Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9111 | 1 Quantumcloud | 1 Wpbot | 2025-11-13 | N/A | 3.5 LOW |
|
The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-6711 | 1 Vollstart | 1 Event Tickets With Ticket Scanner | 2025-11-13 | N/A | 3.5 LOW |
|
The Event Tickets with Ticket Scanner WordPress plugin before 2.3.8 does not sanitise and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks
|
|||||
| CVE-2024-4091 | 1 Bdwm | 1 Responsive Gallery Grid | 2025-11-13 | N/A | 3.5 LOW |
|
The Responsive Gallery Grid WordPress plugin before 2.3.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2024-4004 | 1 Bracketspace | 1 Advanced Cron Manager | 2025-11-13 | N/A | 3.5 LOW |
|
The Advanced Cron Manager WordPress plugin before 2.5.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-4002 | 1 Techearty | 1 Carousel\, Slider\, Gallery By Wp Carousel | 2025-11-13 | N/A | 3.5 LOW |
|
The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3996 | 1 Shapedplugin | 1 Smart Post Show | 2025-11-13 | N/A | 3.5 LOW |
|
The Smart Post Show WordPress plugin before 2.4.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3901 | 1 Wpengine | 1 Genesis Blocks | 2025-11-13 | N/A | 6.8 MEDIUM |
|
The Genesis Blocks WordPress plugin through 3.1.3 does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the contributor role) to conduct Stored XSS attacks.
|
|||||
| CVE-2024-0852 | 1 Dev4press | 1 Coreactivity | 2025-11-13 | N/A | 8.8 HIGH |
|
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored XSS attack against high privilege users such as admin
|
|||||
| CVE-2024-6942 | 1 Thinksaas | 1 Thinksaas | 2025-11-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, was found in ThinkSAAS 3.7.0. Affected is an unknown function of the file app/system/action/anti.php of the component Admin Panel Security Center. The manipulation of the argument ip/email/phone leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272064.
|
|||||
| CVE-2025-5757 | 1 Carmelo | 1 Traffic Offense Reporting System | 2025-11-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in code-projects Traffic Offense Reporting System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /save-reported.php. The manipulation of the argument offence_id/vehicle_no/driver_license/name/address/gender/officer_reporting/offence leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-6575 | 1 Dolusoft | 1 Omaspot | 2025-11-13 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dolusoft Omaspot allows Reflected XSS.This issue affects Omaspot: before 12.09.2025.
|
|||||
| CVE-2024-6941 | 1 Thinksaas | 1 Thinksaas | 2025-11-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in ThinkSAAS 3.7.0. This issue affects some unknown processing of the file app/system/action/do.php. The manipulation of the argument site_title/site_subtitle/site_key/site_desc/site_url/site_email/site_icp leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272063.
|
|||||
| CVE-2025-5651 | 1 Carmelo | 1 Traffic Offense Reporting System | 2025-11-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in code-projects Traffic Offense Reporting System 1.0. This issue affects some unknown processing of the file saveuser.php. The manipulation of the argument user_id/username/email/name/position leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-5661 | 1 Carmelo | 1 Traffic Offense Reporting System | 2025-11-13 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part of the file /save-settings.php of the component Setting Handler. The manipulation of the argument site_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-5770 | 1 Wso2 | 3 Api Control Plane, Api Manager, Identity Server | 2025-11-13 | N/A | 6.1 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks.
Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected ...
Show More |
|||||
| CVE-2025-10853 | 1 Wso2 | 9 Api Control Plane, Api Manager, Enterprise Integrator and 6 more | 2025-11-13 | N/A | 5.2 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.
Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates ...
