Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5802 | 1 Mythemeshop | 1 Url Shortener | 2025-03-13 | N/A | 4.8 MEDIUM |
|
The URL Shortener by Myhop WordPress plugin through 1.0.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2024-48937 | 1 Znuny | 1 Znuny | 2025-03-13 | N/A | 6.1 MEDIUM |
|
Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed.
|
|||||
| CVE-2024-44716 | 1 Dedebiz | 1 Dedebiz | 2025-03-13 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in DedeBIZ v6.3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-3986 | 1 Themeboy | 1 Sportspress | 2025-03-13 | N/A | 4.8 MEDIUM |
|
The SportsPress WordPress plugin before 2.7.22 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-39126 | 1 Roundup-tracker | 1 Roundup | 2025-03-13 | N/A | 5.4 MEDIUM |
|
Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.
|
|||||
| CVE-2024-37878 | 1 Twcms | 1 Twcms | 2025-03-13 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in TWCMS v.2.0.3 allows a remote attacker to execute arbitrary code via the /TWCMS-gh-pages/twcms/runtime/twcms_view/default,index.htm.php" PHP directly echoes parameters input from external sources
|
|||||
| CVE-2024-24507 | 1 Act-on | 1 Act-on | 2025-03-13 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Act-On 2023 allows a remote attacker to execute arbitrary code via the newUser parameter in the login.jsp component.
|
|||||
| CVE-2024-5901 | 1 Siteorigin | 1 Siteorigin Widgets Bundle | 2025-03-13 | N/A | 6.4 MEDIUM |
|
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid widget in all versions up to, and including, 1.62.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-47632 | 1 Detheme | 1 Dethemekit For Elementor | 2025-03-13 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in deTheme DethemeKit For Elementor allows Stored XSS.This issue affects DethemeKit For Elementor: from n/a through 2.1.7.
|
|||||
| CVE-2024-47360 | 1 Ba-booking | 1 Ba Book Everything | 2025-03-13 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Booking Algorithms BA Book Everything allows Reflected XSS.This issue affects BA Book Everything: from n/a through 1.6.20.
|
|||||
| CVE-2024-39203 | 1 Zblogcn | 1 Z-blogphp | 2025-03-13 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the Backend Theme Management module of Z-BlogPHP v1.7.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-50437 | 1 Ayecode | 1 Geodirectory | 2025-03-13 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AyeCode GeoDirectory allows Stored XSS.This issue affects GeoDirectory: from n/a through 2.3.80.
|
|||||
| CVE-2024-12119 | 1 Fooplugins | 1 Foogallery | 2025-03-13 | N/A | 6.4 MEDIUM |
|
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the default_gallery_title_size parameter in all versions up to, and including, 2.4.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with granted gallery and album creator roles, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected pag ...
Show More |
|||||
| CVE-2025-1354 | 2025-03-13 | 3.3 LOW | 2.4 LOW | ||
|
A cross-site scripting (XSS) vulnerability in the RT-N10E/ RT-N12E 2.0.0.x firmware . This vulnerability caused by improper input validation and can be triggered via the manipulation of the SSID argument in the sysinfo.asp file, leading to disclosure of sensitive information. Note: All versions of RT-N10E and RT-N12E are unsupported (End-of-Life, EOL). Consumers can mitigate this vulnerability by disabling the remote access features from WAN
|
|||||
| CVE-2025-1503 | 2025-03-13 | N/A | 6.4 MEDIUM | ||
|
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-1559 | 2025-03-13 | N/A | 6.4 MEDIUM | ||
|
The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-30200 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2025-03-13 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 BEAR allows Reflected XSS.This issue affects BEAR: from n/a through 1.1.4.2.
|
|||||
| CVE-2024-1328 | 1 Newsletter2go | 1 Newsletter2go | 2025-03-13 | N/A | 6.4 MEDIUM |
|
The Newsletter2Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 4.0.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2031 | 1 Imdpen | 1 Video Conferencing With Zoom | 2025-03-13 | N/A | 6.4 MEDIUM |
|
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoom_recordings_by_meeting' shortcode in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1723 | 1 Siteorigin | 1 Siteorigin Widgets Bundle | 2025-03-13 | N/A | 6.4 MEDIUM |
|
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.58.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Affected parameters include: $instance['fonts']['title_options']['tag'], $headline_tag, ...
