XSS

9946 CVEs technique

Monthly

CVE-2026-1116 HIGH This Week

Cross-site scripting in parisneo/lollms prior to version 2.2.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious HTML payloads injected through the unsanitized `content` field in the `AppLollmsMessage.from_dict` deserialization method. The changed scope (CVSS S:C) indicates impact beyond the vulnerable component, enabling session hijacking, account takeover, and potentially wormable attacks. Publicly available exploit code exists (reported via huntr.com bug bounty). EPSS data not provided, but the low attack complexity (AC:L) and network attack vector (AV:N) combined with high confidentiality impact (C:H) and scope change indicate significant exploitation risk for applications exposing this deserialization functionality to untrusted input.

Tags: XSS
Sources: NVD, GitHub, VulDB
CVSS 3.0: 8.2 | EPSS: 0.0%
CVE-2026-6107 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in ChatHeadersMiddleware, requiring user interaction to trigger. The vulnerability has a low CVSS score (3.5) due to requiring authentication and user interaction, but XSS can lead to session hijacking or credential theft. Vendor-released patch version 2.8.0 addresses this issue.

Tags: XSS
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2026-6106 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in the StaticHeadersMiddleware component of the Public Chat Interface. The vulnerability requires user interaction (UI:R) and has low confidentiality impact but enables persistent code execution in user browsers. Publicly available exploit code exists, and vendor-released patch version 2.8.0 resolves the issue.

Tags: XSS
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2026-31845 CRITICAL Act Now

Reflected cross-site scripting (XSS) in Rukovoditel CRM 3.6.4's Zadarma telephony API endpoint allows remote attackers to execute arbitrary JavaScript in victim browsers without authentication. The vulnerability stems from direct reflection of the 'zd_echo' GET parameter without sanitization. With CVSS 9.3 (Critical), changed scope (S:C), and no authentication required (PR:N), this enables session hijacking and account takeover via malicious links. No public exploit identified at time of analysis, though proof-of-concept is trivial given the code-level disclosure. EPSS data not available.

Tags: XSS PHP
Sources: NVD, VulDB
CVSS 4.0: 9.3 | EPSS: 0.0%
CVE-2026-23900 This Week

Multiple stored XSS vulnerabilities have been discovered in the map and icon rendering logic of the Phoca Maps component, versions 5.0.0 through 6.0.2.

Tags: PHP XSS WordPress Phoca Cz Phoca Maps For Joomla
Sources: NVD, VulDB
EPSS: 0.0%
CVE-2026-3498 MEDIUM This Month

Stored Cross-Site Scripting in BlockArt Blocks plugin for WordPress allows authenticated attackers with Author-level or higher permissions to inject arbitrary JavaScript into page content via the 'clientId' block attribute due to insufficient input sanitization and output escaping. An attacker can craft malicious block content that executes in the browsers of all users viewing the compromised page. The vulnerability affects all versions up to and including 2.2.15, with a fix available in version 2.3.0.

Tags: XSS WordPress
Sources: NVD, VulDB
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-4895 MEDIUM This Month

Stored cross-site scripting in GreenShift - Animation and Page Builder Blocks plugin for WordPress up to version 12.8.9 allows authenticated contributors to inject arbitrary JavaScript into pages via improper HTML string manipulation in the gspb_greenShift_block_script_assets() function. The vulnerability stems from a naive str_replace() operation that does not parse HTML context, allowing attackers to break out of attribute boundaries and inject malicious event handlers such as onfocus with JavaScript payloads that execute when users access affected pages. No public exploit code has been identified; however, the low attack complexity and straightforward injection vector make this a practical risk for sites with untrusted contributors.

Tags: XSS WordPress
Sources: NVD, VulDB
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-5217 HIGH This Week

Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.

Tags: XSS PHP WordPress
Sources: NVD, VulDB
CVSS 3.1: 7.2 | EPSS: 0.1%
CVE-2026-5226 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Optimole - Optimize Images in Real Time WordPress plugin versions up to 4.2.3 allows unauthenticated attackers to inject arbitrary JavaScript through malicious URL paths. The vulnerability stems from insufficient output escaping in the get_current_url() function, whose return value is then inserted into JavaScript code via str_replace() in replace_content() without proper JavaScript-context escaping. An attacker can craft a malicious link that, when clicked by a WordPress user, executes the injected script in the context of that user's browser session. Severity is CVSS 6.1 (Medium).

