Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13379 | 1 Covertnine | 1 C9 Admin Dashboard | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The C9 Admin Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
|
|||||
| CVE-2024-13388 | 1 Tcoderbd | 1 Tcbd Tooltip | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The TCBD Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcbdtooltip_text' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-52612 | 1 Solarwinds | 1 Solarwinds Platform | 2025-02-25 | N/A | 6.8 MEDIUM |
|
SolarWinds Platform is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. This vulnerability requires authentication by a high- privileged account to be exploitable.
|
|||||
| CVE-2024-13672 | 1 Minicoursegenerator | 1 Mini Course Generator | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The Mini Course Generator | Embed mini-courses and interactive content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mcg' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13751 | 1 Webdevocean | 1 3d Photo Gallery | 2025-02-25 | N/A | 6.4 MEDIUM |
|
The 3D Photo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'des[]' parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-22815 | 1 Bplugins | 1 Button Block | 2025-02-25 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LLC Button Block allows Stored XSS.This issue affects Button Block: from n/a through 1.1.6.
|
|||||
| CVE-2025-23110 | 1 Vanderbilt | 1 Redcap | 2025-02-25 | N/A | 6.1 MEDIUM |
|
An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload.
|
|||||
| CVE-2025-23111 | 1 Vanderbilt | 1 Redcap | 2025-02-25 | N/A | 4.7 MEDIUM |
|
An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent.
|
|||||
| CVE-2025-21627 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.
|
|||||
| CVE-2025-23112 | 1 Vanderbilt | 1 Redcap | 2025-02-25 | N/A | 6.1 MEDIUM |
|
An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receive the survey, if he clicks on the field name, it triggers the XSS payload.
|
|||||
| CVE-2024-29130 | 1 Wpplugin | 1 Paypal \& Stripe Add-on | 2025-02-25 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on allows Reflected XSS.This issue affects Contact Form 7 – PayPal & Stripe Add-on: from n/a through 2.0.
|
|||||
| CVE-2024-29134 | 1 Themefic | 1 Tourfic | 2025-02-25 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Tourfic allows Stored XSS.This issue affects Tourfic: from n/a through 2.11.8.
|
|||||
| CVE-2025-26993 | 2025-02-25 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vito Peleg Atarim allows Reflected XSS. This issue affects Atarim: from n/a through 4.1.0.
|
|||||
| CVE-2025-26991 | 2025-02-25 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS. This issue affects WPPizza: from n/a through 3.19.4.
|
|||||
| CVE-2025-26981 | 2025-02-25 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in accessiBe Web Accessibility By accessiBe allows Reflected XSS. This issue affects Web Accessibility By accessiBe: from n/a through 2.5.
|
|||||
| CVE-2025-26980 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wired Impact Wired Impact Volunteer Management allows Stored XSS. This issue affects Wired Impact Volunteer Management: from n/a through 2.5.
|
|||||
| CVE-2025-26962 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Easy Contact Form Lite allows Stored XSS. This issue affects Easy Contact Form Lite : from n/a through 1.1.25.
|
|||||
| CVE-2025-26952 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Business Card Block allows Stored XSS. This issue affects Business Card Block: from n/a through 1.0.5.
|
|||||
| CVE-2025-26949 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Team Section Block allows Stored XSS. This issue affects Team Section Block: from n/a through 1.0.9.
|
|||||
| CVE-2025-26947 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Services Section block allows Stored XSS. This issue affects Services Section block: from n/a through 1.3.4.
|
|||||
| CVE-2025-26945 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Info Cards – Gutenberg block for creating Beautiful Cards allows Stored XSS. This issue affects Info Cards – Gutenberg block for creating Beautiful Cards: from n/a through 1.0.5.
|
|||||
| CVE-2025-26939 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Counters Block allows Stored XSS. This issue affects Counters Block: from n/a through 1.1.2.
|
|||||
| CVE-2025-26938 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Countdown Timer allows Stored XSS. This issue affects Countdown Timer: from n/a through 1.2.6.
|
|||||
| CVE-2025-26937 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Icon List Block allows Stored XSS. This issue affects Icon List Block: from n/a through 1.1.3.
|
|||||
| CVE-2025-26913 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webandprint AR For WordPress allows DOM-Based XSS. This issue affects AR For WordPress: from n/a through 7.7.
|
|||||
| CVE-2025-26912 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Easy Elementor Addons allows Stored XSS. This issue affects Easy Elementor Addons: from n/a through 2.1.6.
|
|||||
| CVE-2025-26907 | 2025-02-25 | N/A | 7.5 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Estatik Mortgage Calculator Estatik allows Stored XSS. This issue affects Mortgage Calculator Estatik: from n/a through 2.0.12.
|
|||||
| CVE-2025-26904 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gal_op WP Responsive Auto Fit Text allows DOM-Based XSS. This issue affects WP Responsive Auto Fit Text: from n/a through 0.2.
|
|||||
| CVE-2025-26897 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Baden List Related Attachments allows DOM-Based XSS. This issue affects List Related Attachments: from n/a through 2.1.6.
|
|||||
| CVE-2025-26896 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vpiwigo PiwigoPress allows Stored XSS. This issue affects PiwigoPress: from n/a through 2.33.
|
|||||
| CVE-2025-26893 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kiran Potphode Easy Charts allows DOM-Based XSS. This issue affects Easy Charts: from n/a through 1.2.3.
|
|||||
| CVE-2025-26891 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VW THEMES Ibtana allows Stored XSS. This issue affects Ibtana: from n/a through 1.2.4.9.
|
|||||
| CVE-2025-26887 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup allows Stored XSS. This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through 5.21.35.
|
|||||
| CVE-2025-26882 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Popup Builder allows Stored XSS. This issue affects Popup Builder: from n/a through 1.1.33.
|
|||||
| CVE-2025-26881 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Sticky Content allows Stored XSS. This issue affects Sticky Content: from n/a through 1.0.1.
|
|||||
| CVE-2025-26878 | 2025-02-25 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in patternsinthecloud Autoship Cloud for WooCommerce Subscription Products allows DOM-Based XSS. This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through 2.8.0.1.
|
|||||
| CVE-2025-26868 | 2025-02-25 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fastflow Fast Flow allows Reflected XSS. This issue affects Fast Flow: from n/a through 1.2.16.
|
|||||
| CVE-2025-26751 | 2025-02-25 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood Alphabetic Pagination allows Reflected XSS. This issue affects Alphabetic Pagination: from n/a through 3.2.1.
|
|||||
| CVE-2024-29138 | 1 Dev.institute | 1 Restrict User Access | 2025-02-25 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DEV Institute Restrict User Access – Membership Plugin with Force allows Reflected XSS.This issue affects Restrict User Access – Membership Plugin with Force: from n/a through 2.5.
|
|||||
| CVE-2024-13749 | 1 Era404 | 1 Stafflist | 2025-02-25 | N/A | 6.1 MEDIUM |
|
The StaffList plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing or incorrect nonce validation on the 'stafflist' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||