Total
36252 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5002 | 1 Plugin-planet | 1 User Submitted Posts | 2025-05-13 | N/A | 4.8 MEDIUM |
| The User Submitted Posts WordPress plugin before 20240516 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-5151 | 1 Toolstack | 1 Sully | 2025-05-13 | N/A | 7.1 HIGH |
| The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-5442 | 1 Imagely | 1 Nextgen Gallery | 2025-05-13 | N/A | 5.9 MEDIUM |
| The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-5472 | 1 Holoborodko | 1 Wp Quicklatex | 2025-05-13 | N/A | 7.1 HIGH |
| The WP QuickLaTeX WordPress plugin before 3.8.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-5575 | 1 Metaphorcreations | 1 Ditty | 2025-05-13 | N/A | 4.7 MEDIUM |
| The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2024-29812 | 1 Wpdeveloper | 1 Reviewx | 2025-05-13 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReviewX allows Stored XSS.This issue affects ReviewX: from n/a through 1.6.22. | |||||
| CVE-2024-29811 | 1 Softlabbd | 1 Radio Player | 2025-05-13 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SoftLab Radio Player allows Stored XSS.This issue affects Radio Player: from n/a through 2.0.73. | |||||
| CVE-2024-29807 | 1 Dearhive | 1 Dearflip | 2025-05-13 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DearHive DearFlip allows Stored XSS.This issue affects DearFlip: from n/a through 2.2.26. | |||||
| CVE-2024-29806 | 1 Reservationdiary | 1 Redi Restaurant Reservation | 2025-05-13 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Reservation Diary ReDi Restaurant Reservation allows Reflected XSS.This issue affects ReDi Restaurant Reservation: from n/a through 24.0128. | |||||
| CVE-2024-29805 | 1 Shopup | 1 Shipping With Venipak For Woocommerce | 2025-05-13 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShopUp Shipping with Venipak for WooCommerce allows Reflected XSS.This issue affects Shipping with Venipak for WooCommerce: from n/a through 1.19.5. | |||||
| CVE-2024-5627 | 1 Tournamatch | 1 Tournamatch | 2025-05-13 | N/A | 5.4 MEDIUM |
| The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks. | |||||
| CVE-2024-5644 | 1 Tournamatch | 1 Tournamatch | 2025-05-13 | N/A | 5.4 MEDIUM |
| The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-29804 | 1 Heateor | 1 Fancy Comments | 2025-05-13 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Team Heateor Fancy Comments WordPress allows Stored XSS.This issue affects Fancy Comments WordPress: from n/a through 1.2.14. | |||||
| CVE-2024-6938 | 1 B3log | 1 Siyuan | 2025-05-13 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in SiYuan 3.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file PDF.js of the component PDF Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-271993 was assigned to this vulnerability. | |||||
| CVE-2025-22142 | 1 Namelessmc | 1 Nameless | 2025-05-13 | N/A | 5.4 MEDIUM |
| NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field and users can inject javascript code into it that would be activated once a staffer visits the user's profile on staff panel. As a result an attacker can execute javascript code on the staffer's computer. This issue has been addressed in version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-42202 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2025-05-13 | N/A | 6.1 MEDIUM |
| TP-Link TL-WR841N 8.0 4.17.16 Build 120201 Rel.54750n is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2022-42116 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-13 | N/A | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter. | |||||
| CVE-2022-42115 | 1 Liferay | 1 Liferay Portal | 2025-05-13 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field's `Label` text field. | |||||
| CVE-2024-3710 | 1 Wpchill | 1 Image Photo Gallery Final Tiles Grid | 2025-05-13 | N/A | 6.8 MEDIUM |
| The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin | |||||
| CVE-2024-26450 | 1 Piwigo | 1 Piwigo | 2025-05-13 | N/A | 5.4 MEDIUM |
| An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener. | |||||