Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-30429 | 1 Tuxlog | 1 Wp-forecast | 2025-02-27 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hans Matzen allows Stored XSS. This issue affects wp-forecast: from n/a through 9.2.
|
|||||
| CVE-2024-30428 | 1 Contest-gallery | 1 Contest Gallery | 2025-02-27 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Contest Gallery allows Reflected XSS. This issue affects Contest Gallery: from n/a through 21.3.5.
|
|||||
| CVE-2024-30427 | 1 Spiffyplugins | 1 Spiffy Calendar | 2025-02-27 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spiffy Plugins Spiffy Calendar allows Reflected XSS. This issue affects Spiffy Calendar: from n/a through 4.9.7.
|
|||||
| CVE-2024-1424 | 1 Givewp | 1 Givewp | 2025-02-27 | N/A | 6.4 MEDIUM |
|
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2458 | 1 Codesupplyco | 1 Powerkit | 2025-02-27 | N/A | 6.4 MEDIUM |
|
The Powerkit – Supercharge your WordPress Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-29099 | 1 Evergreencontentposter | 1 Evergreen Content Poster | 2025-02-27 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Evergreen Content Poster allows Reflected XSS. This issue affects Evergreen Content Poster: from n/a through 1.4.1.
|
|||||
| CVE-2024-29128 | 1 Wpexperts | 1 Post Smtp | 2025-02-27 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Post SMTP POST SMTP allows Reflected XSS. This issue affects POST SMTP: from n/a through 2.8.6.
|
|||||
| CVE-2024-29127 | 1 Vasyltech | 1 Advanced Access Manager | 2025-02-27 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager allows Reflected XSS. This issue affects Advanced Access Manager: from n/a through 6.9.20.
|
|||||
| CVE-2024-2247 | 1 Jfrog | 1 Artifactory | 2025-02-27 | N/A | 8.8 HIGH |
|
JFrog Artifactory versions below 7.77.7, 7.82.1, are vulnerable to DOM-based cross-site scripting due to improper handling of the import override mechanism.
|
|||||
| CVE-2024-12463 | 1 Arena.im | 1 Arena.im | 2025-02-27 | N/A | 6.4 MEDIUM |
|
The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arena_embed_amp' shortcode in all versions up to, and including, 0.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-5354 | 1 Getawesomesupport | 1 Awesome Support | 2025-02-26 | N/A | 6.1 MEDIUM |
|
The Awesome Support WordPress plugin before 6.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2023-5228 | 1 Wpeverest | 1 User Registration | 2025-02-26 | N/A | 4.8 MEDIUM |
|
The User Registration WordPress plugin before 3.0.4.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-5181 | 1 Sarveshmrao | 1 Wp Discord Invite | 2025-02-26 | N/A | 4.8 MEDIUM |
|
The WP Discord Invite WordPress plugin before 2.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-4858 | 1 Topcode | 1 Simple Table Manager | 2025-02-26 | N/A | 4.8 MEDIUM |
|
The Simple Table Manager WordPress plugin through 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-4810 | 1 Wpdarko | 1 Responsive Pricing Table | 2025-02-26 | N/A | 4.8 MEDIUM |
|
The Responsive Pricing Table WordPress plugin before 5.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-29623 | 1 Purchase Order Management Project | 1 Purchase Order Management | 2025-02-26 | N/A | 6.1 MEDIUM |
|
Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the password parameter at /purchase_order/classes/login.php.
|
|||||
| CVE-2023-28607 | 1 Misp-project | 1 Malware Information Sharing Platform | 2025-02-26 | N/A | 6.1 MEDIUM |
|
js/event-graph.js in MISP before 2.4.169 allows XSS via the event-graph relationship tooltip.
|
|||||
| CVE-2023-1025 | 1 Simplefilelist | 1 Simple File List | 2025-02-26 | N/A | 4.8 MEDIUM |
|
The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-34791 | 1 Wpbean | 1 Wpb Elementor Addons | 2025-02-26 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpbean WPB Elementor Addons allows Stored XSS. This issue affects WPB Elementor Addons: from n/a through 1.0.9.
|
|||||
| CVE-2023-27059 | 1 Churchcrm | 1 Churchcrm | 2025-02-26 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Group Name text field.
