Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13363 | 1 Raptive | 1 Raptive Ads | 2025-02-26 | N/A | 6.1 MEDIUM |
|
The Raptive Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'poc' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-6810 | | | 2025-02-26 | N/A | 4.4 MEDIUM |
|
The Quiz Organizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
|
|||||
| CVE-2024-0435 | 1 Mintplexlabs | 1 Anythingllm | 2025-02-25 | N/A | 5.4 MEDIUM |
|
User can send a chat that contains an XSS opportunity that will then run when the chat is sent and on subsequent page loads.
Given the minimum requirement for a user to send a chat is to be given access to a workspace via an admin the risk is low. Additionally, the location in which the XSS renders is only limited to the user who submits the XSS.
Ultimately, this attack is limited to the user attacking themselves. There is no anonymous chat submission unless the user does not take the minimum ...
|
|||||
| CVE-2024-13135 | 1 Emlog | 1 Emlog | 2025-02-25 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability has been found in Emlog Pro 2.4.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/twitter.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-9702 | 1 Wpsocialrocket | 1 Social Rocket | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialrocket-floating' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-49633 | 1 Designinvento | 1 Directorypress | 2025-02-25 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress allows Reflected XSS. This issue affects DirectoryPress: from n/a through 3.6.19.
|
|||||
| CVE-2024-56288 | 1 Androidbubble | 1 Wp Docs | 2025-02-25 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood WP Docs allows Stored XSS. This issue affects WP Docs: from n/a through 2.2.1.
|
|||||
| CVE-2024-13132 | 1 Emlog | 1 Emlog | 2025-02-25 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in Emlog Pro up to 2.4.3. This vulnerability affects unknown code of the file /admin/article.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-12475 | 1 Wpexperts | 1 Wp Multi Store Locator | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-11930 | 1 Taskbuilder | 1 Taskbuilder | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Taskbuilder – WordPress Project & Task Management plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppm_tasks shortcode in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-0175 | 1 Anisha | 1 Online Shop | 2025-02-25 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in code-projects Online Shop 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /view.php. The manipulation of the argument name/details leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-1024 | 1 Churchcrm | 1 Churchcrm | 2025-02-25 | N/A | 4.8 MEDIUM |
|
A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application.
|
|||||
| CVE-2023-28670 | 1 Jenkins | 1 Pipeline Aggregator View | 2025-02-25 | N/A | 5.4 MEDIUM |
|
Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.
|
|||||
| CVE-2023-28666 | 1 Pluginus | 1 Inpost Gallery | 2025-02-25 | N/A | 5.4 MEDIUM |
|
The InPost Gallery WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability in the 'imgurl' parameter to the add_inpost_gallery_slide_item action, which can only be triggered by an authenticated user.
|
|||||
| CVE-2023-28664 | 1 Pluginus | 1 Wordpress Meta Data And Taxonomies Filter | 2025-02-25 | N/A | 5.4 MEDIUM |
|
The Meta Data and Taxonomies Filter WordPress plugin, in versions < 1.3.1, is affected by a reflected cross-site scripting vulnerability in the 'tax_name' parameter of the mdf_get_tax_options_in_widget action, which can only be triggered by an authenticated user.
|
|||||
| CVE-2023-28331 | 1 Moodle | 1 Moodle | 2025-02-25 | N/A | 6.1 MEDIUM |
|
Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.
|
|||||
| CVE-2024-13849 | 1 Dcurasi | 1 Cookie Notice Bar | 2025-02-25 | N/A | 5.5 MEDIUM |
|
The Cookie Notice Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
|
|||||
| CVE-2024-13748 | 1 Webcodingplace | 1 Ultimate Classified Listings | 2025-02-25 | N/A | 4.4 MEDIUM |
|
The Ultimate Classified Listings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title parameter in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has b ...
