Monthly
Stored or reflected cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious script content that executes in a victim's browser, enabling spoofing attacks over a network. Affected deployments span SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. No public exploit code or active CISA KEV listing has been identified; the CVSS 4.6 Medium rating reflects the dual prerequisites of authentication and victim interaction, which materially constrain real-world exploitability.
Cross-site scripting in Microsoft Windows Admin Center enables network-based spoofing attacks against users who interact with attacker-controlled content. The CVSS vector (AV:N/PR:N/UI:R/S:C) confirms that an unauthenticated remote attacker can deliver a crafted payload that executes in the victim's browser context once user interaction occurs, enabling session hijacking or administrative action spoofing within the management interface. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor patch is available via the Microsoft Security Response Center.
Reflected cross-site scripting in Emlog 2.6.13 and earlier lets a remote attacker execute arbitrary JavaScript in an authenticated administrator's backend session by luring the admin to open a crafted link that hits the user-search feature in admin/user.php. The keyword parameter is sanitized with addslashes but never HTML-escaped before it is echoed into a value attribute in admin/views/user.php, so injected markup breaks out of the attribute and runs in the admin's browser. No public exploit identified at time of analysis, and no fixed version currently exists.
Stored cross-site scripting in Perfect Support Ticketing & Document Management System through version 1.7 allows authenticated Agent-level users to inject persistent malicious scripts into ticket Notes fields. Any user who subsequently views the compromised ticket notes - including Superadmin users - executes the attacker's payload in their browser context, enabling session token theft and unauthorized actions performed on the victim's behalf. No public exploit identified at time of analysis for KEV listing, though a publicly available proof-of-concept exists per VulnCheck and the researcher's GitHub repository.
Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. No public exploit code or CISA KEV listing is confirmed at time of analysis; risk is substantially gated by the shop manager privilege requirement.
Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.
Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Wordfence discovered and reported it.
Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.
Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.
Stored or reflected cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious script content that executes in a victim's browser, enabling spoofing attacks over a network. Affected deployments span SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. No public exploit code or active CISA KEV listing has been identified; the CVSS 4.6 Medium rating reflects the dual prerequisites of authentication and victim interaction, which materially constrain real-world exploitability.
Cross-site scripting in Microsoft Windows Admin Center enables network-based spoofing attacks against users who interact with attacker-controlled content. The CVSS vector (AV:N/PR:N/UI:R/S:C) confirms that an unauthenticated remote attacker can deliver a crafted payload that executes in the victim's browser context once user interaction occurs, enabling session hijacking or administrative action spoofing within the management interface. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor patch is available via the Microsoft Security Response Center.
Reflected cross-site scripting in Emlog 2.6.13 and earlier lets a remote attacker execute arbitrary JavaScript in an authenticated administrator's backend session by luring the admin to open a crafted link that hits the user-search feature in admin/user.php. The keyword parameter is sanitized with addslashes but never HTML-escaped before it is echoed into a value attribute in admin/views/user.php, so injected markup breaks out of the attribute and runs in the admin's browser. No public exploit identified at time of analysis, and no fixed version currently exists.
Stored cross-site scripting in Perfect Support Ticketing & Document Management System through version 1.7 allows authenticated Agent-level users to inject persistent malicious scripts into ticket Notes fields. Any user who subsequently views the compromised ticket notes - including Superadmin users - executes the attacker's payload in their browser context, enabling session token theft and unauthorized actions performed on the victim's behalf. No public exploit identified at time of analysis for KEV listing, though a publicly available proof-of-concept exists per VulnCheck and the researcher's GitHub repository.
Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. No public exploit code or CISA KEV listing is confirmed at time of analysis; risk is substantially gated by the shop manager privilege requirement.
Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.
Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Wordfence discovered and reported it.
Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.
Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.