Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-1672 | | | 2025-03-06 | N/A | 5.5 MEDIUM | The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations whe ... |
| CVE-2025-22623 | | | 2025-03-06 | N/A | N/A | Ad Inserter - Ad Manager and AdSense Ads 2.8.0 was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/includes/dst/dst.php. |
| CVE-2024-23186 | 1 Open-xchange | 1 Ox App Suite | 2025-03-05 | N/A | 6.5 MEDIUM | E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding display-name information in the web interface. No publicly available exploits are known. |
| CVE-2024-23187 | 1 Open-xchange | 1 Ox App Suite | 2025-03-05 | N/A | 6.5 MEDIUM | Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the user's account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known. |
| CVE-2025-0918 | 1 Yaycommerce | 1 Yaysmtp | 2025-03-05 | N/A | 7.2 HIGH | The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-0953 | 1 Yaycommerce | 1 Yaysmtp | 2025-03-05 | N/A | 7.2 HIGH | The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2021-33351 | 1 Wyomind | 1 Help Desk | 2025-03-05 | N/A | 9.0 CRITICAL | Cross Site Scripting vulnerability in the Wyomind Help Desk Magento 2 extension v1.3.6 and before, fixed in v1.3.7, allows attackers to escalate privileges via a crafted payload in the ticket message field. |
| CVE-2024-30232 | 1 Exclusiveaddons | 1 Exclusive Addons For Elementor | 2025-03-05 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.6.9. |
| CVE-2024-30177 | 1 Exclusiveaddons | 1 Exclusive Addons For Elementor | 2025-03-05 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.6.8. |
| CVE-2023-50961 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2025-03-05 | N/A | 4.8 MEDIUM | IBM QRadar SIEM 7.5 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 275939. |
| CVE-2024-27270 | 1 Ibm | 1 Websphere Application Server | 2025-03-05 | N/A | 4.7 MEDIUM | IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in a specially crafted URI. IBM X-Force ID: 284576. |
| CVE-2025-27500 | 1 Openziti | 1 Openziti | 2025-03-05 | N/A | 8.2 HIGH | OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint (/api/upload) on the admin panel can be accessed without any form of authentication. This endpoint accepts an HTTP POST to upload a file which is then stored on the node and is available via URL. This can lead to a stored cross site scripting attack if the file uploaded contains malicious code and is then accessed and executed within the context of the user's browser. This function is no long ... |
| CVE-2025-1892 | 1 Qzw1210 | 1 Shishuocms | 2025-03-05 | 3.3 LOW | 2.4 LOW | A vulnerability was found in shishuocms 1.1. It has been classified as problematic. Affected is an unknown function of the file /manage/folder/add.json of the component Directory Deletion Page. The manipulation of the argument folderName leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-29774 | 1 Wpdirectorykit | 1 Wp Directory Kit | 2025-03-05 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpDirectoryKit WP Directory Kit allows Reflected XSS. This issue affects WP Directory Kit: from n/a through 1.2.9. |
| CVE-2024-11132 | 1 Imithemes | 1 Eventer | 2025-03-05 | N/A | 6.4 MEDIUM | The Eventer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-7015 | 1 Filemanagerpro.io | 1 File Manager Pro | 2025-03-05 | N/A | 6.1 MEDIUM | The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tb' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| CVE-2024-1585 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2025-03-05 | N/A | 6.4 MEDIUM | The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-3714 | 1 Givewp | 1 Givewp | 2025-03-05 | N/A | 6.4 MEDIUM | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an ... |
| CVE-2023-29854 | 1 Dircms Project | 1 Dircms | 2025-03-05 | N/A | 6.1 MEDIUM | DirCMS 6.0.0 has a Cross Site Scripting (XSS) vulnerability in the foreground. |
| CVE-2023-26950 | 1 Onekeyadmin | 1 Onekeyadmin | 2025-03-05 | N/A | 5.4 MEDIUM | onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Title parameter under the Adding Categories module. |
| CVE-2023-24657 | 1 Phpipam | 1 Phpipam | 2025-03-05 | N/A | 6.1 MEDIUM | phpipam v1.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the closeClass parameter at /subnet-masks/popup.php. |
| CVE-2023-24282 | 1 Poly | 2 Trio 8800, Trio 8800 Firmware | 2025-03-05 | N/A | 5.4 MEDIUM | An arbitrary file upload vulnerability in Poly Trio 8800 7.2.2.1094 allows attackers to execute arbitrary code via a crafted ringtone file. |
