Skip to main content

CWE-79

Cross-site Scripting (XSS)

36080 CVEs Avg CVSS 5.7 MITRE
412
CRITICAL
3466
HIGH
30393
MEDIUM
1734
LOW
11759
POC
28
KEV

Monthly

CVE-2026-62826 MEDIUM PATCH This Month

Stored or reflected cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious script content that executes in a victim's browser, enabling spoofing attacks over a network. Affected deployments span SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. No public exploit code or active CISA KEV listing has been identified; the CVSS 4.6 Medium rating reflects the dual prerequisites of authentication and victim interaction, which materially constrain real-world exploitability.

Microsoft XSS Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 Microsoft Sharepoint Server Subscription Edition
NVD
CVSS 3.1
4.6
CVE-2026-58643 MEDIUM PATCH This Month

Cross-site scripting in Microsoft Windows Admin Center enables network-based spoofing attacks against users who interact with attacker-controlled content. The CVSS vector (AV:N/PR:N/UI:R/S:C) confirms that an unauthenticated remote attacker can deliver a crafted payload that executes in the victim's browser context once user interaction occurs, enabling session hijacking or administrative action spoofing within the management interface. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor patch is available via the Microsoft Security Response Center.

Microsoft XSS Windows Admin Center
NVD
CVSS 3.1
6.1
CVE-2026-46686 HIGH This Week

Reflected cross-site scripting in Emlog 2.6.13 and earlier lets a remote attacker execute arbitrary JavaScript in an authenticated administrator's backend session by luring the admin to open a crafted link that hits the user-search feature in admin/user.php. The keyword parameter is sanitized with addslashes but never HTML-escaped before it is echoed into a value attribute in admin/views/user.php, so injected markup breaks out of the attribute and runs in the admin's browser. No public exploit identified at time of analysis, and no fixed version currently exists.

PHP XSS Emlog
NVD GitHub
CVSS 4.0
8.5
CVE-2026-63081 MEDIUM POC This Month

Stored cross-site scripting in Perfect Support Ticketing & Document Management System through version 1.7 allows authenticated Agent-level users to inject persistent malicious scripts into ticket Notes fields. Any user who subsequently views the compromised ticket notes - including Superadmin users - executes the attacker's payload in their browser context, enabling session token theft and unauthorized actions performed on the victim's behalf. No public exploit identified at time of analysis for KEV listing, though a publicly available proof-of-concept exists per VulnCheck and the researcher's GitHub repository.

XSS Perfect Support Ticketing Document Management System
NVD GitHub
CVSS 4.0
5.1
CVE-2026-15324 MEDIUM This Month

Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. No public exploit code or CISA KEV listing is confirmed at time of analysis; risk is substantially gated by the shop manager privilege requirement.

WordPress XSS Sysbasics Customize My Account For Woocommerce Live My Account Customizer
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-15021 MEDIUM This Month

Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Wpforo Forum
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13755 MEDIUM This Month

Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.

WordPress XSS Tickera Sell Tickets Manage Events
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-7543 HIGH This Week

Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Wordfence discovered and reported it.

WordPress XSS Breakdance
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-15099 MEDIUM This Month

Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.

WordPress XSS Wp Delicious Recipe Plugin For Food Bloggers Formerly Delicious Recipes
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12978 HIGH POC PATCH This Week

Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.

WordPress XSS Funnelkit
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
CVSS 4.6
MEDIUM PATCH This Month

Stored or reflected cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious script content that executes in a victim's browser, enabling spoofing attacks over a network. Affected deployments span SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. No public exploit code or active CISA KEV listing has been identified; the CVSS 4.6 Medium rating reflects the dual prerequisites of authentication and victim interaction, which materially constrain real-world exploitability.

Microsoft XSS Microsoft Sharepoint Enterprise Server 2016 +2
NVD
CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Microsoft Windows Admin Center enables network-based spoofing attacks against users who interact with attacker-controlled content. The CVSS vector (AV:N/PR:N/UI:R/S:C) confirms that an unauthenticated remote attacker can deliver a crafted payload that executes in the victim's browser context once user interaction occurs, enabling session hijacking or administrative action spoofing within the management interface. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor patch is available via the Microsoft Security Response Center.

Microsoft XSS Windows Admin Center
NVD
CVSS 8.5
HIGH This Week

Reflected cross-site scripting in Emlog 2.6.13 and earlier lets a remote attacker execute arbitrary JavaScript in an authenticated administrator's backend session by luring the admin to open a crafted link that hits the user-search feature in admin/user.php. The keyword parameter is sanitized with addslashes but never HTML-escaped before it is echoed into a value attribute in admin/views/user.php, so injected markup breaks out of the attribute and runs in the admin's browser. No public exploit identified at time of analysis, and no fixed version currently exists.

PHP XSS Emlog
NVD GitHub
CVSS 5.1
MEDIUM POC This Month

Stored cross-site scripting in Perfect Support Ticketing & Document Management System through version 1.7 allows authenticated Agent-level users to inject persistent malicious scripts into ticket Notes fields. Any user who subsequently views the compromised ticket notes - including Superadmin users - executes the attacker's payload in their browser context, enabling session token theft and unauthorized actions performed on the victim's behalf. No public exploit identified at time of analysis for KEV listing, though a publicly available proof-of-concept exists per VulnCheck and the researcher's GitHub repository.

XSS Perfect Support Ticketing Document Management System
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. No public exploit code or CISA KEV listing is confirmed at time of analysis; risk is substantially gated by the shop manager privilege requirement.

WordPress XSS Sysbasics Customize My Account For Woocommerce Live My Account Customizer
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Wpforo Forum
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.

WordPress XSS Tickera Sell Tickets Manage Events
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Wordfence discovered and reported it.

WordPress XSS Breakdance
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.

WordPress XSS Wp Delicious Recipe Plugin For Food Bloggers Formerly Delicious Recipes
NVD
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.

WordPress XSS Funnelkit
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy