Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-1684 | 1 Themeisle | 1 Otter Blocks | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form file field CSS metabox in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1409 | 1 Properfraction | 1 Profilepress | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [reg-select-role] shortcode in all versions up to, and including, 4.15.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pag ...
Show More |
|||||
| CVE-2024-1234 | 1 Exclusiveaddons | 1 Exclusive Addons For Elementor | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-0614 | 1 Pixelite | 1 Events Manager | 2025-01-23 | N/A | 4.4 MEDIUM |
|
The Events Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.4.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has b ...
Show More |
|||||
| CVE-2024-25597 | 1 Etoilewebdesign | 1 Ultimate Reviews | 2025-01-23 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Etoile Web Design Ultimate Reviews allows Stored XSS.This issue affects Ultimate Reviews: from n/a through 3.2.8.
|
|||||
| CVE-2024-25596 | 1 Doofinder | 1 Doofinder | 2025-01-23 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Doofinder Doofinder for WooCommerce allows Stored XSS.This issue affects Doofinder for WooCommerce: from n/a through 2.1.8.
|
|||||
| CVE-2024-25593 | 1 Basixonline | 1 Nex-forms | 2025-01-23 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms – Ultimate Form Builder allows Stored XSS.This issue affects NEX-Forms – Ultimate Form Builder: from n/a through 8.5.5.
|
|||||
| CVE-2024-25592 | 1 Wpmudev | 1 Broken Link Checker | 2025-01-23 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Broken Link Checker allows Stored XSS.This issue affects Broken Link Checker: from n/a through 2.2.3.
|
|||||
| CVE-2024-2399 | 1 Leap13 | 1 Premium Addons For Elementor | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.10.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2841 | 1 Themeisle | 1 Otter Blocks | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping on user supplied attributes such as 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injecte ...
Show More |
|||||
| CVE-2024-2256 | 1 Bobbingwide | 1 Oik | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The oik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes such as bw_contact_button and bw_button shortcodes in all versions up to, and including, 4.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-27986 | 1 Livemeshelementor | 1 Addons For Elementor | 2025-01-23 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Elementor Addons by Livemesh allows Stored XSS.This issue affects Elementor Addons by Livemesh: from n/a through 8.3.5.
|
|||||
| CVE-2024-2108 | 1 Ninjaforms | 1 Ninja Forms | 2025-01-23 | N/A | 4.6 MEDIUM |
|
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-25101 | 1 Wpmaspik | 1 Maspik | 2025-01-23 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yonifre Maspik – Spam Blacklist allows Stored XSS.This issue affects Maspik – Spam Blacklist: from n/a through 0.10.6.
|
|||||
| CVE-2024-2113 | 1 Ninjaforms | 1 Ninja Forms | 2025-01-23 | N/A | 4.3 MEDIUM |
|
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX action. This makes it possible for unauthenticated attackers to trigger an export of a form's submission to a publicly accessible location via a forged request granted they can trick a site administrator into performing an actio ...
Show More |
|||||
| CVE-2024-25099 | 1 Paytium | 1 Paytium | 2025-01-23 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David de Boer Paytium: Mollie payment forms & donations allows Stored XSS.This issue affects Paytium: Mollie payment forms & donations: from n/a through 4.4.2.
|
|||||
| CVE-2024-25097 | 1 Themencode | 1 Tnc Pdf Viewer | 2025-01-23 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode LLC TNC PDF viewer allows Stored XSS.This issue affects TNC PDF viewer: from n/a through 2.8.0.
|
|||||
| CVE-2023-31544 | 1 Alkacon | 1 Opencms | 2025-01-23 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module.
|
|||||
| CVE-2023-46596 | 1 Algosec | 1 Fireflow | 2025-01-23 | N/A | 5.1 MEDIUM |
|
Improper input validation in Algosec FireFlow VisualFlow workflow editor via Name, Description and Configuration File field in version A32.20, A32.50, A32.60 permits an attacker to initiate an XSS attack by injecting malicious executable scripts into the application's code. Fixed in version A32.20 (b600 and above), A32.50 (b430 and above), A32.60 (b250 and above)
|
|||||
| CVE-2024-10388 | 1 Welaunch | 1 Wordpress Gdpr | 2025-01-23 | N/A | 7.2 HIGH |
|
The WordPress GDPR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_firstname' and 'gdpr_lastname' parameters in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-50514 | 1 Ninjaforms | 1 Ninja Forms | 2025-01-23 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms allows Stored XSS.This issue affects Ninja Forms: from n/a through 3.8.16.
|
|||||
| CVE-2024-50515 | 1 Ninjaforms | 1 Ninja Forms | 2025-01-23 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms allows Stored XSS.This issue affects Ninja Forms: from n/a through 3.8.16.
|
|||||
| CVE-2024-1997 | 1 Leap13 | 1 Premium Addons | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_fbchat_app_id' parameter of the Messenger Chat Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2237 | 1 Leap13 | 1 Premium Addons | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Global Badge module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2239 | 1 Leap13 | 1 Premium Addons | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Premium Magic Scroll module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1996 | 1 Leap13 | 1 Premium Addons | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's IHover widget link in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2000 | 1 Leap13 | 1 Premium Addons | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'navigation_dots' parameter of the Multi Scroll Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2238 | 1 Leap13 | 1 Premium Addons | 2025-01-23 | N/A | 6.4 MEDIUM |
|
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Mouse Cursor module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-23960 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in basteln3rk Save & Import Image from URL allows Reflected XSS. This issue affects Save & Import Image from URL: from n/a through 0.7.
|
|||||
| CVE-2025-23894 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tatsuya Fukata, Alexander Ovsov wp-flickr-press allows Reflected XSS. This issue affects wp-flickr-press: from n/a through 2.6.4.
|
|||||
| CVE-2025-23836 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SuryaBhan Custom Coming Soon allows Reflected XSS. This issue affects Custom Coming Soon: from n/a through 2.2.
|
|||||
| CVE-2025-23835 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Legal + allows Reflected XSS. This issue affects Legal +: from n/a through 1.0.
|
|||||
| CVE-2025-23834 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Links/Problem Reporter allows Reflected XSS. This issue affects Links/Problem Reporter: from n/a through 2.6.0.
|
|||||
| CVE-2025-23733 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sayocode SC Simple Zazzle allows Reflected XSS. This issue affects SC Simple Zazzle: from n/a through 1.1.6.
|
|||||
| CVE-2025-23730 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound FLX Dashboard Groups allows Reflected XSS. This issue affects FLX Dashboard Groups: from n/a through 0.0.7.
|
|||||
| CVE-2025-23729 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fures XTRA Settings allows Reflected XSS. This issue affects XTRA Settings: from n/a through 2.1.8.
|
|||||
| CVE-2025-23727 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound AZ Content Finder allows Reflected XSS. This issue affects AZ Content Finder: from n/a through 0.1.
|
|||||
| CVE-2025-23725 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TaskMeister Accessibility Task Manager allows Reflected XSS. This issue affects Accessibility Task Manager: from n/a through 1.2.1.
|
|||||
| CVE-2025-23724 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oleksandr Ustymenko University Quizzes Online allows Reflected XSS. This issue affects University Quizzes Online: from n/a through 1.4.
|
|||||
| CVE-2025-23723 | 2025-01-23 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plestar Inc Plestar Directory Listing allows Reflected XSS. This issue affects Plestar Directory Listing: from n/a through 1.0.
|
|||||