Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48489 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 4.8 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to insufficient data validation and sanitization during data reception. This issue has been patched in version 1.8.180. | |||||
| CVE-2025-48875 | 1 Freescout | 1 Freescout | 2025-06-04 | N/A | 5.4 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181. | |||||
| CVE-2024-4419 | 1 Pjaudiomv | 1 Fetch Jft | 2025-06-04 | N/A | 4.0 MEDIUM |
| The Fetch JFT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2025-4943 | 1 La-studioweb | 1 Element Kit For Elementor | 2025-06-04 | N/A | 5.4 MEDIUM |
| The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-lakit-element-link’ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5236 | 1 Ninjateam | 1 Chat For Telegram | 2025-06-04 | N/A | 5.4 MEDIUM |
| The NinjaTeam Chat for Telegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5235 | 1 Opensheetmusicdisplay | 1 Opensheetmusicdisplay | 2025-06-04 | N/A | 5.4 MEDIUM |
| The OpenSheetMusicDisplay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1103 | 1 Codeastro | 1 Real Estate Management System | 2025-06-04 | N/A | 5.4 MEDIUM |
| A vulnerability was found in CodeAstro Real Estate Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file profile.php of the component Feedback Form. The manipulation of the argument Your Feedback with the input <img src=x onerror=alert(document.cookie)> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252458 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-10076 | 1 Automattic | 2 Jetpack, Jetpack Boost | 2025-06-04 | N/A | N/A |
| The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and above users to perform Stored XSS attacks | |||||
| CVE-2024-13238 | 1 Typogrify Project | 1 Typogrify | 2025-06-04 | N/A | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Typogrify allows Cross-Site Scripting (XSS).This issue affects Typogrify: from 0.0.0 before 1.3.0. | |||||
| CVE-2024-13237 | 1 File Entity Project | 1 File Entity | 2025-06-04 | N/A | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS).This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38. | |||||
| CVE-2024-8851 | 1 Codepeople | 1 Polls Cp | 2025-06-04 | N/A | N/A |
| The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup). | |||||
| CVE-2024-8854 | 1 Codepeople | 1 Polls Cp | 2025-06-04 | N/A | N/A |
| The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup). | |||||
| CVE-2023-5932 | 1 Travelpayouts | 1 Travelpayouts | 2025-06-04 | N/A | N/A |
| The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2025-3742 | 1 Dfactory | 1 Responsive Lightbox | 2025-06-04 | N/A | N/A |
| The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-5529 | 1 Pagevisitcounter | 1 Advanced Page Visit Counter | 2025-06-04 | N/A | N/A |
| The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-2696 | 1 Swiftideas | 1 Swift Framework | 2025-06-04 | N/A | N/A |
| The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-2870 | 1 Swiftideas | 1 Swift Framework | 2025-06-04 | N/A | N/A |
| The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-23941 | 1 Group-office | 1 Group Office | 2025-06-04 | N/A | 5.4 MEDIUM |
| Cross-site scripting vulnerability exists in Group Office prior to v6.6.182, prior to v6.7.64 and prior to v6.8.31, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product. | |||||
| CVE-2024-23172 | 1 Mediawiki | 1 Mediawiki | 2025-06-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog. | |||||
| CVE-2024-23031 | 1 Eyoucms | 1 Eyoucms | 2025-06-04 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in is_water parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL. | |||||