Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10724 | 1 Phpipam | 1 Phpipam | 2025-05-28 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2, specifically in the Subnet NAT translations section when editing the Destination address. This vulnerability allows an attacker to execute malicious code. The issue is fixed in version 1.7.0. | |||||
| CVE-2024-10719 | 1 Phpipam | 1 Phpipam | 2025-05-28 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in phpipam version 1.5.2, specifically in the circuits options functionality. This vulnerability allows an attacker to inject malicious scripts via the 'option' parameter in the POST request to /phpipam/app/admin/circuits/edit-options-submit.php. The injected script can be executed in the context of the user's browser, leading to potential cookie theft and end-user file disclosure. The issue is fixed in version 1.7.0. | |||||
| CVE-2025-46335 | 1 Opensecurity | 1 Mobile Security Framework | 2025-05-28 | N/A | 5.4 MEDIUM |
| Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper sanitization of user-supplied SVG files during the Android APK analysis workflow. Version 4.3.3 fixes the issue. | |||||
| CVE-2024-0427 | 1 Reputeinfosystems | 1 Arforms | 2025-05-28 | N/A | N/A |
| The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.4.1 does not properly escape user-controlled input when it is reflected in some of its AJAX actions. | |||||
| CVE-2024-4669 | 1 Nicheaddons | 1 Events Addon For Elementor | 2025-05-28 | N/A | 5.4 MEDIUM |
| The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Basic Slider, Upcoming Events, and Schedule widgets in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-6487 | 1 Theluckywp | 1 Luckywp Table Of Contents | 2025-05-28 | N/A | 5.4 MEDIUM |
| The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Header Title' field in all versions up to and including 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2024-2953 | 1 Theluckywp | 1 Luckywp Table Of Contents | 2025-05-28 | N/A | 4.8 MEDIUM |
| The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-2119 | 1 Theluckywp | 1 Luckywp Table Of Contents | 2025-05-28 | N/A | 6.1 MEDIUM |
| The LuckyWP Table of Contents plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the attrs parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-1805 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 5.4 MEDIUM |
| The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1841 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 5.4 MEDIUM |
| The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1842 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 5.4 MEDIUM |
| The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Heading tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1840 | 1 Wpbakery | 1 Page Builder | 2025-05-28 | N/A | 5.4 MEDIUM |
| The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Author tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-7084 | 1 Wp-dreams | 1 Ajax Search | 2025-05-28 | N/A | N/A |
| The Ajax Search Lite WordPress plugin before 4.12.1 does not sanitise and escape some parameters, which could allow users with a role as low as Admin+ to perform Cross-Site Scripting attacks. | |||||
| CVE-2024-6481 | 1 Codeamp | 1 Search \& Filter | 2025-05-28 | N/A | N/A |
| The Search & Filter Pro WordPress plugin before 2.5.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-9462 | 1 Ays-pro | 1 Poll Maker | 2025-05-28 | N/A | 4.8 MEDIUM |
| The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Stored Cross-Site Scripting via poll settings in all versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2024-3600 | 1 Ays-pro | 1 Poll Maker | 2025-05-28 | N/A | 6.1 MEDIUM |
| The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page. | |||||
| CVE-2025-3487 | 1 Wpmudev | 1 Forminator Forms | 2025-05-28 | N/A | 5.4 MEDIUM |
| The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘limit’ parameter in all versions up to, and including, 1.42.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-2162 | 1 Mappresspro | 1 Mappress | 2025-05-28 | N/A | N/A |
| The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-2061 | 1 Fabianros | 1 Online Ticket Reservation System | 2025-05-28 | N/A | 6.1 MEDIUM |
| A vulnerability was found in code-projects Online Ticket Reservation System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /passenger.php. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0348 | 1 Campcodes | 1 Deped Equipment Inventory System | 2025-05-28 | N/A | 5.4 MEDIUM |
| A vulnerability was found in CampCodes DepEd Equipment Inventory System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /data/add_employee.php. The manipulation of the argument data leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||