Tags: XSS WordPress
Sources: NVD, VulDB
CVSS 3.1: 6.1 | EPSS: 0.1%
CVE-2026-32893 MEDIUM This Month

Reflected XSS in the Chamilo LMS exercise admin panel, affecting versions prior to 2.0.0-RC.3, allows attackers to execute arbitrary JavaScript in the browser of an authenticated teacher who is tricked into opening a malicious paginated URL. An attacker can craft a weaponized link whose unencoded query parameters are reflected by the pagination mechanism without proper output encoding, potentially leading to session hijacking, credential theft, or unauthorized administrative actions within the learning management system. No public exploit code or active exploitation has been identified at time of analysis.

Tags: XSS Chamilo Lms
Sources: NVD, GitHub
CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2026-35600 MEDIUM PATCH GHSA This Month

Vikunja task title injection in overdue email notifications allows authenticated attackers to embed phishing links and tracking pixels in legitimate SMTP emails by breaking Markdown link syntax with special characters. The vulnerability affects task notification rendering across multiple notification types in Vikunja prior to v2.3.0, where task titles are concatenated directly into Markdown without escaping, survive goldmark rendering and bluemonday sanitization (which intentionally permits <a> and <img> tags), and reach email recipients as trusted-source links within official Vikunja notifications.

Tags: XSS Python
Sources: NVD, GitHub
CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-58920 HIGH This Week

Reflected cross-site scripting in Zootemplate Cerato WordPress theme versions through 2.2.18 allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers through crafted malicious links. Successful exploitation requires user interaction (victim must click attacker-controlled URL). Attack enables session hijacking, credential theft, and defacement within changed security context. No public exploit identified at time of analysis.

Tags: XSS
Sources: NVD
CVSS 3.1: 7.1 | EPSS: 0.0%
CVE-2026-6035 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ServiceAndSalesReport.php. The vulnerability requires user interaction (UI:P) but no authentication, and publicly available exploit code has been disclosed. CVSS 5.3 reflects moderate severity, with impact limited to the confidentiality of user sessions rather than data modification.

Tags: XSS PHP Vehicle Showroom Management System
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-6034 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ProfitAndLossReport.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability. While the CVSS score of 5.3 is moderate, the low integrity impact combined with the user interaction requirement limits practical risk, though XSS vulnerabilities remain routinely exploitable in real-world scenarios.

Tags: XSS PHP Vehicle Showroom Management System
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-6032 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript via the serviceId parameter in /checkcheckout.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and the low CVSS score of 4.3 reflects the need for user click-through and limited scope (integrity impact only), though the attack vector is network-accessible and requires no special privileges or authentication.

Tags: XSS PHP
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-1115 CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malicious JavaScript through unsanitized social post content in the create_post function. Injected scripts execute in victims' browsers when viewing the Home Feed, enabling account takeover, session hijacking, and wormable propagation across the platform. The CVSS vector indicates network-accessible exploitation requiring user interaction, with scope change allowing cross-domain impact. No public exploit identified at time of analysis, but low attack complexity increases weaponization risk.

Tags: XSS
Sources: NVD, GitHub
CVSS 3.0: 9.6 | EPSS: 0.0%
CVE-2026-2305 MEDIUM This Month

Stored cross-site scripting (XSS) in AddFunc Head & Footer Code plugin for WordPress versions up to 2.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via custom post meta fields that execute when administrators preview or view posts. The vulnerability exists because the plugin outputs user-supplied code from `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` meta values without sanitization or escaping, and fails to restrict meta key access via WordPress `register_meta()` authentication callbacks despite restricting its own admin interface. No public exploit code or active exploitation has been confirmed at time of analysis.

Tags: WordPress PHP XSS Addfunc Head Footer Code
Sources: NVD
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-6003 MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Simple IT Discussion Forum 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the fname parameter in /admin/user.php, affecting user interactions through reflected XSS. The vulnerability has a CVSS score of 2.4, reflecting the requirement for high-privilege authentication and user interaction to trigger the payload, but a public exploit exists.

Tags: XSS Simple It Discussion Forum
Sources: NVD, VulDB, GitHub
CVSS 4.0: 4.8 | EPSS: 0.0%
CVE-2026-4305 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Royal WordPress Backup & Restore Plugin up to version 1.0.16 allows unauthenticated attackers to inject arbitrary JavaScript via the 'wpr_pending_template' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing the injected script to execute in the admin's browser with their privileges. This affects all installations running the vulnerable plugin versions, and no active exploitation has been confirmed, though the low attack complexity and lack of authentication requirements make this a practical threat.

Tags: WordPress PHP XSS Royal Wordpress Backup Restore Migration Plugin Backup Wordpress Sites Safely
Sources: NVD
CVSS 3.1: 6.1 | EPSS: 0.0%
CVE-2026-1263 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the Webling WordPress plugin versions up to 3.9.0 allows authenticated attackers with Subscriber-level access to inject malicious scripts into forms and memberlists that execute when administrators view the admin interface. The vulnerability stems from insufficient input sanitization and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions, combined with missing capability checks. No public exploit code or active exploitation has been reported at time of analysis.

Tags: WordPress PHP XSS Webling
Sources: NVD
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-40212 MEDIUM This Month

DOM-based cross-site scripting in OpenStack Skyline console interface allows authenticated administrators to execute arbitrary JavaScript via unsafe document.write usage when viewing instance console logs. Affects Skyline versions before 5.0.1, 6.0.0, and 7.0.0. Attack requires administrator authentication and user interaction (UI:R), limiting real-world impact but enabling session hijacking or credential theft from privileged users.

Tags: XSS
Sources: NVD
CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2026-31262 Awaiting Data

Cross-site scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter.

Tags: XSS Information Disclosure N/A
Sources: NVD, GitHub
EPSS: 0.1%
CVE-2026-21904 MEDIUM This Month

Stored cross-site scripting (XSS) in Juniper Networks Junos Space allows unauthenticated remote attackers to inject malicious script tags into the list filter field, which execute with the permissions of any user who views the affected page, including administrators. All versions before 24.1R5 Patch V3 are vulnerable. No public exploit code or active exploitation has been identified at time of analysis.

Tags: XSS Juniper Junos Space
Sources: NVD
CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2026-40112 MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in PraisonAI versions prior to 4.5.128 allows remote attackers to inject arbitrary JavaScript into agent output rendered by the Flask API endpoint. The vulnerability exists because the _sanitize_html function depends on the nh3 library, which is not declared as a required dependency in pyproject.toml; when nh3 is absent (default installation), HTML sanitization becomes a no-op. Attackers can exploit this via RAG data poisoning, malicious web scraping results, or prompt injection to execute malicious scripts in the browsers of users viewing API output. No public exploit code or active exploitation has been confirmed.

Tags: XSS Python Praisonai
Sources: NVD, GitHub
CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2026-39941 MEDIUM This Month

Cross-site scripting (XSS) in ChurchCRM prior to 7.1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript through the EName and EDesc parameters in EditEventAttendees.php, which are rendered without proper output encoding. Successful exploitation requires user interaction (UI:P) and results in session hijacking, credential theft, or malware distribution to victims' browsers. No public exploit code or active exploitation has been identified at time of analysis.

Tags: XSS PHP
Sources: NVD, GitHub
CVSS 4.0: 5.3 | EPSS: 0.1%
CVE-2026-3005 MEDIUM This Month

Stored cross-site scripting in List Category Posts plugin for WordPress (all versions up to 0.94.0) allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, enabling persistent payload execution whenever affected pages are accessed. CVSS 6.4 reflects moderate confidentiality and integrity impact with network-level access; exploitation requires contributor-level WordPress account.

Tags: WordPress PHP XSS List Category Posts
Sources: NVD, VulDB
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-5742 MEDIUM This Month

Stored Cross-Site Scripting in UsersWP WordPress plugin up to version 1.2.60 allows authenticated subscribers and above to inject arbitrary JavaScript into user profile badge widgets via insufficiently sanitized URL fields, executing malicious scripts for all site visitors viewing affected pages. The vulnerability affects the badge widget rendering component due to improper output escaping in the wp-ayecode-ui library integration. No public exploit code or active exploitation has been identified, though the low attack complexity and subscriber-level access requirement make this a realistic threat in multi-user WordPress environments.

Tags: WordPress PHP XSS Userswp Front End Login Form User Registration User Profile Members Directory Plugin For Wp
Sources: NVD, VulDB
CVSS 3.1: 6.4 | EPSS: 0.1%
CVE-2026-4336 MEDIUM This Month

Stored cross-site scripting in Ultimate FAQ Accordion plugin for WordPress (all versions up to 2.4.7) allows authenticated Author-level users to inject arbitrary web scripts into FAQ pages. The vulnerability exploits a double-encoding bypass: the plugin calls html_entity_decode() on FAQ content during rendering, converting entity-encoded payloads (e.g., &lt;img src=x onerror=alert()&gt;) back into executable HTML, which then bypasses WordPress output escaping in the faq-answer.php template. The ufaq custom post type is REST API-enabled with default post capabilities, allowing Authors to create and publish malicious FAQs via REST API. No public exploit code has been identified at time of analysis, but the vulnerability has a moderate CVSS 6.4 score reflecting its authenticated requirement and cross-site impact.

Tags: WordPress PHP XSS Ultimate Faq Accordion Plugin
Sources: NVD, VulDB
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-5836 MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated administrators to inject malicious scripts via the product_name parameter in /admin/admin_product.php, affecting other users who view the product data. The vulnerability requires high-privilege admin access and user interaction (clicking/viewing), limiting immediate risk, but publicly available exploit code exists and the issue has been disclosed. With a CVSS score of 2.4 and exploit maturity marked as proof-of-concept (E:P), this is a low-severity issue primarily affecting self-hosted instances of the affected software.

