Total
36257 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3350 | 1 Tech-banker | 1 Contact Bank | 2025-05-09 | N/A | 4.8 MEDIUM |
| The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-34870 | 1 Apache | 1 Geode | 2025-05-09 | N/A | 5.4 MEDIUM |
| Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. | |||||
| CVE-2024-24160 | 1 Mrcms | 1 Mrcms | 2025-05-09 | N/A | 5.4 MEDIUM |
| MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do. | |||||
| CVE-2024-13860 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-09 | N/A | 6.4 MEDIUM |
| The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bbp_topic_title’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41. | |||||
| CVE-2024-13859 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-09 | N/A | 6.4 MEDIUM |
| The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bp_nouveau_ajax_media_save’ function in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41. | |||||
| CVE-2022-31468 | 1 Open-xchange | 1 Ox App Suite | 2025-05-09 | N/A | 6.1 MEDIUM |
| OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter. | |||||
| CVE-2024-0239 | 1 Ari-soft | 1 Contact Form 7 Connector | 2025-05-09 | N/A | 6.1 MEDIUM |
| The Contact Form 7 Connector WordPress plugin before 1.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators. | |||||
| CVE-2022-23179 | 1 Themehunk | 1 Contact Form \& Lead Form Elementor Builder | 2025-05-09 | N/A | 4.8 MEDIUM |
| The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2024-3628 | 1 Dwalliance | 1 Easyevent | 2025-05-09 | N/A | 3.8 LOW |
| The EasyEvent WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2022-43018 | 1 Opencats | 1 Opencats | 2025-05-09 | N/A | 6.1 MEDIUM |
| OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function. | |||||
| CVE-2022-43017 | 1 Opencats | 1 Opencats | 2025-05-09 | N/A | 6.1 MEDIUM |
| OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component. | |||||
| CVE-2022-43016 | 1 Opencats | 1 Opencats | 2025-05-09 | N/A | 6.1 MEDIUM |
| OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the callback component. | |||||
| CVE-2022-43015 | 1 Opencats | 1 Opencats | 2025-05-09 | N/A | 6.1 MEDIUM |
| OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the entriesPerPage parameter. | |||||
| CVE-2022-38901 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-09 | N/A | 5.4 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file. | |||||
| CVE-2024-2695 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 6.4 MEDIUM |
| The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.13 due to insufficient input sanitization and output escaping on user supplied attributes such as 'borderradius' and 'timestamp'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1450 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 6.4 MEDIUM |
| The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'align'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-0966 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 6.4 MEDIUM |
| The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes like 'info_text'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks the information icon. | |||||
| CVE-2024-29109 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jan-Peter Lambeck & 3UU Shariff Wrapper allows Stored XSS.This issue affects Shariff Wrapper: from n/a through 4.6.10. | |||||
| CVE-2023-6500 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 6.4 MEDIUM |
| The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'secondarycolor' and 'maincolor'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-6067 | 1 Wpeventsmanager | 1 User Profile Avatar | 2025-05-09 | N/A | 5.4 MEDIUM |
| The WP User Profile Avatar WordPress plugin through 1.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||