Total
36088 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48131 | 2025-05-19 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from n/a through 2.0.0. | |||||
| CVE-2025-3888 | 2025-05-19 | N/A | 6.4 MEDIUM | ||
| The Jupiter X Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File inclusion in all versions up to, and including, 4.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the included SVG file. | |||||
| CVE-2025-2892 | 2025-05-19 | N/A | 6.4 MEDIUM | ||
| The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post Meta Description and Canonical URL parameters in all versions up to, and including, 4.8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-4610 | 2025-05-19 | N/A | 6.4 MEDIUM | ||
| The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-4669 | 2025-05-19 | N/A | 6.4 MEDIUM | ||
| The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpbc shortcode in all versions up to, and including, 10.11.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-3715 | 2025-05-19 | N/A | 6.4 MEDIUM | ||
| The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-32999 | 2025-05-19 | N/A | 5.4 MEDIUM | ||
| Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product. | |||||
| CVE-2025-4805 | 2025-05-19 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS. This vulnerability requires an authenticated administrator session to a locally managed Firebox. This issue affects Fireware OS: from 12.0 through 12.11.1. | |||||
| CVE-2024-1958 | 1 Wpb Show Core Project | 1 Wpb Show Core | 2025-05-19 | N/A | 4.8 MEDIUM |
| The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users | |||||
| CVE-2024-1956 | 1 Wpb Show Core Project | 1 Wpb Show Core | 2025-05-19 | N/A | 6.1 MEDIUM |
| The wpb-show-core WordPress plugin before 2.7 does not sanitise and escape the parameters before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2024-1292 | 1 Wpb Show Core Project | 1 Wpb Show Core | 2025-05-19 | N/A | 4.7 MEDIUM |
| The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2023-48903 | 1 Tramyardg | 1 Autoexpress | 2025-05-19 | N/A | 6.1 MEDIUM |
| Stored Cross-Site Scripting (XSS) vulnerability in tramyardg autoexpress 1.3.0, allows remote unauthenticated attackers to inject arbitrary web script or HTML within parameter "imgType" via in uploadCarImages.php. | |||||
| CVE-2024-26466 | 1 Web-platform-tests | 1 Web-platform-tests | 2025-05-19 | N/A | 6.1 MEDIUM |
| A DOM based cross-site scripting (XSS) vulnerability in the component /dom/ranges/Range-test-iframe.html of web-platform-tests/wpt before commit 938e843 allows attackers to execute arbitrary Javascript via sending a crafted URL. | |||||
| CVE-2025-4099 | 1 Sizeable | 1 List Children | 2025-05-19 | N/A | 6.4 MEDIUM |
| The List Children plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list_children' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-57776 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.6 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2024-57774 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2024-57773 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2024-57771 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2024-57772 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2024-12587 | 1 Edmonparker | 1 Contact Form Master | 2025-05-17 | N/A | 6.1 MEDIUM |
| The Contact Form Master WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||