Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-42116 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-13 | N/A | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter. | |||||
| CVE-2022-42202 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2025-05-13 | N/A | 6.1 MEDIUM |
| TP-Link TL-WR841N 8.0 4.17.16 Build 120201 Rel.54750n is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2022-42115 | 1 Liferay | 1 Liferay Portal | 2025-05-13 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field's `Label` text field. | |||||
| CVE-2024-3710 | 1 Wpchill | 1 Image Photo Gallery Final Tiles Grid | 2025-05-13 | N/A | N/A |
| The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin | |||||
| CVE-2020-36844 | 1 Knowbe4 | 1 Security Awareness Training | 2025-05-13 | N/A | 6.1 MEDIUM |
| The KnowBe4 Security Awareness Training application before 2020-01-10 allows reflected XSS. The response has a SCRIPT element that sets window.location.href to a JavaScript URL. | |||||
| CVE-2024-3751 | 1 Castos | 1 Seriously Simple Podcasting | 2025-05-13 | N/A | N/A |
| The Seriously Simple Podcasting WordPress plugin before 3.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-3753 | 1 Kibokolabs | 1 Hostel | 2025-05-13 | N/A | N/A |
| The Hostel WordPress plugin before 1.1.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-3919 | 1 Arnesonium | 1 Openpgp Form Encryption | 2025-05-13 | N/A | N/A |
| The OpenPGP Form Encryption for WordPress plugin before 1.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-3964 | 1 Wisdmlabs | 1 Product Enquiry For Woocommerce | 2025-05-13 | N/A | N/A |
| The Product Enquiry for WooCommerce WordPress plugin before 3.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2025-0483 | 1 Native-php-cms Project | 1 Native-php-cms | 2025-05-13 | N/A | 4.6 MEDIUM |
| A vulnerability has been found in Fanli2012 native-php-cms 1.0 and classified as problematic. This vulnerability affects unknown code of the file /fladmin/jump.php. The manipulation of the argument message/error leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-29772 | 1 Open-emr | 1 Openemr | 2025-05-13 | N/A | 6.1 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. The POST parameter hidden_subcategory is output to the page without being properly processed. This leads to a reflected cross-site scripting (XSS) vul;nerability in CAMOS new.php. This vulnerability is fixed in 7.0.3. | |||||
| CVE-2024-10558 | 1 10web | 1 Form Maker | 2025-05-13 | N/A | N/A |
| The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-0613 | 1 10web | 1 Photo Gallery | 2025-05-13 | N/A | N/A |
| The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed | |||||
| CVE-2024-2218 | 1 Theluckywp | 1 Luckywp Table Of Contents | 2025-05-13 | N/A | N/A |
| The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-4271 | 1 Svgator | 1 Svgator | 2025-05-13 | N/A | N/A |
| The SVGator WordPress plugin through 1.2.6 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. | |||||
| CVE-2024-3236 | 1 Ghozylab | 1 Popup Builder | 2025-05-13 | N/A | N/A |
| The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-4305 | 1 Wpxpo | 1 Postx | 2025-05-13 | N/A | N/A |
| The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2025-43006 | 2025-05-13 | N/A | 6.1 MEDIUM | ||
| SAP Supplier Relationship Management (Master Data Management Catalogue) allows an unauthenticated attacker to execute malicious scripts in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity. | |||||
| CVE-2025-30009 | 2025-05-13 | N/A | 6.1 MEDIUM | ||
| he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim?s browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim?s browser, with no effect on availability of the application | |||||
| CVE-2025-26662 | 2025-05-13 | N/A | 4.4 MEDIUM | ||
| The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim, who is already logged in, clicks on the compromised link, the injected script gets executed within the scope of victim?s browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted. | |||||