Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0402 | 1 Super-forms | 1 Super Forms | 2025-06-20 | N/A | 6.1 MEDIUM |
| The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bob_czy_panstwa_sprawa_zostala_rozwiazana parameter before outputting it back in an attribute via the super_language_switcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user. | |||||
| CVE-2023-6941 | 1 Keap | 1 Official Opt-in Forms | 2025-06-20 | N/A | 4.8 MEDIUM |
| The Keap Official Opt-in Forms WordPress plugin through 1.0.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). | |||||
| CVE-2023-0479 | 1 Tychesoftwares | 1 Print Invoice \& Delivery Notes For Woocommerce | 2025-06-20 | N/A | 6.1 MEDIUM |
| The Print Invoice & Delivery Notes for WooCommerce WordPress plugin before 4.7.2 is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orders page. This means that this vulnerability can be exploited for users with the edit_others_shop_orders capability. WooCommerce must be installed and active. This vulnerability is caused by a urldecode() after cleanup with esc_url_raw(), allowing double encoding. | |||||
| CVE-2023-3647 | 1 Indigitall | 1 Iurny | 2025-06-20 | N/A | 4.8 MEDIUM |
| The IURNY by INDIGITALL WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2021-24559 | 1 Patrickposner | 1 Qyrr | 2025-06-20 | N/A | 5.4 MEDIUM |
| The Qyrr WordPress plugin before 0.7 does not escape the data-uri of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks. Furthermore, the data_uri_to_meta AJAX action, available to all authenticated users, only had a CSRF check in place, with the nonce available to users with a role as low as Contributor allowing any user with such role (and above) to set a malicious data-uri in arbitrary QR Code posts, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2024-23171 | 1 Mediawiki | 1 Mediawiki | 2025-06-20 | N/A | 5.4 MEDIUM |
| An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n). | |||||
| CVE-2022-3739 | 1 Subina | 1 Wp Best Quiz | 2025-06-20 | N/A | 5.4 MEDIUM |
| The WP Best Quiz WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks. | |||||
| CVE-2023-51064 | 1 Qstar | 1 Archive Storage Manager | 2025-06-20 | N/A | 6.1 MEDIUM |
| QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based reflected XSS vulnerability within the component qnme-ajax?method=tree_table. | |||||
| CVE-2022-3829 | 1 Newnine | 1 Font Awesome 4 Menus | 2025-06-20 | N/A | 4.8 MEDIUM |
| The Font Awesome 4 Menus WordPress plugin through 4.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-3440 | 1 Ibm | 1 Security Guardium | 2025-06-20 | N/A | 5.5 MEDIUM |
| IBM Security Guardium 11.5 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2025-1155 | 1 Webkul | 1 Qloapps | 2025-06-20 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. This affects an unknown part of the file /stores of the component Your Location Search. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. It is planned to remove this page in the long term. | |||||
| CVE-2025-1114 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-06-20 | N/A | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in newbee-mall 1.0. Affected is the function save of the file /admin/categories/save of the component Add Category Page. The manipulation of the argument categoryName leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | |||||
| CVE-2023-51252 | 1 Publiccms | 1 Publiccms | 2025-06-20 | N/A | 5.4 MEDIUM |
| PublicCMS 4.0 is vulnerable to Cross Site Scripting (XSS). Because files can be uploaded and online preview function is provided, pdf files and html files containing malicious code are uploaded, an XSS popup window is realized through online viewing. | |||||
| CVE-2020-26628 | 1 Phpgurukul | 1 Hospital Management System | 2025-06-20 | N/A | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability was discovered in Hospital Management System V4.0 which allows an attacker to execute arbitrary web scripts or HTML code via a malicious payload appended to a username on the 'Edit Profile" page and triggered by another user visiting the profile. | |||||
| CVE-2025-50047 | 2025-06-20 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit allows Stored XSS. This issue affects Sitekit: from n/a through 1.9. | |||||
| CVE-2025-50019 | 2025-06-20 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sandor Kovacs Simple Sticky Footer allows Stored XSS. This issue affects Simple Sticky Footer : from n/a through 1.3.5. | |||||
| CVE-2025-50041 | 2025-06-20 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Engine Gutenberg Blocks – ACF Blocks Suite allows Stored XSS. This issue affects Gutenberg Blocks – ACF Blocks Suite: from n/a through 2.6.11. | |||||
| CVE-2025-50037 | 2025-06-20 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Buying Buddy Buying Buddy IDX CRM allows DOM-Based XSS. This issue affects Buying Buddy IDX CRM: from n/a through 2.3.0. | |||||
| CVE-2025-49873 | 2025-06-20 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Elessi allows Reflected XSS. This issue affects Elessi: from n/a through 6.3.9. | |||||
| CVE-2025-50015 | 2025-06-20 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rodrigo Bastos Hand Talk allows Stored XSS. This issue affects Hand Talk: from n/a through 6.0. | |||||