Tags: XSS Information Disclosure Online Shoe Store
Sources: NVD, VulDB, GitHub
CVSS 4.0: 4.8 | EPSS: 0.0%
CVE-2026-5835 MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated attackers with high privileges to inject malicious scripts via the product_name parameter in /admin/admin_football.php, requiring user interaction to execute. The vulnerability has publicly available exploit code and a CVSS score of 2.4, reflecting the requirement for high-privilege authentication and user interaction; the low EPSS probability and lack of a CISA KEV listing suggest limited real-world exploitation despite POC availability.

Tags: PHP XSS Online Shoe Store
Sources: NVD, VulDB, GitHub
CVSS 4.0: 4.8 | EPSS: 0.0%
CVE-2026-5834 MEDIUM POC This Month

Cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the product_name parameter in /admin/admin_running.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, though it carries a low CVSS score of 2.4 due to restricted attack vector (high privileges required, user interaction needed) and limited impact (integrity only).

Tags: PHP XSS Online Shoe Store
Sources: NVD, VulDB, GitHub
CVSS 4.0: 4.8 | EPSS: 0.0%
CVE-2026-3574 MEDIUM This Month

Stored Cross-Site Scripting in Experto Dashboard for WooCommerce plugin versions up to 1.0.4 allows authenticated administrators to inject arbitrary JavaScript into plugin settings fields (Navigation Font Size, Font Weight, Heading Font Size, Font Weight, Text Font Size, and Font Weight) due to missing input sanitization and output escaping. The injected scripts execute when any user accesses the settings page, affecting only multi-site WordPress installations or single-site installations with unfiltered_html disabled. No public exploit code identified at time of analysis.

Tags: WordPress PHP XSS Experto Dashboard For Woocommerce
Sources: NVD
CVSS 3.1: 4.4 | EPSS: 0.0%
CVE-2026-4429 MEDIUM This Month

Stored Cross-Site Scripting in OSM - OpenStreetMap WordPress plugin versions up to 6.1.15 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through insufficiently sanitized 'marker_name' and 'file_color_list' shortcode attributes in [osm_map_v3], executing malicious scripts whenever users access affected pages. CVSS 6.4 reflects moderate severity with cross-site impact; exploitation requires valid WordPress user credentials but no user interaction beyond page access.

Tags: WordPress PHP XSS Osm Openstreetmap
Sources: NVD
CVSS 3.1: 6.4 | EPSS: 0.1%
CVE-2026-5357 MEDIUM This Month

Stored cross-site scripting in Download Manager for WordPress up to version 3.3.52 allows authenticated contributors and above to inject arbitrary JavaScript through the 'sid' parameter of the 'wpdm_members' shortcode, which is stored in post metadata and executed when users access the affected page. The vulnerability stems from missing input sanitization in the members() function and absent output escaping (esc_attr()) when the 'sid' value is rendered directly into HTML id attributes. EPSS score indicates moderate-to-high exploitation probability; no active exploitation in CISA KEV has been confirmed at time of analysis.

Tags: WordPress PHP XSS Download Manager
Sources: NVD
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-5826 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in code-projects Simple IT Discussion Forum 1.0 allows remote attackers to inject malicious scripts via the Category parameter in /edit-category.php. The vulnerability requires user interaction (reflected XSS) but has a low CVSS base score of 4.3; however, publicly available exploit code exists, increasing practical risk for unpatched installations.

Tags: XSS PHP Simple It Discussion Forum
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-5825 MEDIUM POC This Month

Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /delmemberinfo.php, compromising user session integrity and enabling credential theft or malware distribution. The vulnerability requires user interaction (CVSS UI:R) but carries a CVSS score of 4.3 (low severity). Publicly available exploit code exists and the attack vector is network-accessible with no authentication required (AV:N, PR:N).

Tags: PHP XSS Simple Laundry System
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2025-45806 MEDIUM This Month

rrweb-snapshot before v2.0.0-alpha.18 contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript or HTML in a victim's browser context through a crafted payload. The vulnerability requires user interaction (clicking a malicious link) and affects client-side snapshot capture functionality. Publicly available exploit code exists according to CISA SSVC assessment, though active exploitation has not been confirmed at time of analysis.

Tags: XSS Node.js N/A
Sources: NVD, GitHub
CVSS 3.1: 6.1 | EPSS: 0.0%
CVE-2025-63238 MEDIUM This Month

Reflected cross-site scripting in LimeSurvey prior to version 6.15.11+250909 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL containing an unsanitized gid parameter passed to the getInstance() function in QuestionCreate.php. The vulnerability requires user interaction (clicking a crafted link) but affects logged-in users and can lead to session hijacking, credential theft, or malicious actions performed on behalf of the victim. No public exploitation has been confirmed at time of analysis, though proof-of-concept code is publicly available.

