Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11223 | 1 Wpforms | 1 Wpforms | 2025-05-08 | N/A | N/A |
| The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-10678 | 1 Dotcamp | 1 Ultimate Blocks | 2025-05-08 | N/A | N/A |
| The Ultimate Blocks WordPress plugin before 3.2.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-6134 | 1 Tipsandtricks-hq | 1 Wp Estore | 2025-05-08 | N/A | N/A |
| The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-6133 | 1 Tipsandtricks-hq | 1 Wp Estore | 2025-05-08 | N/A | N/A |
| The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-12566 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-05-08 | N/A | N/A |
| The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-12568 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-05-08 | N/A | N/A |
| The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-12567 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-05-08 | N/A | N/A |
| The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-11636 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-05-08 | N/A | N/A |
| The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Text Block options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-43425 | 1 Jenkins | 1 Custom Checkbox Parameter | 2025-05-08 | N/A | 5.4 MEDIUM |
| Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-2627 | 1 Tagdiv | 1 Newspaper | 2025-05-08 | N/A | 6.1 MEDIUM |
| The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-43420 | 1 Jenkins | 1 Contrast Continuous Application Security | 2025-05-08 | N/A | 5.4 MEDIUM |
| Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses. | |||||
| CVE-2024-0905 | 1 Radykal | 1 Fancy Product Designer | 2025-05-08 | N/A | N/A |
| The Fancy Product Designer WordPress plugin before 6.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against unauthenticated and admin-level users | |||||
| CVE-2024-3261 | 1 Wpchill | 1 Strong Testimonials | 2025-05-08 | N/A | N/A |
| The Strong Testimonials WordPress plugin before 3.1.12 does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be performed | |||||
| CVE-2024-2972 | 1 Premio | 1 Floating Chat Widget | 2025-05-08 | N/A | N/A |
| The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2025-2371 | 1 Phpgurukul | 1 Human Metapneumovirus Testing Management System | 2025-05-08 | N/A | 5.4 MEDIUM |
| A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /registered-user-testing.php of the component Registered Mobile Number Search. The manipulation of the argument regmobilenumber leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2375 | 1 Phpgurukul | 1 Human Metapneumovirus Testing Management System | 2025-05-08 | N/A | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. Affected is an unknown function of the file /profile.php of the component Admin Profile Page. The manipulation of the argument email leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-2310 | 1 Ljapps | 1 Wp Google Review Slider | 2025-05-08 | N/A | N/A |
| The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-2908 | 1 Callnowbutton | 1 Call Now Button | 2025-05-08 | N/A | N/A |
| The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2021-33231 | 1 Easyvista | 1 Service Manager | 2025-05-08 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in New equipment page in EasyVista Service Manager 2018.1.181.1 allows remote attackers to run arbitrary code via the notes field. | |||||
| CVE-2018-8032 | 3 Apache, Debian, Oracle | 38 Axis, Debian Linux, Agile Engineering Data Management and 35 more | 2025-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. | |||||