Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9651 | 1 Fluentforms | 1 Contact Form | 2025-05-06 | N/A | N/A |
| The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-6081 | 1 Chartjs Project | 1 Chartjs | 2025-05-06 | N/A | 5.4 MEDIUM |
| The chartjs WordPress plugin through 2023.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2018-19904 | 1 Xsltcms.org Project | 1 Xsltcms.org | 2025-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent XSS exists in XSLT CMS via the create/?action=items.edit&type=Page "body" field. | |||||
| CVE-2022-40288 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.0 CRITICAL |
| The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile. | |||||
| CVE-2022-40289 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.0 CRITICAL |
| The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files. | |||||
| CVE-2022-40287 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.0 CRITICAL |
| The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in messaging functionality, leading to privilege escalation or a compromise of a targeted account. | |||||
| CVE-2022-40290 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 6.1 MEDIUM |
| The application was vulnerable to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the barcode generation functionality, allowing attackers to generate an unsafe link that could compromise users. | |||||
| CVE-2024-10679 | 1 Expresstech | 1 Quiz And Survey Master | 2025-05-06 | N/A | N/A |
| The Quiz and Survey Master (QSM) WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-1452 | 1 Favoriteposts | 1 Favorites | 2025-05-06 | N/A | N/A |
| The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-2304 | 1 Favoriteposts | 1 Favorites | 2025-05-06 | N/A | 5.4 MEDIUM |
| The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_favorites' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-12682 | 1 Brijeshk89 | 1 Smart Maintenance Mode | 2025-05-06 | N/A | N/A |
| The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2018-19918 | 1 Cuppacms | 1 Cuppacms | 2025-05-06 | 3.5 LOW | 5.4 MEDIUM |
| CuppaCMS has XSS via an SVG document uploaded to the administrator/#/component/table_manager/view/cu_views URI. | |||||
| CVE-2018-19906 | 1 Razorcms | 1 Razorcms | 2025-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS exists in razorCMS 3.4.8 via the /#/page description parameter. | |||||
| CVE-2023-52430 | 1 Authcrunch | 1 Caddy-security | 2025-05-06 | N/A | 6.1 MEDIUM |
| The caddy-security plugin 1.1.20 for Caddy allows reflected XSS via a GET request to a URL that contains an XSS payload and begins with either a /admin or /settings/mfa/delete/ substring. | |||||
| CVE-2018-19905 | 1 Razorcms | 1 Razorcms | 2025-05-06 | 3.5 LOW | 5.4 MEDIUM |
| HTML injection exists in razorCMS 3.4.8 via the /#/page keywords parameter. | |||||
| CVE-2024-12683 | 1 Brijeshk89 | 1 Smart Maintenance Mode | 2025-05-06 | N/A | N/A |
| The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-44046 | 1 Themify | 1 Woocommerce Product Filter | 2025-05-06 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themify Themify – WooCommerce Product Filter allows Stored XSS.This issue affects Themify – WooCommerce Product Filter: from n/a through 1.5.1. | |||||
| CVE-2025-4388 | 2025-05-06 | N/A | N/A | ||
| A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web. | |||||
| CVE-2018-6341 | 1 Facebook | 1 React | 2025-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2. | |||||
| CVE-2022-40487 | 1 Processwire | 1 Processwire | 2025-05-06 | N/A | 6.1 MEDIUM |
| ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload. | |||||