Tags: XSS PHP N/A
Sources: NVD, GitHub
CVSS 3.1: 6.1 | EPSS: 0.0%
CVE-2025-70797 MEDIUM This Month

Cross-site scripting (XSS) in LimeSurvey 6.15.20+251021 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious Box[title] and box[url] parameters. The vulnerability requires user interaction (clicking a crafted link) but achieves stored or reflected XSS with cross-origin impact, affecting confidentiality and integrity. A public proof-of-concept is available, and an upstream fix has been merged into the LimeSurvey repository.

Tags: RCE XSS N/A
Sources: NVD, GitHub
CVSS 3.1: 6.1 | EPSS: 0.1%
CVE-2025-70365 MEDIUM This Month

Stored cross-site scripting in Kiamo before version 8.4 allows authenticated administrative users to inject persistent JavaScript payloads into administrative interfaces due to improper output encoding, resulting in execution within browsers of subsequent users accessing affected pages. The vulnerability requires valid admin credentials and user interaction (clicking a link or viewing a page) to trigger payload execution, making it a targeted attack vector against administrative personnel. EPSS probability is extremely low at 0.02%, and no active exploitation has been confirmed, though the issue affects a web-based application platform.

Tags: XSS N/A
Sources: NVD, GitHub
CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2026-4332 MEDIUM This Month

Stored cross-site scripting (XSS) in GitLab EE customizable analytics dashboards allows authenticated users to execute arbitrary JavaScript in other users' browsers due to improper input sanitization. Affected versions include 18.2-18.8.8, 18.9-18.9.4, and 18.10-18.10.2. An attacker with valid GitLab credentials can craft malicious dashboard configurations that execute when other users view the dashboard, potentially stealing session tokens, modifying visible data, or performing actions on behalf of the victim. No public exploit code or active exploitation in the wild has been confirmed; patches are available.

Tags: XSS Gitlab
Sources: NVD, VulDB
CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2026-3438 MEDIUM This Month

Reflected cross-site scripting in Sonatype Nexus Repository 3.0.0 through 3.90.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a specially crafted URL, requiring user interaction to trigger the attack. With a CVSS 4.0 score of 5.1 and limited technical impact (session integrity only), this vulnerability poses a moderate risk to organizations using affected versions; no public exploit code or active exploitation has been identified.

Tags: XSS
Sources: NVD
CVSS 4.0: 5.1 | EPSS: 0.2%
CVE-2026-5810 MEDIUM POC This Month

Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /delete.php, which are executed in the context of other users' browsers when they interact with the affected page. The vulnerability requires user interaction (clicking a malicious link) but has a published proof-of-concept and CVSS 5.1 score reflecting moderate impact on data integrity; exploitation is confirmed possible but not currently in CISA KEV.

Tags: XSS PHP
Sources: NVD, GitHub, VulDB
CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2026-40028 MEDIUM This Month

Hayabusa versions before 3.8.0 contain a stored cross-site scripting (XSS) vulnerability in HTML report generation that allows authenticated attackers to inject arbitrary JavaScript into the Computer field of JSON-exported logs, which executes in a forensic examiner's browser when viewing the generated HTML report. The vulnerability requires user interaction (report viewing) and results in information disclosure or session compromise, affecting forensic analysis workflows that process untrusted or adversary-controlled log data.

Tags: RCE Information Disclosure XSS Hayabusa
Sources: NVD, GitHub
CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2026-5808 MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in openstatusHQ openstatus allows unauthenticated remote attackers to inject malicious scripts via the callbackURL parameter in the Onboarding Endpoint component. The vulnerability affects the onboarding client functionality and requires user interaction to exploit. Vendor has released a patched version (commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb), and no public exploit code is currently identified.

Tags: XSS Openstatus
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-5711 MEDIUM This Month

Stored Cross-Site Scripting in Post Blocks & Tools WordPress plugin versions up to 1.3.0 allows authenticated attackers with author-level access to inject arbitrary JavaScript through the 'sliderStyle' block attribute in the Posts Slider block, which executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent payload injection that affects any site administrator or editor visiting a compromised post.

Tags: WordPress XSS Post Blocks Tools
Sources: NVD
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-5806 MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Easy Blog Site 1.0 allows authenticated remote attackers to inject malicious scripts via the postTitle parameter in /posts/update.php, potentially compromising user sessions and data integrity. The vulnerability requires user interaction (UI:P) and authentication (PR:L), but carries published exploit code and a moderate CVSS score of 5.1, indicating practical exploitation risk in multi-user blog environments.

