Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26131 | 1 Algernon Project | 1 Algernon | 2025-01-09 | N/A | 5.4 MEDIUM |
|
All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/themes are vulnerable to Cross-site Scripting (XSS) via the themes.NoPage(filename, theme) function due to improper user input sanitization. Exploiting this vulnerability is possible when a file/resource is not found.
|
|||||
| CVE-2024-10308 | 1 Jegtheme | 1 Jeg Elementor Kit | 2025-01-09 | N/A | 6.4 MEDIUM |
|
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's JKit - Countdown widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-26842 | 1 Churchcrm | 1 Churchcrm | 2025-01-09 | N/A | 5.4 MEDIUM |
|
A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the OptionManager.php.
|
|||||
| CVE-2023-23954 | 1 Broadcom | 2 Advanced Secure Gateway, Content Analysis | 2025-01-09 | N/A | 5.4 MEDIUM |
|
Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Stored Cross-Site Scripting vulnerability.
|
|||||
| CVE-2024-49038 | 1 Microsoft | 1 Copilot Studio | 2025-01-09 | N/A | 9.3 CRITICAL |
|
Improper neutralization of input during web page generation ('Cross-site Scripting') in Copilot Studio by an unauthorized attacker leads to elevation of privilege over a network.
|
|||||
| CVE-2023-2023 | 1 Kunalnagar | 1 Custom 404 Pro | 2025-01-09 | N/A | 6.1 MEDIUM |
|
The Custom 404 Pro WordPress plugin before 3.7.3 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.
|
|||||
| CVE-2023-33764 | 1 Simpleredak | 1 Simpleredak | 2025-01-09 | N/A | 5.4 MEDIUM |
|
eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component #/de/casting/show/detail/<ID>.
|
|||||
| CVE-2023-30758 | 1 Pleasanter | 1 Pleasanter | 2025-01-09 | N/A | 5.4 MEDIUM |
|
Cross-site scripting vulnerability in Pleasanter 1.3.38.1 and earlier allows a remote authenticated attacker to inject an arbitrary script.
|
|||||
| CVE-2023-23913 | 2025-01-09 | N/A | 6.3 MEDIUM | ||
|
There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
|
|||||
| CVE-2024-4452 | 1 Wpmet | 1 Elementskit | 2025-01-09 | N/A | 6.4 MEDIUM |
|
The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1463 | 1 Thimpress | 1 Learnpress | 2025-01-09 | N/A | 4.4 MEDIUM |
|
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Course, Lesson, and Quiz title and content in all versions up to, and including, 4.2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with LP Instructor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-28106 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | N/A | 4.3 MEDIUM |
|
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. This vulnerability is fixed in 3.2.6.
|
|||||
| CVE-2024-2181 | 1 Wpzoom | 1 Beaver Builder Addons | 2025-01-09 | N/A | 6.4 MEDIUM |
|
The Beaver Builder Addons by WPZOOM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2183 | 1 Wpzoom | 1 Beaver Builder Addons | 2025-01-09 | N/A | 6.4 MEDIUM |
|
The Beaver Builder Addons by WPZOOM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Heading widget in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-30424 is likely a duplicate of this issue.
|
|||||
| CVE-2024-27300 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | N/A | 5.5 MEDIUM |
|
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The `email` field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks due to the inadequacy of PHP's `FILTER_VALIDATE_EMAIL` function, which only validates the email format, not its content. This vulnerability enables an attacker to execute arbitrary client-side JavaScript within the context of another user's phpMyFAQ session. This vulnerability is fixed in 3.2.6.
|
|||||
| CVE-2024-2187 | 1 Wpzoom | 1 Beaver Builder Addons | 2025-01-09 | N/A | 6.4 MEDIUM |
|
The Beaver Builder Addons by WPZOOM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonials widget in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-28175 | 1 Argoproj | 1 Argo Cd | 2025-01-09 | N/A | 9.0 CRITICAL |
|
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the s ...