Show More |
|||||
| CVE-2025-61623 | 1 Apache | 1 Ofbiz | 2025-11-13 | N/A | 6.5 MEDIUM |
|
Reflected cross-site scripting vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
|
|||||
| CVE-2024-9411 | 1 Ofcms Project | 1 Ofcms | 2025-11-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic has been found in OFCMS 1.1.2. This affects the function add of the file /admin/system/dict/add.json?sqlid=system.dict.save. The manipulation of the argument dict_value leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-27084 | 1 Arubanetworks | 1 Arubaos | 2025-11-12 | N/A | 5.4 MEDIUM |
|
A vulnerability in the Captive Portal of an AOS-10 GW and AOS-8 Controller/Mobility Conductor could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack. Successful exploitation could enable the attacker to execute arbitrary script code in the victim's browser within the context of the affected interface.
|
|||||
| CVE-2025-26395 | 1 Solarwinds | 1 Observability Self-hosted | 2025-11-12 | N/A | 7.1 HIGH |
|
SolarWinds Observability Self-Hosted
was susceptible to a cross-site scripting (XSS) vulnerability due to an unsanitized field in the URL. The attack requires authentication using an administrator-level account and user interaction is required.
|
|||||
| CVE-2025-30511 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 8.8 HIGH |
|
An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant.
|
|||||
| CVE-2025-61417 | 1 Tastyigniter | 1 Tastyigniter | 2025-11-12 | N/A | 8.8 HIGH |
|
Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials.
|
|||||
| CVE-2025-54806 | 1 Weseek | 1 Growi | 2025-11-12 | N/A | 6.1 MEDIUM |
|
GROWI v4.2.7 and earlier contains a cross-site scripting vulnerability in the page alert function. If a user accesses a crafted URL while logged in to the affected product, an arbitrary script may be executed on the user's web browser.
|
|||||
| CVE-2025-12486 | 2025-11-12 | N/A | 8.8 HIGH | ||
|
Heimdall Data Database Proxy Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Heimdall Data Database Proxy. Minimal user interaction is required to exploit this vulnerability.
The specific flaw exists within the handling of the database event logs. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker ca ...
Show More |
|||||
| CVE-2025-12520 | 2025-11-12 | N/A | 4.0 MEDIUM | ||
|
The WP Airbnb Review Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2 due to insufficient URL validation that allows users to pull in a malicious HTML file. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installat ...
Show More |
|||||
| CVE-2025-54167 | 2025-11-12 | N/A | N/A | ||
|
A cross-site scripting (XSS) vulnerability has been reported to affect Notification Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions:
Notification Center 2.1.0.3443 and later
Notification Center 1.9.2.3163 and later
Notification Center 3.0.0.3466 and later
|
|||||
| CVE-2025-11860 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The Twitter Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ottwitter_feed' shortcode in all versions up to, and including, 1.3.1. This is due to the plugin not properly sanitizing user input and output of the 'width' and 'height' parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-11829 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The Five9 Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'toolbar' attribute of the [five9-chat] shortcode in all versions up to, and including, 1.1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-12125 | 2025-11-12 | N/A | 4.4 MEDIUM | ||
|
The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations w ...
Show More |
|||||
| CVE-2025-12837 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-11805 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The Skip to Timestamp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skipto' shortcode in all versions up to, and including, 1.4.4. This is due to insufficient input sanitization and output escaping on the 'time' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-64501 | 2025-11-12 | N/A | 7.6 HIGH | ||
|
ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use `prosemirror_to_html` to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end u ...
Show More |
|||||
| CVE-2025-11873 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The WP BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-11856 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The Eventbee Ticketing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eventbeeticketwidget' shortcode in all versions up to, and including, 1.0. This is due to the plugin not properly sanitizing user input and output of several parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-11822 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The WP Bootstrap Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bootstrap_tab' shortcode in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-11863 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The My Geo Posts Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mygeo_city' shortcode in all versions up to, and including, 1.2. This is due to the plugin not properly sanitizing user input or escaping output of the 'default' shortcode attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-11129 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api' and 'type' parameters in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-11828 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The Magazine Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headerHtmlTag' attribute in the bnm-blocks/featured-posts-1 block in all versions up to, and including, 1.2.3. This is due to insufficient input sanitization and output escaping when using user-supplied values as HTML tag names. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user acces ...
Show More |
|||||
| CVE-2025-12643 | 2025-11-12 | N/A | 6.4 MEDIUM | ||
|
The Saphali LiqPay for donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saphali_liqpay' shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-12193 | 2025-11-12 | N/A | 6.1 MEDIUM | ||
|
The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||