|
|||||
| CVE-2025-1064 | 1 Xootix | 1 Login/signup Popup | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's xoo_el_action shortcode in all versions up to, and including, 2.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-0897 | 1 Wow-company | 1 Modal Window | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Modal Window – create popup modal window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 6.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-26010 | 1 Amauri | 1 Wpmobile.app | 2025-02-25 | N/A | 5.9 MEDIUM |
|
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPMobile.App plugin <= 11.18 versions.
|
|||||
| CVE-2024-35694 | 1 Amauri | 1 Wpmobile.app | 2025-02-25 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMobile.App allows Reflected XSS. This issue affects WPMobile.App: from n/a through 11.41.
|
|||||
| CVE-2023-28932 | 1 Amauri | 1 Wpmobile.app | 2025-02-25 | N/A | 5.9 MEDIUM |
|
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPMobile.App WPMobile.App — Android and iOS Mobile Application plugin <= 11.20 versions.
|
|||||
| CVE-2023-22702 | 1 Amauri | 1 Wpmobile.app | 2025-02-25 | N/A | 6.5 MEDIUM |
|
Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in WPMobile.App WPMobile.App — Android and iOS Mobile Application plugin <= 11.13 versions.
|
|||||
| CVE-2024-13155 | 1 Unlimited-elements | 1 Unlimited Elements For Elementor | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Transparent Split Hero widget in all versions up to, and including, 1.5.140 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: Since the widge ...
|
|||||
| CVE-2024-13445 | 1 Elementor | 1 Website Builder | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the border, margin and gap parameters in all versions up to, and including, 3.27.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-0916 | 1 Yaycommerce | 1 Yaysmtp | 2025-02-25 | N/A | 7.2 HIGH |
|
The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced ...
|
|||||
| CVE-2023-28678 | 1 Jenkins | 1 Cppcheck | 2025-02-25 | N/A | 5.4 MEDIUM |
|
Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.
|
|||||
| CVE-2023-28669 | 1 Jenkins | 1 Jacoco | 2025-02-25 | N/A | 5.4 MEDIUM |
|
Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.
|
|||||
| CVE-2025-24680 | 1 Wpexperts | 1 Wp Multi Store Locator | 2025-02-25 | N/A | 7.1 HIGH |
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WpMultiStoreLocator WP Multi Store Locator allows Reflected XSS. This issue affects WP Multi Store Locator: from n/a through 2.4.7.
|
|||||
| CVE-2024-9601 | 1 Themeum | 1 Qubely | 2025-02-25 | N/A | 6.5 MEDIUM |
|
The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ and 'UniqueID' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-23857 | 1 Smartdatasoft | 1 Essential Wp Real Estate | 2025-02-25 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Essential WP Real Estate allows Reflected XSS. This issue affects Essential WP Real Estate: from n/a through 1.1.3.
|
|||||
| CVE-2024-13644 | 1 Detheme | 1 Dethemekit For Elementor | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's De Gallery widget in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-0506 | 1 Eaglevisionit | 1 Rise Blocks | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the titleTag parameter in all versions up to, and including, 3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-28665 | 1 Technocrackers | 1 Bulk Price Update For Woocommerce | 2025-02-25 | N/A | 5.4 MEDIUM |
|
The Woo Bulk Price Update WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability in the 'page' parameter to the techno_get_products action, which can only be triggered by an authenticated user.
|
|||||
| CVE-2025-22697 | 1 Cyberchimps | 1 Responsive Blocks | 2025-02-25 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks allows Reflected XSS. This issue affects Responsive Blocks: from n/a through 1.9.9.
|
|||||
| CVE-2024-6432 | 1 Vanderwijk | 1 Content Blocks | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter within the plugin's shortcode Content Block in all versions up to, and including, 3.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13456 | 1 Najeebmedia | 1 Easy Quiz Maker | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Easy Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wqt-question' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-11746 | 1 Gsplugins | 1 Woocommerce Brands | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Discover the Best Woocommerce Product Brands Plugin for WordPress – Woocommerce Brands Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'product_brand' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever ...
|
|||||
| CVE-2025-1328 | 1 Mrlegend1235 | 1 Typed Js | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Typed JS: A typewriter style animation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘typespeed’ parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||