Show More |
|||||
| CVE-2023-0428 | 1 Kibokolabs | 1 Watu Quiz | 2025-03-12 | N/A | 6.1 MEDIUM |
|
The Watu Quiz WordPress plugin before 3.3.8.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-3672 | 1 Ba-booking | 1 Ba Book Everything | 2025-03-12 | N/A | 6.4 MEDIUM |
|
The BA Book Everything plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'all-items' shortcode in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping on user supplied attributes such as 'classes'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-32598 | 1 Ba-booking | 1 Ba Book Everything | 2025-03-12 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Booking Algorithms BA Book Everything allows Stored XSS.This issue affects BA Book Everything: from n/a through 1.6.8.
|
|||||
| CVE-2024-32576 | 1 Ba-booking | 1 Ba Book Everything | 2025-03-12 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Booking Algorithms BA Book Everything allows Stored XSS.This issue affects BA Book Everything: from n/a through 1.6.8.
|
|||||
| CVE-2024-3615 | 1 Maxfoundry | 1 Media Library Folders | 2025-03-12 | N/A | 6.1 MEDIUM |
|
The Media Library Folders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 8.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-7301 | 1 Iptanus | 1 Wordpress File Upload | 2025-03-12 | N/A | 7.2 HIGH |
|
The WordPress File Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.24.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
|
|||||
| CVE-2024-56357 | 1 Getgrist | 1 Grist-core | 2025-03-12 | N/A | 8.1 HIGH |
|
grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust.
|
|||||
| CVE-2024-56358 | 1 Getgrist | 1 Grist-core | 2025-03-12 | N/A | 8.1 HIGH |
|
grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust.
|
|||||
| CVE-2024-56359 | 1 Getgrist | 1 Grist-core | 2025-03-12 | N/A | 8.1 HIGH |
|
grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in doc ...
Show More |
|||||
| CVE-2025-2084 | 1 Phpgurukul | 1 Human Metapneumovirus | 2025-03-12 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /search-report.php of the component Search Report Page. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2023-0231 | 1 Hasthemes | 1 Shoplentor | 2025-03-12 | N/A | 5.4 MEDIUM |
|
The ShopLentor WordPress plugin before 2.5.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2023-26214 | 1 Tibco | 1 Businessconnect | 2025-03-12 | N/A | 7.3 HIGH |
|
The BusinessConnect UI component of TIBCO Software Inc.'s TIBCO BusinessConnect contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect: versions 7.3.0 and below.
|
|||||
| CVE-2023-22427 | 1 Ss-proj | 1 Shirasagi | 2025-03-12 | N/A | 4.8 MEDIUM |
|
Stored cross-site scripting vulnerability in Theme switching function of SHIRASAGI v1.16.2 and earlier versions allows a remote attacker with an administrative privilege to inject an arbitrary script.
|
|||||
| CVE-2023-22425 | 1 Ss-proj | 1 Shirasagi | 2025-03-12 | N/A | 5.4 MEDIUM |
|
Stored cross-site scripting vulnerability in Schedule function of SHIRASAGI v1.16.2 and earlier versions allows a remote authenticated attacker to inject an arbitrary script.
|
|||||
| CVE-2023-0419 | 1 Smg-webdesign | 1 Shortcode For Font Awesome | 2025-03-12 | N/A | 5.4 MEDIUM |
|
The Shortcode for Font Awesome WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2023-0285 | 1 Devowl | 1 Real Media Library | 2025-03-12 | N/A | 5.4 MEDIUM |
|
The Real Media Library WordPress plugin before 4.18.29 does not sanitise and escape the created folder names, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2022-4777 | 1 Bootstrap Shortcodes Project | 1 Bootstrap Shortcodes | 2025-03-12 | N/A | 5.4 MEDIUM |
|
The Bootstrap Shortcodes WordPress plugin through 3.4.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2022-4754 | 1 Easy Social Box Project | 1 Easy Social Box | 2025-03-12 | N/A | 5.4 MEDIUM |
|
The Easy Social Box / Page Plugin WordPress plugin through 4.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2022-48345 | 1 Paypal | 1 Braintree\/sanitize-url | 2025-03-12 | N/A | 6.1 MEDIUM |
|
sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.
|
|||||
| CVE-2021-33387 | 1 1234n | 1 Minicms | 2025-03-12 | N/A | 9.6 CRITICAL |
|
Cross Site Scripting Vulnerability in MiniCMS v.1.10 allows attacker to execute arbitrary code via a crafted get request.
|
|||||