Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-32196 | | | 2025-04-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blazethemes News Kit Elementor Addons allows Stored XSS. This issue affects News Kit Elementor Addons: from n/a through 1.3.1. |
| CVE-2025-32173 | | | 2025-04-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Blocks - The ultimate block collection allows Stored XSS. This issue affects B Blocks - The ultimate block collection: from n/a through 2.0.0. |
| CVE-2025-32130 | | | 2025-04-07 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc. Posts Footer Manager allows Stored XSS. This issue affects Posts Footer Manager: from n/a through 2.2.0. |
| CVE-2025-32162 | | | 2025-04-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Morgan Kay Chamber Dashboard Business Directory allows DOM-Based XSS. This issue affects Chamber Dashboard Business Directory: from n/a through 3.3.11. |
| CVE-2025-22281 | | | 2025-04-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in joshix Simplish allows Stored XSS. This issue affects Simplish: from n/a through 2.6.4. |
| CVE-2025-31418 | | | 2025-04-07 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noonnoo Gravel allows Reflected XSS. This issue affects Gravel: from n/a through 1.6. |
| CVE-2025-32186 | | | 2025-04-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Turbo Addons Turbo Addons for Elementor allows DOM-Based XSS. This issue affects Turbo Addons for Elementor: from n/a through 1.7.1. |
| CVE-2025-3191 | | | 2025-04-07 | N/A | 6.1 MEDIUM | All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button, which results in the payload being saved in the `<iframe>` tag. |
| CVE-2025-32179 | | | 2025-04-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Maps for WP allows Stored XSS. This issue affects Maps for WP: from n/a through 1.2.4. |
| CVE-2025-2836 | | | 2025-04-07 | N/A | 6.4 MEDIUM | The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘payment_method’ parameter in all versions up to, and including, 6.0.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-2544 | | | 2025-04-07 | N/A | 6.4 MEDIUM | The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. |
| CVE-2025-2889 | | | 2025-04-07 | N/A | 6.4 MEDIUM | The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Additional Parameters in all versions up to, and including, 7.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-29839 | 1 Digitaldruid | 1 Hoteldruid | 2025-04-07 | N/A | 5.4 MEDIUM | A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function. |
| CVE-2025-28094 | 1 Shopxo | 1 Shopxo | 2025-04-07 | N/A | 6.5 MEDIUM | ShopXO v6.4.0 has an SSRF/XSS vulnerability in multiple places. |
| CVE-2025-28097 | 1 Onenav | 1 Onenav | 2025-04-07 | N/A | 5.5 MEDIUM | OneNav 1.1.0 is vulnerable to Cross Site Scripting (XSS) in custom headers. |
| CVE-2024-6497 | 1 Squirrly | 1 Seo Plugin By Squirrly Seo | 2025-04-05 | N/A | 8.8 HIGH | The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-4455 | 1 Yithemes | 1 Yith Woocommerce Ajax Search | 2025-04-04 | N/A | 7.2 HIGH | The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘item’ parameter in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2022-40704 | 1 Phoronix-media | 1 Phoronix Test Suite | 2025-04-04 | N/A | 6.1 MEDIUM | An XSS vulnerability was found in phoromatic_r_add_test_details.php in phoronix-test-suite. |
| CVE-2024-51994 | 1 Combodo | 1 Itop | 2025-04-04 | N/A | 5.4 MEDIUM | Combodo iTop is a web based IT Service Management tool. In affected versions, uploading a text file containing some JavaScript in the portal will trigger a Cross-site Scripting (XSS) vulnerability. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |
| CVE-2024-50991 | 1 Phpgurukul | 1 User Management System | 2025-04-04 | N/A | 4.8 MEDIUM | A Cross Site Scripting (XSS) vulnerability was found in /ums-sp/admin/registered-users.php in PHPGurukul User Management System v1.0, which allows remote attackers to execute arbitrary code via the "fname" POST request parameter. |
| CVE-2022-4480 | 1 Holithemes | 1 Click To Chat | 2025-04-04 | N/A | 5.4 MEDIUM | The Click to Chat WordPress plugin before 3.18.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. |
