-0097 | 1 Shapedplugin | 1 Smart Post Show | 2025-04-21 | N/A | 5.4 MEDIUM |
|
The Post Grid, Post Carousel, & List Category Posts WordPress plugin before 2.4.19 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2022-4699 | 1 Mediaelementjs | 1 Mediaelement.js | 2025-04-21 | N/A | 5.4 MEDIUM |
|
The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins.
|
|||||
| CVE-2022-4749 | 1 Infornweb | 1 Posts List Designer | 2025-04-21 | N/A | 5.4 MEDIUM |
|
The Posts List Designer by Category WordPress plugin before 3.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
|
|||||
| CVE-2022-4667 | 1 Themeisle | 1 Rss Aggregator By Feedzy | 2025-04-21 | N/A | 5.4 MEDIUM |
|
The RSS Aggregator by Feedzy WordPress plugin before 4.1.1 does not validate and escape some of its block options before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
|
|||||
| CVE-2025-2583 | 1 Simplemachines | 1 Simple Machines Forum | 2025-04-21 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in SimpleMachines SMF 2.1.4. It has been classified as problematic. This affects an unknown part of the file ManageNews.php. The manipulation of the argument subject/message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor does not declare this issue a security vulnerability due to authentication ...
Show More |
|||||
| CVE-2025-2582 | 1 Simplemachines | 1 Simple Machines Forum | 2025-04-21 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this issue is some unknown functionality of the file ManageAttachments.php. The manipulation of the argument Notice leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor does not declare this issue a security vulnerability due to authenticatio ...
Show More |
|||||
| CVE-2017-9624 | 1 Epesi | 1 Epesi | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted currency decimal-sign data.
|
|||||
| CVE-2017-6717 | 1 Cisco | 1 Secure Firewall Management Center | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. More Information: CSCvc38801. Known Affected Releases: 6.0.1.3 6.2.1. Known Fixed Releases: 6.2.1.
|
|||||
| CVE-2017-6814 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.
|
|||||
| CVE-2017-13762 | 1 Onosproject | 1 Onos | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS.
|
|||||
| CVE-2017-5020 | 1 Google | 1 Chrome | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to require a user gesture for powerful download operations, which allowed a remote attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted HTML page.
|
|||||
| CVE-2015-4707 | 1 Ipython | 1 Ipython | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in IPython before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/notebooks path.
|
|||||
| CVE-2015-8375 | 1 Php-fusion | 1 Php-fusion | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in PHP-Fusion 9.
|
|||||
| CVE-2017-9336 | 1 Wp Editor.md Project | 1 Wp Editor.md | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP Editor.MD plugin 1.6 for WordPress has a stored XSS vulnerability in the content of a post.
|
|||||
| CVE-2015-4706 | 1 Ipython | 1 Ipython | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path.
|
|||||
| CVE-2017-10838 | 1 Seopanel | 1 Seo Panel | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting vulnerability in SEO Panel prior to version 3.11.0 allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2017-9420 | 1 Sunnythemes | 1 Spiffy Calendar | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross site scripting (XSS) vulnerability in the Spiffy Calendar plugin before 3.3.0 for WordPress allows remote attackers to inject arbitrary JavaScript via the yr parameter.
|
|||||
| CVE-2017-15936 | 1 Artica | 1 Pandora Fms | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed.
|
|||||
| CVE-2017-1000160 | 1 Expressionengine | 1 Expressionengine | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection
|
|||||
| CVE-2017-1120 | 1 Ibm | 1 Websphere Portal | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 2000152.
|
|||||
| CVE-2017-3821 | 1 Cisco | 1 Unified Communications Manager | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A vulnerability in the serviceability page of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct reflected cross-site scripting (XSS) attacks. More Information: CSCvc49348. Known Affected Releases: 10.5(2.14076.1). Known Fixed Releases: 12.0(0.98000.209) 12.0(0.98000.478) 12.0(0.98000.609).
|
|||||
| CVE-2017-12591 | 1 Asus | 2 Dsl-n10s, Dsl-n10s Firmware | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
ASUS DSL-N10S V2.1.16_APAC devices have reflected and stored cross site scripting, as demonstrated by the snmpSysName parameter.
|
|||||
| CVE-2017-6817 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
|
|||||
| CVE-2015-7668 | 1 Easy2map | 1 Easy2map | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.3.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map_id parameter.
|
|||||
| CVE-2017-16782 | 1 Home-assistant | 1 Home-assistant | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS.
|
|||||
| CVE-2017-15867 | 1 User-login-history Project | 1 User-login-history | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php.
|
|||||
| CVE-2016-8952 | 1 Ibm | 1 Emptoris Strategic Supply Management | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118839.
|
|||||
| CVE-2017-6503 | 1 Qbittorrent | 1 Qbittorrent | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
WebUI in qBittorrent before 3.3.11 did not escape many values, which could potentially lead to XSS.
|
|||||
| CVE-2017-17933 | 1 Netwin | 1 Surgeftp | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
cgi/surgeftpmgr.cgi (aka the Web Manager interface on TCP port 7021 or 9021) in NetWin SurgeFTP version 23f2 has XSS via the classid, domainid, or username parameter.
|
|||||
| CVE-2015-3998 | 2 Clickfraud-monitoring, Phpwhois Project | 2 Adsense-click-fraud-monitoring, Phpwhois | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in phpwhois 4.2.5, as used in the adsense-click-fraud-monitoring plugin 1.7.5 for WordPress, allows remote attackers to inject arbitrary web script or HTML via the query parameter to whois.php.
|
|||||