|
|||||
| CVE-2023-28606 | 1 Misp-project | 1 Malware Information Sharing Platform | 2025-02-26 | N/A | 6.1 MEDIUM |
|
js/event-graph.js in MISP before 2.4.169 allows XSS via event-graph node tooltips.
|
|||||
| CVE-2023-27711 | 1 Typecho | 1 Typecho | 2025-02-26 | N/A | 4.8 MEDIUM |
|
Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code via the Comment Manager /admin/manage-comments.php component.
|
|||||
| CVE-2023-24278 | 1 Squidex.io | 1 Squidex | 2025-02-26 | N/A | 6.1 MEDIUM |
|
Squidex before 7.4.0 was discovered to contain a squid.svg cross-site scripting (XSS) vulnerability.
|
|||||
| CVE-2023-0370 | 1 Wpbean | 1 Wpb Advanced Faq | 2025-02-26 | N/A | 5.4 MEDIUM |
|
The WPB Advanced FAQ WordPress plugin through 1.0.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2022-45004 | 1 Getgophish | 1 Gophish | 2025-02-26 | N/A | 6.1 MEDIUM |
|
Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.
|
|||||
| CVE-2020-19947 | 1 Markdown Edit Project | 1 Markdown Edit | 2025-02-26 | N/A | 9.6 CRITICAL |
|
Cross Site Scripting vulnerability found in Markdown Edit allows a remote attacker to execute arbitrary code via the edit parameter of the webpage.
|
|||||
| CVE-2023-27131 | 1 Typecho | 1 Typecho | 2025-02-26 | N/A | 4.8 MEDIUM |
|
Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code via the Post Editor parameter.
|
|||||
| CVE-2023-27054 | 1 Mirotalk | 1 Mirotalk P2p | 2025-02-26 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in MiroTalk P2P before commit f535b35 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the settings module.
|
|||||
| CVE-2020-24857 | 1 Inex | 1 Ixp Manager | 2025-02-26 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability found in IXPManager v.5.6.0 allows attackers to execute arbitrary code via the looking glass component.
|
|||||
| CVE-2025-22261 | | | 2025-02-26 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite WP FullCalendar wp-fullcalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through 1.5.
|
|||||
| CVE-2023-0369 | 1 Gotowp | 1 Gotowp | 2025-02-26 | N/A | 5.4 MEDIUM |
|
The GoToWP WordPress plugin through 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2023-0365 | 1 React Webcam Project | 1 React Webcam | 2025-02-26 | N/A | 5.4 MEDIUM |
|
The React Webcam WordPress plugin through 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2023-0364 | 1 Real.kit Project | 1 Real.kit | 2025-02-26 | N/A | 5.4 MEDIUM |
|
The real.Kit WordPress plugin before 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2023-0145 | 1 Saan | 1 World Clock | 2025-02-26 | N/A | 5.4 MEDIUM |
|
The Saan World Clock WordPress plugin through 1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-27902 | 1 Sap | 1 Netweaver As Abap | 2025-02-26 | N/A | 5.4 MEDIUM |
|
Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious attacker to access and modify data through their ability to execute code in a user’s browser. There is no impact on the availability of the system.
|
|||||
| CVE-2024-1528 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-02-26 | N/A | 7.4 HIGH |
|
CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.
|
|||||
| CVE-2024-1304 | 1 Badgermeter | 1 Monitool | 2025-02-26 | N/A | 6.3 MEDIUM |
|
Cross-site scripting vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. This vulnerability allows a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.
|
|||||
| CVE-2024-2391 | 1 Eve-ng | 1 Eve-ng | 2025-02-26 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in EVE-NG 5.0.1-13 and classified as problematic. Affected by this issue is some unknown functionality of the component Lab Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256442 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-2319 | 1 Neutronx | 1 Markdownx | 2025-02-26 | N/A | 5.4 MEDIUM |
|
Cross-Site Scripting (XSS) vulnerability in the Django MarkdownX project, affecting version 4.0.2. An attacker could store a specially crafted JavaScript payload in the upload functionality due to lack of proper sanitisation of JavaScript elements.
|
|||||
| CVE-2024-2211 | 1 Getgophish | 1 Gophish | 2025-02-26 | N/A | 4.6 MEDIUM |
|
Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. This vulnerability could allow an attacker to store a malicious JavaScript payload in the campaign menu and trigger the payload when the campaign is removed from the menu.
|
|||||