Skip to main content

CWE-79

Cross-site Scripting (XSS)

36067 CVEs Avg CVSS 5.7 MITRE
412
CRITICAL
3465
HIGH
30381
MEDIUM
1734
LOW
11755
POC
28
KEV

Monthly

CVE-2026-13042 HIGH This Week

Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-interaction entry point makes it a practical drive-by injection risk.

WordPress XSS Rpb Chessboard
NVD
CVSS 3.1
7.2
CVE-2026-15306 MEDIUM This Month

Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

WordPress XSS Product Feed Manager For Woocommerce Sell On 200 Online Marketplaces
NVD
CVSS 3.1
6.1
CVE-2026-15652 MEDIUM This Month

Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.

WordPress XSS Easy Accordion Ai Powered Faq Accordion Blocks Product Faq
NVD VulDB
CVSS 3.1
6.4
CVE-2026-14987 MEDIUM This Month

Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD VulDB
CVSS 3.1
6.4
CVE-2026-13005 MEDIUM This Month

Stored Cross-Site Scripting in the MxChat AI Chatbot & Content Generation WordPress plugin (versions up to and including 3.2.10) enables authenticated administrators to persist malicious scripts through admin settings panels. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, narrowing the realistic attack surface significantly. No public exploit code or active exploitation (CISA KEV) has been identified; CVSS 4.4 Medium reflects the restricted conditions and high privilege requirement.

WordPress XSS Mxchat Ai Chatbot Content Generation For Wordpress
NVD VulDB
CVSS 3.1
4.4
CVE-2026-54498 Ruby HIGH POC PATCH GHSA This Week

Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.

CSRF XSS
NVD GitHub
CVSS 3.1
8.7
CVE-2026-54458 PHP CRITICAL Act Now

Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.

PHP CSRF XSS Avideo
NVD GitHub VulDB
CVSS 3.1
9.6
CVE-2026-49867 MEDIUM PATCH This Month

Stored cross-site scripting in DataEase's template static resource pipeline allows authenticated users to persist malicious JavaScript inside SVG files served at the application's same origin, executing in victims' browsers upon resource access. Versions prior to 2.10.23 are affected; the root cause is that StaticResourceServer.saveFilesToServe and saveSingleFileToServe decoded attacker-supplied Base64 content and wrote it directly to disk without validating extension, MIME type, decoded bytes, or SVG scriptability. No public exploit code or CISA KEV listing exists at time of analysis, but the stored, same-origin nature of the XSS and the low bar for triggering it (any authenticated user) make this a meaningful risk in shared or multi-tenant DataEase deployments.

XSS Dataease
NVD GitHub
CVSS 4.0
6.3
CVE-2026-62944 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in MantisBT (versions <= 2.28.3) lets an authenticated user inject arbitrary HTML/JavaScript through a crafted image-attachment filename that breaks out of an IMG tag's alt attribute. The payload executes when any user (including higher-privileged reviewers) renders the Word/HTML export view at print_all_bug_page_word.php?type_page=html&export=1, though real-world impact is constrained by MantisBT's Content Security Policy. There is no public exploit identified at time of analysis, and the flaw is fixed in 2.28.4.

PHP XSS
NVD GitHub
CVE-2026-52881 PHP CRITICAL PATCH GHSA Act Now

Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. There is no public exploit identified at time of analysis, no CISA KEV listing, and no CVSS/EPSS score in the provided data; the issue was reported by watchTowr and fixed in 2.28.4.

Open Redirect PHP XSS
NVD GitHub
CVSS 7.2
HIGH This Week

Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-interaction entry point makes it a practical drive-by injection risk.

WordPress XSS Rpb Chessboard
NVD
CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

WordPress XSS Product Feed Manager For Woocommerce Sell On 200 Online Marketplaces
NVD
CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.

WordPress XSS Easy Accordion Ai Powered Faq Accordion Blocks Product Faq
NVD VulDB
CVSS 6.4
MEDIUM This Month

Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD VulDB
CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the MxChat AI Chatbot & Content Generation WordPress plugin (versions up to and including 3.2.10) enables authenticated administrators to persist malicious scripts through admin settings panels. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, narrowing the realistic attack surface significantly. No public exploit code or active exploitation (CISA KEV) has been identified; CVSS 4.4 Medium reflects the restricted conditions and high privilege requirement.

WordPress XSS Mxchat Ai Chatbot Content Generation For Wordpress
NVD VulDB
CVSS 8.7
HIGH POC PATCH This Week

Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.

CSRF XSS
NVD GitHub
CVSS 9.6
CRITICAL Act Now

Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.

PHP CSRF XSS +1
NVD GitHub VulDB
CVSS 6.3
MEDIUM PATCH This Month

Stored cross-site scripting in DataEase's template static resource pipeline allows authenticated users to persist malicious JavaScript inside SVG files served at the application's same origin, executing in victims' browsers upon resource access. Versions prior to 2.10.23 are affected; the root cause is that StaticResourceServer.saveFilesToServe and saveSingleFileToServe decoded attacker-supplied Base64 content and wrote it directly to disk without validating extension, MIME type, decoded bytes, or SVG scriptability. No public exploit code or CISA KEV listing exists at time of analysis, but the stored, same-origin nature of the XSS and the low bar for triggering it (any authenticated user) make this a meaningful risk in shared or multi-tenant DataEase deployments.

XSS Dataease
NVD GitHub
HIGH PATCH This Week

Stored cross-site scripting in MantisBT (versions <= 2.28.3) lets an authenticated user inject arbitrary HTML/JavaScript through a crafted image-attachment filename that breaks out of an IMG tag's alt attribute. The payload executes when any user (including higher-privileged reviewers) renders the Word/HTML export view at print_all_bug_page_word.php?type_page=html&export=1, though real-world impact is constrained by MantisBT's Content Security Policy. There is no public exploit identified at time of analysis, and the flaw is fixed in 2.28.4.

PHP XSS
NVD GitHub
CRITICAL PATCH Act Now

Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. There is no public exploit identified at time of analysis, no CISA KEV listing, and no CVSS/EPSS score in the provided data; the issue was reported by watchTowr and fixed in 2.28.4.

Open Redirect PHP XSS
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy