Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6725 | 1 Strategy11 | 1 Formidable Forms | 2025-02-05 | N/A | 4.9 MEDIUM |
|
The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ parameter in all versions up to, and including, 6.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with form editing permissions and Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user acc ...
Show More |
|||||
| CVE-2023-27090 | 1 Teacms Project | 1 Teacms | 2025-02-05 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting vulnerability found in TeaCMS storage allows attacker to cause a leak of sensitive information via the article title parameter.
|
|||||
| CVE-2022-48150 | 1 Shopware | 1 Shopware | 2025-02-05 | N/A | 6.1 MEDIUM |
|
Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the recovery/install/ URI.
|
|||||
| CVE-2024-32584 | 1 Standalonetech | 1 Terawallet | 2025-02-05 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StandaloneTech TeraWallet – For WooCommerce allows Stored XSS.This issue affects TeraWallet – For WooCommerce: from n/a through 1.5.0.
|
|||||
| CVE-2024-45454 | 1 Unlimited-elements | 1 Unlimited Elements For Elementor | 2025-02-05 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Reflected XSS.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.121.
|
|||||
| CVE-2024-3559 | 1 Custom Field Suite Project | 1 Custom Field Suite | 2025-02-05 | N/A | 6.4 MEDIUM |
|
The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfs[post_content]' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-47332 | 1 Wowdevs | 1 Sky Addons For Elementor | 2025-02-05 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wowDevs Sky Addons for Elementor allows Stored XSS.This issue affects Sky Addons for Elementor: from n/a through 2.5.11.
|
|||||
| CVE-2024-12597 | 1 Hasthemes | 1 Ht Mega | 2025-02-05 | N/A | 6.4 MEDIUM |
|
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_css' and 'inner_css' parameters in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-52471 | 1 Idioweb | 1 Extensions For Elementor | 2025-02-05 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in petesheppard84 Extensions for Elementor allows Reflected XSS.This issue affects Extensions for Elementor: from n/a through 2.0.37.
|
|||||
| CVE-2024-8442 | 1 Bdthemes | 1 Prime Slider | 2025-02-05 | N/A | 6.4 MEDIUM |
|
The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Blog widget in all versions up to, and including, 3.15.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesse ...
Show More |
|||||
| CVE-2024-50433 | 1 Wowdevs | 1 Sky Addons For Elementor | 2025-02-05 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wowDevs Sky Addons for Elementor allows Stored XSS.This issue affects Sky Addons for Elementor: from n/a through 2.5.15.
|
|||||
| CVE-2024-11204 | 1 Ultimatemember | 1 Forumwp | 2025-02-05 | N/A | 6.1 MEDIUM |
|
The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-10879 | 1 Ultimatemember | 1 Forumwp | 2025-02-05 | N/A | 6.1 MEDIUM |
|
The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-4370 | 1 Wpzoom | 1 Wpzoom Elementor Addons | 2025-02-05 | N/A | 6.4 MEDIUM |
|
The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget Image Box in all versions up to, and including, 1.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-5646 | 1 Futuriowp | 1 Futurio Extra | 2025-02-05 | N/A | 6.4 MEDIUM |
|
The Futurio Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘header_size’ attribute within the Advanced Text Block widget in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-53786 | 1 Codeless | 1 Cowidgets Elementor Addons | 2025-02-05 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeless Cowidgets – Elementor Addons allows Stored XSS.This issue affects Cowidgets – Elementor Addons: from n/a through 1.2.0.
|
|||||
| CVE-2024-3731 | 1 Cusrev | 1 Customer Reviews For Woocommerce | 2025-02-05 | N/A | 6.1 MEDIUM |
|
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 5.47.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-22752 | 1 Gsheetconnector | 1 Gsheetconnector For Forminator Forms | 2025-02-05 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GSheetConnector GSheetConnector for Forminator Forms allows Reflected XSS.This issue affects GSheetConnector for Forminator Forms: from n/a through 1.0.11.