Tags: XSS PHP Easy Blog Site
Sources: NVD, VulDB, GitHub
CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2026-5451 MEDIUM This Month

Stored Cross-Site Scripting in Extensions for Leaflet Map plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'elevation-track' shortcode due to insufficient input sanitization and output escaping, enabling arbitrary script execution whenever users access injected pages. The vulnerability affects all versions up to and including 4.14, with a CVSS score of 6.4 reflecting the moderate but significant impact across multiple users of the same WordPress installation.

Tags: WordPress XSS Extensions For Leaflet Map
Sources: NVD
CVSS 3.1: 6.4 | EPSS: 0.0%
CVE-2026-39416 HIGH This Week

Stored cross-site scripting in AIL Framework <6.8 allows authenticated high-privilege attackers to inject malicious JavaScript through the modal item preview function. When processing item content exceeding 800 characters, the application returns attacker-controlled content without explicit text/plain content-type headers, enabling browser interpretation as HTML. Successful exploitation executes arbitrary JavaScript in victim browsers viewing crafted items, compromising confidentiality and integrity across system and user contexts. No public exploit identified at time of analysis.

Tags: XSS Ail Framework
Sources: NVD, GitHub
CVSS 4.0: 8.5 | EPSS: 0.1%
CVE-2026-35455 HIGH This Week

Stored Cross-Site Scripting in Immich photo management platform versions prior to 2.7.0 enables authenticated attackers to execute arbitrary JavaScript when victims view malicious 360° panorama images with OCR overlay enabled. Attackers upload specially crafted equirectangular images containing malicious text that OCR extracts and the panorama viewer renders unsanitized via innerHTML. Exploitation permits session hijacking through persistent API key creation, exfiltration of private photos, GPS location history theft, and unauthorized access to facial biometric data. No public exploit identified at time of analysis.

Tags: XSS
Sources: NVD, GitHub
CVSS 3.1: 7.3 | EPSS: 0.0%
CVE-2026-35403 MEDIUM This Month

Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticated users with low privileges to inject malicious scripts via invalid visit labels. The vulnerability arises because responses are JSON-encoded but lack a proper Content-Type header, causing browsers to interpret the payload as HTML. An attacker can trick a victim into following a crafted link to execute arbitrary JavaScript in the victim's browser context, potentially compromising sensitive neuroimaging research data. Fixed in versions 27.0.3 and 28.0.1.

XSS
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-35169 HIGH This Week

Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior to 27.0.3 and 28.0.1. Improper input sanitization allows authenticated attackers with low privileges to execute malicious scripts in victim browsers (requiring user interaction) and exfiltrate markdown files from the server. Attack requires network access and social engineering to trick users into following crafted links. No public exploit identified at time of analysis.

XSS
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-34718 MEDIUM This Month

Improper HTML sanitization in Zammad ticket article processing prior to versions 7.0.1 and 6.5.4 allows unauthenticated remote attackers to inject malicious data URI schemes that persist in the database, potentially enabling stored cross-site scripting (XSS) attacks. While current Content Security Policy mitigations prevent immediate harm from link clicks, the vulnerability represents a persistent data integrity issue and stored XSS vector that could be exploited if CSP rules are modified or bypassed. No public exploit code has been identified, but the vulnerability affects all instances running unpatched versions.

XSS
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39392 MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with page-editing privileges to inject arbitrary JavaScript into page content that executes in the browsers of all public visitors. The Pages module fails to apply HTML sanitization during content creation and updates, storing unsanitized HTML directly in the database and rendering it without escaping on the frontend, whereas the Blog module correctly implements this protection. An attacker with admin credentials can compromise the integrity and confidentiality of visitor sessions. CVSS 5.5, no public exploit code identified at time of analysis.

XSS
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-39391 MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with blacklist privileges to inject arbitrary JavaScript through unsanitized note parameters, which executes in the browsers of other administrators viewing the user management page. The vulnerability requires high-privilege authenticated access and user interaction (admin viewing the affected page), limiting real-world impact despite the network-accessible attack vector.

XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-39390 MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators to inject malicious JavaScript via the Google Maps iframe setting (cMap field) using the srcdoc attribute, which bypasses existing sanitization filters. The injected payload executes in the browser context of unauthenticated frontend visitors, enabling session hijacking, credential theft, or malware distribution. This vulnerability requires admin-level access to the settings panel but affects all unauthenticated site visitors who view pages with the malicious iframe.

