Skip to main content
CVE-2025-67964 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS.This issue affects Homey Core: from n/a through <= 2.4.3. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67960 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS.This issue affects WorkScout-Core: from n/a through <= 1.7.06. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67959 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS.This issue affects WorkScout: from n/a through <= 4.1.07. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67952 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS.This issue affects Grand Tour: from n/a through < 5.6.2. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67949 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS.This issue affects Hostiko: from n/a through < 94.3.6. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67947 HIGH This Week

scriptsbundle AdForest Elementor adforest-elementor is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67943 HIGH This Week

wphocus My auctions allegro my-auctions-allegro-free-edition is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67923 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67620 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS.This issue affects Anon: from n/a through <= 2.2.10. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67614 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS.This issue affects TheNa: from n/a through <= 1.5.5. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69317 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS.This issue affects CarSpot: from n/a through < 2.4.6. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69316 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS.This issue affects TableOn: from n/a through <= 1.0.4.2. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69098 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS.This issue affects Hide My WP: from n/a through <= 6.2.12. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53240 HIGH This Week

adamlabs WordPress Photo Gallery photo-gallery-portfolio is affected by cross-site scripting (xss) (CVSS 6.1).

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52762 HIGH This Week

flexostudio flexo-posts-manager flexo-posts-manager is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52746 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS.This issue affects Restaurante: from n/a through <= 3.0.7. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-50006 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS.This issue affects xSmart: from n/a through <= 1.2.9.4. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49249 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS.This issue affects Drone: from n/a through <= 1.40. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49066 HIGH This Week

LambertGroup Accordion Slider PRO accordion_slider_pro is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49046 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS.This issue affects xPromoter: from n/a through <= 1.3.4. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49045 HIGH This Week

highwarden Super Interactive Maps super-interactive-maps is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49043 HIGH This Week

LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel is affected by cross-site scripting (xss) (CVSS 6.1).

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48094 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS.This issue affects Magic Slider: from n/a through <= 2.2. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-47666 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS.This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-32123 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS.This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-27005 HIGH This Week

LambertGroup HTML5 Video Player lbg-vp2-html5-bottom is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69321 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS.This issue affects Grand Spa: from n/a through <= 3.5.5. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22355 HIGH This Week

gregmolnar Simple XML Sitemap simple-xml-sitemap is affected by cross-site request forgery (csrf) (CVSS 7.1).

CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-27379 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. [CVSS 6.8 MEDIUM]

XSS On Prem Enterprise Server
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-23893 MEDIUM PATCH This Month

Privilege escalation in openCryptoki 2.3.2+ allows token-group members to exploit insecure symlink handling in group-writable token directories, enabling file operations on arbitrary filesystem targets when the library runs with elevated privileges. An attacker with token-group membership can plant symlinks to redirect administrative operations, potentially leading to privilege escalation or unauthorized data access. A patch is available.

Linux Privilege Escalation Opencryptoki Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-71176 MEDIUM POC PATCH This Month

pytest versions up to 9.0.2 contains a vulnerability that allows attackers to cause a denial of service or possibly gain privileges (CVSS 6.8).

Denial Of Service Red Hat Suse
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-1326 LOW POC Monitor

Command injection in Totolik NR1800X firmware allows authenticated remote attackers to execute arbitrary commands through the Hostname parameter in the setWanCfg POST handler. Public exploit code exists for this vulnerability, creating elevated risk despite no patch availability. Affected devices can be compromised to gain full system control with network access and valid credentials.

Command Injection Nr1800x Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
2.7%
CVE-2025-68609 MEDIUM This Month

A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. [CVSS 6.6 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-69055 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder allows Path Traversal.This issue affects BM Content Builder: from n/a before 3.16.3.3. [CVSS 6.5 MEDIUM]

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68896 MEDIUM This Month

Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WDV One Page Docs: from n/a through <= 1.2.4. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68558 MEDIUM This Month

Missing Authorization vulnerability in averta Depicter Slider depicter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Depicter Slider: from n/a through <= 4.0.4. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68019 MEDIUM This Month

Missing Authorization vulnerability in cleverplugins SEO Booster seo-booster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEO Booster: from n/a through <= 6.1.8. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67958 MEDIUM This Month

Missing Authorization vulnerability in Taxcloud TaxCloud for WooCommerce simple-sales-tax allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TaxCloud for WooCommerce: from n/a through <= 8.3.8. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-5805 MEDIUM This Month

Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Electron: from n/a through <= 1.8.2. [CVSS 8.8 HIGH]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-54002 MEDIUM This Month

Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects xSmart: from n/a through <= 1.2.9.4. [CVSS 8.8 HIGH]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24379 MEDIUM This Month

WP Job Portal has an authorization bypass through user-controlled keys allowing attackers to access other users' job applications and employer data.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24389 MEDIUM This Month

WP Chill Gallery PhotoBlocks photoblocks-grid-gallery is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24383 MEDIUM This Month

DOM-based cross-site scripting in bPlugins B Slider through version 2.0.6 enables authenticated attackers to inject malicious scripts that execute in users' browsers with network access. An attacker with user privileges can exploit improper input neutralization during web page generation to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24361 MEDIUM This Month

ThimPress LearnPress Course Review plugin through version 4.1.9 is vulnerable to stored cross-site scripting (XSS) that allows authenticated users with insufficient input validation to inject malicious scripts into course reviews. An attacker with user privileges can exploit this to execute arbitrary JavaScript in other users' browsers, potentially stealing session tokens or performing unauthorized actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24354 MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Shortcodes & Performance plugin versions 6.1 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers. An attacker with user-level privileges can exploit improper input neutralization during page generation to steal session cookies, perform unauthorized actions, or deface content for affected users. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22463 MEDIUM This Month

Stored XSS in Micro.company Form to Chat App versions up to 1.2.5 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data and stealing sensitive information. The vulnerability stems from insufficient input sanitization during form processing and requires user interaction to trigger. No patch is currently available for this medium-severity flaw.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22353 MEDIUM This Month

Stored XSS in teachPress through version 9.0.12 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data and performing unauthorized actions within the application. The vulnerability requires user interaction to trigger and can affect multiple users across the application scope. No security patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22347 MEDIUM This Month

subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68046 MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Retrieve Embedded Sensitive Data.This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1. [CVSS 6.5 MEDIUM]

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68006 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data.This issue affects Booking Ultra Pro: from n/a through <= 1.1.23. [CVSS 6.5 MEDIUM]

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 6 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy