Total
36254 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13223 | 1 Samwilson | 1 Tabulate | 2025-05-12 | N/A | 6.1 MEDIUM |
| The Tabulate WordPress plugin through 2.10.3 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-13224 | 1 Dtelepathy | 1 Slidedeck 1 Lite Content Slider | 2025-05-12 | N/A | 6.1 MEDIUM |
| The SlideDeck 1 Lite Content Slider WordPress plugin through 1.4.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-13112 | 1 Phd38 | 1 Wp Mediatagger | 2025-05-11 | N/A | 6.1 MEDIUM |
| The WP MediaTagger WordPress plugin through 4.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-13101 | 1 Phd38 | 1 Wp Mediatagger | 2025-05-11 | N/A | 5.4 MEDIUM |
| The WP MediaTagger WordPress plugin through 4.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-12708 | 1 Ombu | 1 Bulk Me Now\! | 2025-05-11 | N/A | 7.1 HIGH |
| The Bulk Me Now! WordPress plugin through 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-12638 | 1 Ombu | 1 Bulk Me Now\! | 2025-05-11 | N/A | 7.1 HIGH |
| The Bulk Me Now! WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-10309 | 1 Data443 | 1 Tracking Code Manager | 2025-05-11 | N/A | 5.9 MEDIUM |
| The Tracking Code Manager WordPress plugin before 2.4.0 does not sanitise and escape some of its metabox settings when outputing them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. | |||||
| CVE-2024-12749 | 1 Raiserweb | 1 Competition Form | 2025-05-11 | N/A | 7.1 HIGH |
| The Competition Form WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-12807 | 1 Artlosk | 1 Social Share Buttons | 2025-05-11 | N/A | 4.8 MEDIUM |
| The Social Share Buttons for WordPress plugin through 2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-42114 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-10 | N/A | 5.4 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2022-42113 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-10 | N/A | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter. | |||||
| CVE-2024-11922 | 1 Fortra | 1 Goanywhere Managed File Transfer | 2025-05-10 | N/A | 6.3 MEDIUM |
| Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email. | |||||
| CVE-2022-25849 | 1 Hyperdown Project | 1 Hyperdown | 2025-05-09 | N/A | 5.4 MEDIUM |
| The package joyqi/hyper-down from 0.0.0 are vulnerable to Cross-site Scripting (XSS) because the module of parse markdown does not filter the href attribute very well. | |||||
| CVE-2025-46338 | 1 Audiobookshelf | 1 Audiobookshelf | 2025-05-09 | N/A | 6.1 MEDIUM |
| Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the `/api/upload` endpoint allows an attacker to perform a reflected cross-site scripting (XSS) attack by submitting malicious payloads in the `libraryId` field. The unsanitized input is reflected in the server’s error message, enabling arbitrary JavaScript execution in a victim's browser. This issue has been patched in version 2.21.0. | |||||
| CVE-2025-46343 | 1 N8n | 1 N8n | 2025-05-09 | N/A | 5.0 MEDIUM |
| n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restriction on the MIME type of uploaded files, and the MIME type could be controlled via a GET parameter. This allows the server to respond with any MIME type, potentially enabling malicious content to be interpreted and executed by the browser. An authenticated attacker with member-level permissions could exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user visits the binary data endpoint with the MIME type set to text/html, the script executes in the context of the user’s session. This script could send a request to change the user’s email address in their account settings, effectively enabling account takeover. This issue has been patched in version 1.90.0. | |||||
| CVE-2023-52059 | 1 Gestsup | 1 Gestsup | 2025-05-09 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Gestsup v3.2.46 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field. | |||||
| CVE-2022-3391 | 1 Retain | 1 Retain Live Chat | 2025-05-09 | N/A | 4.8 MEDIUM |
| The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-3350 | 1 Tech-banker | 1 Contact Bank | 2025-05-09 | N/A | 4.8 MEDIUM |
| The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-34870 | 1 Apache | 1 Geode | 2025-05-09 | N/A | 5.4 MEDIUM |
| Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. | |||||
| CVE-2024-24160 | 1 Mrcms | 1 Mrcms | 2025-05-09 | N/A | 5.4 MEDIUM |
| MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do. | |||||