Show More |
|||||
| CVE-2024-2492 | 1 Ideabox | 1 Powerpack Addons For Elementor | 2025-01-09 | N/A | 6.4 MEDIUM |
|
The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Twitter Tweet widget in all versions up to, and including, 2.7.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-28108 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | N/A | 4.7 MEDIUM |
|
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. _Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ._ This vulnerability is fixed in 3.2.6.
|
|||||
| CVE-2024-29179 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | N/A | 4.8 MEDIUM |
|
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS attacks.
|
|||||
| CVE-2025-22827 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joomag. WP Joomag allows DOM-Based XSS.This issue affects WP Joomag: from n/a through 2.5.2.
|
|||||
| CVE-2025-22826 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpecommerce, wp.insider Sell Digital Downloads allows Stored XSS.This issue affects Sell Digital Downloads: from n/a through 2.2.7.
|
|||||
| CVE-2025-22824 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lucia Intelisano Live Flight Radar allows Stored XSS.This issue affects Live Flight Radar: from n/a through 1.0.
|
|||||
| CVE-2025-22823 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Twerdy Genesis Style Shortcodes allows DOM-Based XSS.This issue affects Genesis Style Shortcodes: from n/a through 1.0.
|
|||||
| CVE-2025-22822 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bishawjit Das wp custom countdown allows Stored XSS.This issue affects wp custom countdown: from n/a through 2.8.
|
|||||
| CVE-2025-22821 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vfthemes StorePress allows DOM-Based XSS.This issue affects StorePress: from n/a through 1.0.12.
|
|||||
| CVE-2025-22820 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Walmsley VR Views allows Stored XSS.This issue affects VR Views: from n/a through 1.5.1.
|
|||||
| CVE-2025-22819 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 4wpbari Qr Code and Barcode Scanner Reader allows Stored XSS.This issue affects Qr Code and Barcode Scanner Reader: from n/a through 1.0.0.
|
|||||
| CVE-2025-22818 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in S3Bubble S3Player – WooCommerce & Elementor Integration allows Stored XSS.This issue affects S3Player – WooCommerce & Elementor Integration: from n/a through 4.2.1.
|
|||||
| CVE-2025-22817 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Venutius BP Profile Shortcodes Extra allows Stored XSS.This issue affects BP Profile Shortcodes Extra: from n/a through 2.6.0.
|
|||||
| CVE-2025-22813 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ChatBot for WordPress - WPBot Conversational Forms for ChatBot allows Stored XSS.This issue affects Conversational Forms for ChatBot: from n/a through 1.4.2.
|
|||||
| CVE-2025-22812 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FlickDevs News Ticker Widget for Elementor allows Stored XSS.This issue affects News Ticker Widget for Elementor: from n/a through 1.3.2.
|
|||||
| CVE-2025-22811 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Modeltheme MT Addons for Elementor allows Stored XSS.This issue affects MT Addons for Elementor: from n/a through 1.0.6.
|
|||||
| CVE-2025-22810 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CBB Team Content Blocks Builder allows Stored XSS.This issue affects Content Blocks Builder: from n/a through 2.7.6.
|
|||||
| CVE-2025-22809 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gravity Master PDF Catalog Woocommerce allows DOM-Based XSS.This issue affects PDF Catalog Woocommerce: from n/a through 2.0.
|
|||||
| CVE-2025-22808 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Surbma Surbma | Premium WP allows DOM-Based XSS.This issue affects Surbma | Premium WP: from n/a through 9.0.
|
|||||
| CVE-2025-22807 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robert Peake Responsive Flickr Slideshow allows Stored XSS.This issue affects Responsive Flickr Slideshow: from n/a through 2.6.0.
|
|||||
| CVE-2025-22805 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePoints Skill Bar allows Stored XSS.This issue affects Skill Bar: from n/a through 1.2.
|
|||||
| CVE-2025-22804 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paul Bearne Author Avatars List/Block allows Stored XSS.This issue affects Author Avatars List/Block: from n/a through 2.1.23.
|
|||||
| CVE-2025-22803 | 2025-01-09 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Advanced Product Information for WooCommerce allows Stored XSS.This issue affects Advanced Product Information for WooCommerce: from n/a through 1.1.4.
|
|||||