Total
36792 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3788 | 1 Jsite | 1 Jsite | 2025-04-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in baseweb JSite 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /a/sys/user/save. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-41447 | 1 Alkacon | 1 Opencms | 2025-04-23 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function. | |||||
| CVE-2024-45799 | 1 Rathena | 1 Fluxcp | 2025-04-23 | N/A | 7.3 HIGH |
| FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a result all logged in to fluxcp users can have their session info stolen. This issue has been addressed in release version 1.3. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-28199 | 1 Phlex | 1 Phlex | 2025-04-23 | N/A | 7.1 HIGH |
| phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`. | |||||
| CVE-2022-4765 | 1 Pwrplugins | 1 Portfolio For Elementor | 2025-04-23 | N/A | 5.4 MEDIUM |
| The Portfolio for Elementor WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | |||||
| CVE-2025-29512 | 1 Nodebb | 1 Nodebb | 2025-04-23 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database. | |||||
| CVE-2024-1720 | 1 Wpeverest | 1 User Registration \& Membership | 2025-04-23 | N/A | 4.7 MEDIUM |
| The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution. | |||||
| CVE-2025-29513 | 1 Nodebb | 1 Nodebb | 2025-04-23 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator. | |||||
| CVE-2023-5243 | 1 Login Screen Manager Project | 1 Login Screen Manager | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Login Screen Manager WordPress plugin through 3.5.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-5229 | 1 E2pdf | 1 E2pdf | 2025-04-23 | N/A | 4.8 MEDIUM |
| The E2Pdf WordPress plugin before 1.20.20 does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2023-4823 | 1 Prasadkirpekar | 1 Wp Meta And Date Remover | 2025-04-23 | N/A | 5.4 MEDIUM |
| The WP Meta and Date Remover WordPress plugin before 2.2.0 provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site Scripting. | |||||
| CVE-2023-4390 | 1 Ays-pro | 1 Popup Box | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-3245 | 1 Premio | 1 Chaty | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-37519 | 1 Hcltech | 1 Bigfix Platform | 2025-04-23 | N/A | 7.7 HIGH |
| Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. This XSS vulnerability is in the Download Status Report, which is served by the BigFix Server. | |||||
| CVE-2022-43369 | 1 Phpgurukul | 1 Auto\/taxi Stand Management System | 2025-04-23 | N/A | 6.1 MEDIUM |
| AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php. | |||||
| CVE-2022-37406 | 1 Ricoh | 2 Aficio Sp 4210n, Aficio Sp 4210n Firmware | 2025-04-23 | N/A | 4.8 MEDIUM |
| Cross-site scripting vulnerability in Aficio SP 4210N firmware versions prior to Web Support 1.05 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script. | |||||
| CVE-2020-36656 | 1 Brainstormforce | 1 Spectra | 2025-04-23 | N/A | 5.4 MEDIUM |
| The Spectra WordPress plugin before 1.15.0 does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks. | |||||
| CVE-2025-3421 | 1 Wpeverest | 1 Everest Forms | 2025-04-23 | N/A | 6.1 MEDIUM |
| The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-4310 | 1 Ofofonobsdev | 1 Hubbank | 2025-04-23 | N/A | 6.3 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover. | |||||
| CVE-2017-18591 | 1 Dev4press | 1 Gd Rating System | 2025-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php. | |||||