Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4455 | 1 Yithemes | 1 Yith Woocommerce Ajax Search | 2025-04-04 | N/A | 6.1 MEDIUM |
| The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘item’ parameter in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-51994 | 1 Combodo | 1 Itop | 2025-04-04 | N/A | 5.4 MEDIUM |
| Combodo iTop is a web based IT Service Management tool. In affected versions uploading a text file containing some java script in the portal will trigger an Cross-site Scripting (XSS) vulnerability. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2020-11023 | 7 Debian, Drupal, Fedoraproject and 4 more | 60 Debian Linux, Drupal, Fedora and 57 more | 2025-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |||||
| CVE-2022-4480 | 1 Holithemes | 1 Click To Chat | 2025-04-04 | N/A | 5.4 MEDIUM |
| The Click to Chat WordPress plugin before 3.18.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | |||||
| CVE-2024-1134 | 1 Seopress | 1 Seopress | 2025-04-04 | N/A | 5.4 MEDIUM |
| The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SEO title and description parameters as well as others in all versions up to, and including, 7.5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-23637 | 1 Unistra | 1 Impatient | 2025-04-04 | N/A | 7.6 HIGH |
| IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information. | |||||
| CVE-2023-22296 | 1 Ate-mahoroba | 6 Maho-pbx Netdevancer, Maho-pbx Netdevancer Firmware, Maho-pbx Netdevancer Mobilegate and 3 more | 2025-04-04 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability in MAHO-PBX NetDevancer series MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allows a remote unauthenticated attacker to inject an arbitrary script. | |||||
| CVE-2022-45613 | 1 Book Store Management System Project | 1 Book Store Management System | 2025-04-04 | N/A | 5.4 MEDIUM |
| Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the publisher parameter. | |||||
| CVE-2024-1332 | 1 Brainstormforce | 1 Custom Fonts | 2025-04-04 | N/A | 5.4 MEDIUM |
| The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5060 | 1 Kapasias | 1 Lottiefiles | 2025-04-04 | N/A | 5.4 MEDIUM |
| The LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.10.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5220 | 1 Nicdark | 1 Nd Shortcodes | 2025-04-04 | N/A | 5.4 MEDIUM |
| The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-1548 | 1 Iteachyou | 1 Dreamer Cms | 2025-04-04 | N/A | 4.6 MEDIUM |
| A vulnerability was found in iteachyou Dreamer CMS 4.1.3. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/archives/edit. The manipulation of the argument editorValue/answer/content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-32136 | 2025-04-04 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in activecampaign ActiveCampaign allows Stored XSS. This issue affects ActiveCampaign: from n/a through 8.1.16. | |||||
| CVE-2025-32190 | 2025-04-04 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smartwpress Musician's Pack for Elementor allows DOM-Based XSS. This issue affects Musician's Pack for Elementor: from n/a through 1.8.4. | |||||
| CVE-2025-32181 | 2025-04-04 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fast Simon Search, Filters & Merchandising for WooCommerce allows Stored XSS. This issue affects Search, Filters & Merchandising for WooCommerce: from n/a through 3.0.57. | |||||
| CVE-2025-32187 | 2025-04-04 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Quý Lê 91 Administrator Z allows DOM-Based XSS. This issue affects Administrator Z: from n/a through 2025.03.04. | |||||
| CVE-2025-32183 | 2025-04-04 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Galaxy Weblinks Video Playlist For YouTube allows Stored XSS. This issue affects Video Playlist For YouTube: from n/a through 6.6. | |||||
| CVE-2025-32129 | 2025-04-04 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Migitation, Inc. Welcome Bar allows Stored XSS. This issue affects Welcome Bar: from n/a through 2.0.4. | |||||
| CVE-2025-32168 | 2025-04-04 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeYatri Gutenify allows Stored XSS. This issue affects Gutenify: from n/a through 1.4.9. | |||||
| CVE-2022-39195 | 1 Lsoft | 1 Listserv | 2025-04-04 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the c parameter. | |||||