| CVE-2023-1325 | 1 Yikesinc | 1 Easy Forms For Mailchimp | 2025-03-05 | N/A | 5.4 MEDIUM | The Easy Forms for Mailchimp WordPress plugin before 6.8.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2024-29763 | 1 Pluginus | 1 Wordpress Meta Data And Taxonomies Filter | 2025-03-05 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Reflected XSS. This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3. |
| CVE-2024-29932 | 1 Pluginus | 1 Wordpress Meta Data And Taxonomies Filter | 2025-03-05 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Stored XSS. This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.2. |
| CVE-2024-29906 | 1 Pluginus | 1 Wordpress Meta Data And Taxonomies Filter | 2025-03-05 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Stored XSS. This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.2. |
| CVE-2024-55064 | 1 Easyvirt | 1 Dc Netscope | 2025-03-05 | N/A | 5.4 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in EasyVirt DC NetScope <= 8.6.4 allow remote attackers to inject arbitrary JavaScript or HTML code via the (1) smtp_server, (2) smtp_account, (3) smtp_password, or (4) email_recipients parameter to /smtp/update; the (5) ntp or (6) dns parameter to /proxy/ntp/change; or the (7) newVcenterAddress parameter to /process_new_vcenter. |
| CVE-2025-0512 | 1 Wpsc-plugin | 1 Structured Content | 2025-03-05 | N/A | 6.4 MEDIUM | The Structured Content (JSON-LD) #wpsc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 6.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-0370 | 1 Vanokhin | 1 Shortcodes Ultimate | 2025-03-05 | N/A | 6.4 MEDIUM | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'src' parameter in all versions up to, and including, 7.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-3763 | 1 Emlog | 1 Emlog | 2025-03-05 | 3.3 LOW | 2.4 LOW | A vulnerability was found in Emlog Pro 2.2.10. It has been rated as problematic. This issue affects some unknown processing of the file /admin/tag.php of the component Post Tag Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260603. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-3762 | 1 Emlog | 1 Emlog | 2025-03-05 | 3.3 LOW | 2.4 LOW | A vulnerability was found in Emlog Pro 2.2.10. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/twitter.php of the component Whisper Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-260602 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-40696 | 1 Ibm | 1 Sterling B2b Integrator | 2025-03-05 | N/A | 4.8 MEDIUM | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
| CVE-2024-47103 | 1 Ibm | 1 Sterling B2b Integrator | 2025-03-05 | N/A | 4.8 MEDIUM | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
| CVE-2024-47116 | 1 Ibm | 1 Sterling B2b Integrator | 2025-03-05 | N/A | 5.4 MEDIUM | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
| CVE-2024-27987 | 1 Givewp | 1 Givewp | 2025-03-05 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GiveWP Give allows Reflected XSS. This issue affects Give: from n/a through 3.3.1. |
| CVE-2024-2123 | 1 Ultimatemember | 1 Ultimate Member | 2025-03-05 | N/A | 7.2 HIGH | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-2075 | 1 Remyandrade | 1 Daily Habit Tracker | 2025-03-05 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in SourceCodester Daily Habit Tracker 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /endpoint/update-tracker.php. The manipulation of the argument day leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255391. |
| CVE-2025-22272 | | | 2025-03-05 | N/A | N/A | In the "/EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg" endpoint, it is possible to inject code in the "modalDlgMsgInternal" parameter via POST, which is then executed in the browser. The risk of exploiting the vulnerability is reduced because an additional bypass of the Content-Security-Policy is required. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive an ... |
| CVE-2025-22270 | | | 2025-03-05 | N/A | N/A | An attacker with access to the Administration panel, specifically the "Role Management" tab, can inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting the vulnerability is reduced because an additional flaw allowing a bypass of the Content-Security-Policy is required; the policy mitigates JS code execution while still allowing HTML injection. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other ... |
| CVE-2024-31913 | 1 Ibm | 1 Sterling B2b Integrator | 2025-03-05 | N/A | 5.5 MEDIUM | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |