Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1382 | 1 Lordlinus | 1 Contact Us | 2026-01-09 | N/A | 6.1 MEDIUM |
|
The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
|
|||||
| CVE-2024-9458 | 1 Reservit | 1 Reservit Hotel | 2026-01-09 | N/A | 4.8 MEDIUM |
|
The Reservit Hotel WordPress plugin before 3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-13669 | 1 Margiov | 1 Calendapp | 2026-01-09 | N/A | 6.1 MEDIUM |
|
The CalendApp WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-13352 | 1 Alwayscurious | 1 Legull | 2026-01-09 | N/A | 7.1 HIGH |
|
The Legull WordPress plugin through 1.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-13219 | 1 Waelhassan | 1 Privacy Policy Genius | 2026-01-09 | N/A | 6.1 MEDIUM |
|
The Privacy Policy Genius WordPress plugin through 2.0.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-10710 | 1 Antongorodezkiy | 1 Yadisk Files | 2026-01-09 | N/A | 3.5 LOW |
|
The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-5971 | 1 Pdfcrowd | 1 Save As Pdf | 2026-01-09 | N/A | 4.8 MEDIUM |
|
The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2025-13071 | 2026-01-09 | N/A | 7.1 HIGH | ||
|
The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
|||||
| CVE-2024-11846 | 1 Goodlayers | 1 Travel Tour | 2026-01-09 | N/A | 6.1 MEDIUM |
|
The does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2024-47356 | 1 Catchthemes | 1 Create | 2026-01-09 | N/A | 5.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Catch Themes Create allows Stored XSS.This issue affects Create: from n/a through 2.9.1.
|
|||||
| CVE-2025-22644 | 1 Themehunk | 1 Vayu Blocks | 2026-01-09 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce allows Stored XSS.This issue affects Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce: from n/a through 1.2.1.
|
|||||
| CVE-2024-33537 | 1 Themehorse | 1 Wp Portfolio | 2026-01-09 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Horse WP Portfolio allows Stored XSS.This issue affects WP Portfolio: from n/a through 2.4.
|
|||||
| CVE-2026-0586 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was detected in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file handgunner-administrator/prod.php. Performing a manipulation of the argument cat results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
|
|||||
| CVE-2024-37472 | 1 Xtendify | 1 Woffice | 2026-01-09 | N/A | 7.1 HIGH |
|
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice allows Reflected XSS.This issue affects Woffice: from n/a through 5.4.8.
|
|||||
| CVE-2024-37471 | 1 Xtendify | 1 Woffice | 2026-01-09 | N/A | 7.1 HIGH |
|
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice Core allows Reflected XSS.This issue affects Woffice Core: from n/a through 5.4.8.
|
|||||
| CVE-2024-43184 | 1 Ibm | 1 Jazz Foundation | 2026-01-09 | N/A | 6.1 MEDIUM |
|
IBM Jazz Foundation 7.0.2 through 7.0.2 iFix033, 7.0.3 through 7.0.3 iFix012, and 7.1.0 through 7.1.0 iFix002 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2025-63735 | 1 Ruckuswireless | 1 Ruckus Unleashed | 2026-01-09 | N/A | 6.1 MEDIUM |
|
A reflected Cross site scripting (XSS) vulnerability in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp.
|
|||||
| CVE-2025-64054 | 1 Fanvil | 2 X210, X210 Firmware | 2026-01-09 | N/A | 9.6 CRITICAL |
|
A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint.
|
|||||
| CVE-2023-3193 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-09 | N/A | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
|
|||||
| CVE-2023-33937 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-09 | N/A | 5.4 MEDIUM |
|
Stored cross-site scripting (XSS) vulnerability in Form widget configuration in Liferay Portal 7.1.0 through 7.3.0, and Liferay DXP 7.1 before fix pack 18, and 7.2 before fix pack 5 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's `name` field.
|
|||||
| CVE-2023-33938 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-09 | N/A | 4.8 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in the App Builder module's custom object details page in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before update 14 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's `Name` field.
|
|||||
| CVE-2025-55341 | 1 Quipux | 1 Quipux | 2026-01-08 | N/A | 6.5 MEDIUM |
|
Cross Site Scripting vulnerability in Quipux 4.0.1 through e1774ac allows anexos/anexos_nuevo.php asocImgRad.
|
|||||
| CVE-2025-60880 | 1 Webkul | 1 Bagisto | 2026-01-08 | N/A | 8.3 HIGH |
|
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
|
|||||
| CVE-2026-21451 | 1 Webkul | 1 Bagisto | 2026-01-08 | N/A | 8.4 HIGH |
|
Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity ...