XSS Google
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-2509 MEDIUM This Month

Stored Cross-Site Scripting in Page Builder: Pagelayer WordPress plugin versions up to 2.0.8 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into page content via the Button widget's Custom Attributes field. The vulnerability bypasses an incomplete XSS filter that blocks common event handlers but fails to block all variants, enabling persistent script execution whenever affected pages are viewed. No public exploit code or active exploitation has been confirmed; however, the low attack complexity and broad applicability to WordPress sites using this popular page builder plugin present meaningful risk.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5301 HIGH This Week

Stored cross-site scripting (XSS) in CoolerControl UI log viewer enables complete service takeover when unauthenticated remote attackers inject malicious JavaScript into log entries, which execute when viewed by administrators or users. Affects coolercontrol-ui versions 2.0.0 through 3.x, patched in version 4.0.0. No public exploit identified at time of analysis, but CVSS score of 7.6 reflects network accessibility without authentication requirements (PR:N) and high integrity impact, making this a realistic attack vector for targeted environments where attackers can influence log content.

XSS
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-2481 MEDIUM PATCH This Month

Stored Cross-Site Scripting in Beaver Builder Page Builder plugin for WordPress up to version 2.10.1.1 allows authenticated attackers with author-level access or higher to inject arbitrary JavaScript through the 'settings[js]' parameter due to insufficient input sanitization and output escaping. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site integrity and user accounts. No public exploit code or active CISA KEV status reported at analysis time.

WordPress XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4300 MEDIUM This Month

Stored cross-site scripting in Robo Gallery for WordPress up to version 5.1.3 allows authenticated Author-level users to inject arbitrary JavaScript via the Loading Label gallery setting. The vulnerability exploits a custom marker pattern (`|***...***|`) in the `fixJsFunction()` method that converts JSON-wrapped strings into raw JavaScript code; input validation with `sanitize_text_field()` fails to strip the markers, enabling script injection that executes whenever the gallery shortcode is rendered. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4025 MEDIUM This Month

Stored Cross-Site Scripting in PrivateContent Free WordPress plugin versions up to 1.2.0 allows authenticated contributors and above to inject arbitrary JavaScript through the 'align' shortcode attribute in [pc-login-form], which executes when any user visits an affected page. The vulnerability stems from the 'align' parameter being concatenated directly into an HTML class attribute without proper escaping (esc_attr), enabling persistent XSS attacks. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4303 MEDIUM This Month

Stored Cross-Site Scripting in WP Visitor Statistics plugin versions up to 8.4 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript through the 'wsm_showDayStatsGraph' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user accessing the affected page, potentially compromising site visitors and enabling account takeover or malware distribution. No public exploit code or active exploitation has been confirmed at this time.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4073 MEDIUM This Month

Stored cross-site scripting (XSS) in the pdfl.io WordPress plugin allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'text' attribute of the 'pdflio' shortcode, which is executed in the browsers of all site visitors due to missing output escaping. All versions up to and including 1.0.5 are affected, and the vulnerability requires Contributor-level WordPress access but no user interaction beyond page access. No public exploit code or active exploitation has been confirmed; the attack relies on insufficient input sanitization in the output_shortcode() function.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-39712 MEDIUM This Month

Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote attackers to inject arbitrary code through shortcode execution, resulting in stored cross-site scripting (XSS). The vulnerability exploits insufficient input sanitization in the plugin's composer functionality, enabling attackers to inject malicious scripts that execute in the context of affected web pages. While EPSS scoring indicates low real-world exploitation probability (0.03%, 8th percentile), the CISA SSVC framework notes the attack is automatable and results in partial technical impact; no public exploit code or active exploitation has been identified at time of analysis.

XSS
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39708 MEDIUM This Month

Stored cross-site scripting (XSS) in UiCore Elements WordPress plugin versions 1.3.14 and earlier allows authenticated users to inject malicious scripts into web pages, which execute in the browsers of other users viewing affected content. The vulnerability stems from improper input neutralization during page generation, affecting any WordPress installation using the plugin. No active exploitation has been confirmed, and the EPSS score of 0.03% indicates very low real-world exploitation probability despite the CVSS 6.5 score.

XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39703 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.

WordPress PHP XSS Wpbits Addons For Elementor Page Builder
NVD
EPSS
0.0%
CVE-2026-39702 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Wealcoder Animation Addons for Elementor through version 2.6.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the click of a link. The vulnerability stems from improper input neutralization during web page generation and affects all versions of the plugin up to and including 2.6.1. With an EPSS score of 0.03% and no confirmed active exploitation, this represents a lower-priority vulnerability despite the authenticated attack requirement.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39696 MEDIUM This Month

DOM-Based cross-site scripting (XSS) in Elfsight WhatsApp Chat CC WordPress plugin versions up to 1.2.0 allows authenticated attackers with limited privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R per CVSS vector) and affects the plugin's DOM manipulation during web page generation. Real-world exploitation risk is low: EPSS score of 0.03% (8th percentile) reflects minimal demonstrated exploitation likelihood, no public proof-of-concept has been identified, and CISA SSVC assessment indicates exploitation is not yet observed and attack automation is infeasible.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39693 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS. This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.