|
|||||
| CVE-2024-13583 | 1 Come2theweb | 1 Simple Gallery With Filter | 2025-02-05 | N/A | 6.4 MEDIUM |
|
The Simple Gallery with Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'c2tw_sgwf' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13354 | 1 Cyberchimps | 1 Responsive Addons | 2025-02-05 | N/A | 6.4 MEDIUM |
|
The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tags in several widgets in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13542 | 1 Agenceseo | 1 Wp Google Street View | 2025-02-05 | N/A | 6.4 MEDIUM |
|
The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpgsv' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected p ...
Show More |
|||||
| CVE-2024-13572 | 1 Nfusionsolutions | 1 Precious Metals Charts And Widgets | 2025-02-05 | N/A | 6.4 MEDIUM |
|
The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-0542 | 1 Blackbirdi | 1 Custom Post Type List Shortcode | 2025-02-04 | N/A | 5.4 MEDIUM |
|
The Custom Post Type List Shortcode WordPress plugin through 1.4.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2023-0514 | 1 Membership Database Project | 1 Membership Database | 2025-02-04 | N/A | 6.1 MEDIUM |
|
The Membership Database WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2023-0280 | 1 Topdigitaltrends | 1 Ultimate Carousel For Elementor | 2025-02-04 | N/A | 5.4 MEDIUM |
|
The Ultimate Carousel For Elementor WordPress plugin through 2.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2024-1510 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_tooltip shortcode in all versions up to, and including, 7.0.2 due to insufficient input sanitization and output escaping on user supplied attributes and user supplied tags. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected pa ...
Show More |
|||||
| CVE-2024-1081 | 1 3dflipbook | 1 3d Flipbook | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The 3D FlipBook – PDF Flipbook WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bookmark feature in all versions up to, and including, 1.15.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-29113 | 1 Metagauss | 1 Registrationmagic | 2025-02-04 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS.This issue affects RegistrationMagic: from n/a through 5.2.5.9.
|
|||||
| CVE-2025-0350 | 1 Elegantthemes | 1 Carousel Maker For Divi | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The Divi Carousel Maker – Image, Logo, Testimonial, Post Carousel & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Carousel and Logo Carousel in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an ...
Show More |
|||||
| CVE-2023-0948 | 1 Artisanworkshop | 1 Japanized For Woocommerce | 2025-02-04 | N/A | 6.1 MEDIUM |
|
The Japanized For WooCommerce WordPress plugin before 2.5.8 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting
|
|||||
| CVE-2024-13441 | 1 Ylefebvre | 1 Bilingual Linker | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The Bilingual Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bl_otherlang_link_1 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13458 | 1 Notice | 1 Notice Faq | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an inject ...
Show More |
|||||
| CVE-2024-13467 | 1 Mr-kalathiya | 1 Wp Contect Form7 Email Spam Blocker | 2025-02-04 | N/A | 6.1 MEDIUM |
|
The WP Contact Form7 Email Spam Blocker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-12334 | 1 Codexpert | 1 Wc Affiliate | 2025-02-04 | N/A | 6.1 MEDIUM |
|
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-13548 | 1 Wppug | 1 Power Ups For Elementor | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-30788 | 1 Monicahq | 1 Monica | 2025-02-04 | N/A | 5.4 MEDIUM |
|
MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people/add` endpoint and nickName, description, lastName, middleName and firstName parameter.
|
|||||
| CVE-2024-13470 | 1 Ninjaforms | 1 Ninja Forms | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.8.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13586 | 1 Dineshrawat | 1 Masy Gallery | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The Masy Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'justified-gallery' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13599 | 1 Thimpress | 1 Learnpress | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated attackers, with LP Instructor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-10847 | 1 Sellerthemes | 1 Storely | 2025-02-04 | N/A | 6.4 MEDIUM |
|
The Storely theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 16.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||