Total
34649 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-10368 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 4.8 MEDIUM |
An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement. | |||||
CVE-2018-10313 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 5.4 MEDIUM |
WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI. | |||||
CVE-2018-17426 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 5.4 MEDIUM |
WUZHI CMS 4.1.0 has stored XSS via the "Extension module" "SMS in station" field under the index.php?m=core URI. | |||||
CVE-2018-11549 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in WUZHI CMS 4.1.0. There is a Stored XSS Vulnerability in "Account Settings -> Member Centre -> Chinese information -> Ordinary member" via a QQ number, as demonstrated by a form[qq_10]= substring. | |||||
CVE-2020-19897 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter. | |||||
CVE-2018-18938 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 4.8 MEDIUM |
An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via an ontoggle attribute to details/open/ within a second input field. | |||||
CVE-2018-10311 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the tag[pinyin] parameter to the /index.php?m=tags&f=index&v=add URI. | |||||
CVE-2019-9107 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
XSS exists in WUZHI CMS 4.1.0 via index.php?m=attachment&f=imagecut&v=init&imgurl=[XSS] to coreframe/app/attachment/imagecut.php. | |||||
CVE-2018-10391 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 4.8 MEDIUM |
An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email parameter to the index.php?m=member&v=register URI. | |||||
CVE-2024-1331 | 1 Wpdarko | 1 Team Members | 2025-05-05 | N/A | N/A |
The Team Members WordPress plugin before 5.3.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks. | |||||
CVE-2024-1333 | 1 Wpdarko | 1 Responsive Pricing Table | 2025-05-05 | N/A | N/A |
The Responsive Pricing Table WordPress plugin before 5.1.11 does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the related shortcode is embedded, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks. | |||||
CVE-2024-1658 | 1 Wpdarko | 1 Grid Shortcodes | 2025-05-05 | N/A | N/A |
The Grid Shortcodes WordPress plugin before 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
CVE-2023-7085 | 1 Sterlinghamilton | 1 Scalable Vector Graphics (svg) | 2025-05-05 | N/A | N/A |
The Scalable Vector Graphics (SVG) WordPress plugin through 3.4 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
CVE-2022-2473 | 1 Wp-useronline Project | 1 Wp-useronline | 2025-05-05 | N/A | 4.8 MEDIUM |
The WP-UserOnline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'templates[browsingpage][text]' parameter in versions up to, and including, 2.87.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative capabilities and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html is disabled. | |||||
CVE-2022-2515 | 1 Simple Banner Project | 1 Simple Banner | 2025-05-05 | N/A | 5.4 MEDIUM |
The Simple Banner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `pro_version_activation_code` parameter in versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, including those without administrative capabilities when access is granted to those users, to inject arbitrary web scripts in pages that will execute whenever a user role having access to "Simple Banner" accesses the plugin's settings. | |||||
CVE-2022-35155 | 1 Phpgurukul | 1 Bus Pass Management System | 2025-05-05 | N/A | 6.1 MEDIUM |
Bus Pass Management System v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the searchdata parameter. | |||||
CVE-2022-2941 | 1 Wp-useronline Project | 1 Wp-useronline | 2025-05-05 | N/A | 4.8 MEDIUM |
The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the "Naming Conventions" section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
CVE-2022-1822 | 1 Zephyr Project Manager Project | 1 Zephyr Project Manager | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘project’ parameter in versions up to, and including, 3.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
CVE-2022-24227 | 1 Boltwire | 1 Boltwire | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
A cross-site scripting (XSS) vulnerability in BoltWire v7.10 and v8.00 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the name and lastname parameters. | |||||
CVE-2022-21719 | 1 Glpi-project | 1 Glpi | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds. |