| CVE-2024-1134 | 1 Seopress | 1 Seopress | 2025-04-04 | N/A | 6.4 MEDIUM | The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SEO title and description parameters as well as others in all versions up to, and including, 7.5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-23637 | 1 Unistra | 1 Impatient | 2025-04-04 | N/A | 7.6 HIGH | IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information. |
| CVE-2023-22296 | 1 Ate-mahoroba | 6 Maho-pbx Netdevancer, Maho-pbx Netdevancer Firmware, Maho-pbx Netdevancer Mobilegate and 3 more | 2025-04-04 | N/A | 6.1 MEDIUM | Reflected cross-site scripting vulnerability in MAHO-PBX NetDevancer series MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allows a remote unauthenticated attacker to inject an arbitrary script. |
| CVE-2022-45613 | 1 Book Store Management System Project | 1 Book Store Management System | 2025-04-04 | N/A | 5.4 MEDIUM | Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the publisher parameter. |
| CVE-2024-1332 | 1 Brainstormforce | 1 Custom Fonts | 2025-04-04 | N/A | 6.4 MEDIUM | The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-5060 | 1 Kapasias | 1 Lottiefiles | 2025-04-04 | N/A | 6.4 MEDIUM | The LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.10.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-5220 | 1 Nicdark | 1 Nd Shortcodes | 2025-04-04 | N/A | 6.4 MEDIUM | The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-5229 | 1 Nicheaddons | 1 Primary Addon For Elementor | 2025-04-04 | N/A | 6.4 MEDIUM | The Primary Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table widget in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-1548 | 1 Iteachyou | 1 Dreamer Cms | 2025-04-04 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in iteachyou Dreamer CMS 4.1.3. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/archives/edit. The manipulation of the argument editorValue/answer/content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2022-39195 | 1 Lsoft | 1 Listserv | 2025-04-04 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the c parameter. |
| CVE-2023-6957 | 1 Fluentforms | 1 Contact Form | 2025-04-04 | N/A | 4.9 MEDIUM | The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploitation level depends on who is granted the right to create forms by an administrator. This level can be as low as contributor, ... |
| CVE-2024-53635 | 1 Phpgurukul | 1 Covid19 Testing Management System | 2025-04-04 | N/A | 4.8 MEDIUM | A Reflected Cross Site Scripting (XSS) vulnerability was found in /covid-tms/patient-search-report.php in PHPGurukul COVID 19 Testing Management System v1.0, which allows remote attackers to execute arbitrary code via the searchdata POST request parameter. |
| CVE-2023-0513 | 1 Iteachyou | 1 Dreamer Cms | 2025-04-04 | 4.0 MEDIUM | 3.5 LOW | A vulnerability has been found in isoftforce Dreamer CMS up to 4.0.1 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.3 is able to address this issue. It is recommended to upgrade the affected component. VDB-219334 is the identifier assigned to this vulnerability. |
| CVE-2023-1746 | 1 Iteachyou | 1 Dreamer Cms | 2025-04-04 | 4.0 MEDIUM | 3.5 LOW | A vulnerability, which was classified as problematic, was found in Dreamer CMS up to 3.5.0. Affected is an unknown function of the component File Upload Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-224634 is the identifier assigned to this vulnerability. |
| CVE-2023-43857 | 1 Iteachyou | 1 Dreamer Cms | 2025-04-04 | N/A | 5.4 MEDIUM | Dreamer CMS v4.1.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /admin/u/toIndex. |
| CVE-2024-34954 | 1 Code-projects | 1 Budget Management | 2025-04-04 | N/A | 6.1 MEDIUM | Code-projects Budget Management 1.0 is vulnerable to Cross Site Scripting (XSS) via the budget parameter. |
| CVE-2023-23019 | 1 Oretnom23 | 1 Blog Site | 2025-04-04 | N/A | 5.4 MEDIUM | Cross site scripting (XSS) vulnerability in file main.php in sourcecodester oretnom23 Blog Site 1.0 via the name and email parameters to function user_add. |
| CVE-2022-43717 | 1 Apache | 1 Superset | 2025-04-04 | N/A | 5.4 MEDIUM | Dashboard rendering does not sufficiently sanitize the content of markdown components, leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. |
| CVE-2024-32409 | 1 Sem-cms | 1 Semcms | 2025-04-04 | N/A | 7.1 HIGH | An issue in SEMCMS v.4.8 allows a remote attacker to execute arbitrary code via a crafted script. |