Show More |
|||||
| CVE-2019-25284 | 2026-01-08 | N/A | 6.1 MEDIUM | ||
|
V-SOL GPON/EPON OLT Platform v2.03 contains multiple reflected cross-site scripting vulnerabilities due to improper input sanitization in various script parameters. Attackers can exploit these vulnerabilities by injecting malicious HTML and script code to execute arbitrary scripts in a victim's browser session.
|
|||||
| CVE-2019-25280 | 2026-01-08 | N/A | 6.1 MEDIUM | ||
|
Yahei-PHP Prober 0.4.7 contains a remote HTML injection vulnerability that allows attackers to execute arbitrary HTML code through the 'speed' GET parameter. Attackers can inject malicious HTML code in the 'speed' parameter of prober.php to trigger cross-site scripting in user browser sessions.
|
|||||
| CVE-2019-25270 | 2026-01-08 | N/A | 6.1 MEDIUM | ||
|
SOCA Access Control System 180612 contains a cross-site scripting vulnerability in the 'senddata' POST parameter of logged_page.php that allows attackers to inject malicious scripts. Attackers can exploit this weakness by sending crafted POST requests to execute arbitrary HTML and script code in a victim's browser session.
|
|||||
| CVE-2024-30201 | 1 Xylusthemes | 1 Wp Smart Import | 2026-01-08 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes WordPress Importer allows Reflected XSS.This issue affects WordPress Importer: from n/a through 1.0.4.
|
|||||
| CVE-2024-29796 | 1 Hot-themes | 1 Hot Random Image | 2026-01-08 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hot Themes Hot Random Image allows Stored XSS.This issue affects Hot Random Image: from n/a through 1.8.1.
|
|||||
| CVE-2024-29882 | 1 Ossrs | 1 Simple Realtime Server | 2026-01-08 | N/A | 7.2 HIGH |
|
SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
|
|||||
| CVE-2023-45706 | 1 Hcltech | 1 Bigfix Platform | 2026-01-08 | N/A | 2.0 LOW |
|
An administrative user of WebReports may perform a Cross Site Scripting (XSS) and/or Man in the Middle (MITM) exploit through SAML configuration.
|
|||||
| CVE-2023-49186 | 2026-01-08 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS.This issue affects Machic Core: from n/a through 1.2.6.
|
|||||
| CVE-2025-66376 | 2026-01-08 | N/A | 7.2 HIGH | ||
|
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
|
|||||
| CVE-2025-15022 | 2026-01-08 | N/A | N/A | ||
|
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.
In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.
In Vaadin 23 and newer, the Action class is only used by the Spreadsheet componen ...
Show More |
|||||
| CVE-2023-51513 | 2026-01-08 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2.
|
|||||
| CVE-2025-14830 | 2026-01-08 | N/A | 4.9 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS).This issue affects Artifactory (Workers): from >=7.94.0 through <7.117.10.
|
|||||
| CVE-2025-69084 | 2026-01-08 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 themes Photo Gallery allows Reflected XSS.This issue affects Photo Gallery: from n/a through 2.7.7.26.
|
|||||
| CVE-2024-31088 | 2026-01-08 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r – Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS.This issue affects AdsPlace'r – Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5.
|
|||||
| CVE-2025-14120 | 2026-01-08 | N/A | 6.4 MEDIUM | ||
|
The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
|
|||||
| CVE-2025-13746 | 2026-01-08 | N/A | 6.4 MEDIUM | ||
|
The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||