WordPress PHP XSS Fsm Custom Featured Image Caption
NVD
EPSS
0.0%
CVE-2026-39692 MEDIUM This Month

Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS exploitation probability is very low at 0.03% (8th percentile), and CISA SSVC assessment indicates no known exploitation, non-automatable attacks, and partial technical impact, suggesting this is a lower-priority vulnerability despite the CVSS 6.5 rating.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39683 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS. This issue affects Garden Gnome Package: from n/a through <= 2.4.1.

WordPress PHP XSS Garden Gnome Package
NVD
EPSS
0.0%
CVE-2026-39674 MEDIUM This Month

DOM-based cross-site scripting in MK Google Directions WordPress plugin versions up to 3.1.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper sanitization of user-supplied input during web page generation, enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or deface plugin interface elements. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is minimal despite the medium CVSS score of 6.5.

Google XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39667 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS. This issue affects Korea SNS: from n/a through <= 1.7.0.

XSS WordPress Korea Sns
NVD
EPSS
0.0%
CVE-2026-39666 MEDIUM This Month

DOM-Based XSS in Hello Bar Popup Builder WordPress plugin versions up to 1.5.1 allows authenticated attackers with low privileges to inject arbitrary scripts that execute in users' browsers with the affected site's context. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS score of 0.03% (8th percentile) and CISA SSVC assessment of non-automatable exploitation with partial technical impact indicate this is a low real-world priority despite moderate CVSS score, though authenticated access and user interaction requirements limit immediate threat surface.

XSS Hello Bar Popup Builder
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39665 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS. This issue affects SEO Friendly Images: from n/a through <= 3.0.5.

WordPress PHP XSS Seo Friendly Images
NVD
EPSS
0.0%
CVE-2026-39654 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS. This issue affects WP Simple HTML Sitemap: from n/a through <= 3.8.

WordPress PHP XSS Wp Simple Html Sitemap
NVD
EPSS
0.0%
CVE-2026-39646 MEDIUM This Month

Stored cross-site scripting (XSS) in bozdoz Leaflet Map WordPress plugin versions up to 3.4.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability has a low EPSS score (0.03%, 8th percentile) suggesting minimal real-world exploitation likelihood despite moderate CVSS severity, and no public exploit code or active exploitation has been confirmed.

XSS Leaflet Map
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39638 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS. This issue affects Qubely: from n/a through <= 1.8.14.

WordPress PHP XSS Qubely
NVD
EPSS
0.0%
CVE-2026-39636 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS. This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.

WordPress PHP XSS Livemesh Addons For Elementor
NVD
EPSS
0.0%
CVE-2026-39629 MEDIUM This Month

Improper neutralization of script-related HTML tags in the kutethemes Uminex WordPress theme version 1.0.9 and earlier enables unauthenticated remote attackers to inject arbitrary code via cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating minimal real-world exploitation probability despite a CVSS base score of 5.3; no public exploit code or active exploitation has been identified.

XSS Uminex
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39628 Monitor

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection. This issue affects DukaMarket: from n/a through <= 1.3.0.

WordPress PHP XSS Dukamarket
NVD
EPSS
0.0%
CVE-2026-39626 Monitor

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection. This issue affects Armania: from n/a through <= 1.4.8.

WordPress PHP XSS Armania
NVD
EPSS
0.0%
CVE-2026-39625 MEDIUM This Month

Improper neutralization of script-related HTML tags in kutethemes TechOne WordPress theme versions up to 3.0.3 enables unauthenticated attackers to inject malicious code through basic cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an exceptionally low EPSS score (0.03%, percentile 8%) despite the moderate CVSS rating, suggesting minimal real-world exploitation likelihood. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

XSS Techone
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39615 MEDIUM This Month

Stored XSS in Shahjada Download Manager WordPress plugin versions up to 3.3.53 allows authenticated administrators with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (UI:R) and high administrative privileges (PR:H), limiting real-world attack surface; EPSS exploitation probability is exceptionally low at 0.03% (8th percentile), indicating minimal practical risk despite the stored nature of the vulnerability.

XSS Download Manager
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39604 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS. This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.

WordPress PHP XSS Mybooktable Bookstore
NVD
EPSS
0.0%
CVE-2026-39575 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Ronald Huereca Custom Query Blocks WordPress plugin version 5.5.0 and earlier allows authenticated users to inject malicious scripts via the post-type-archive-mapping functionality. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability across site boundaries (S:C). With EPSS at 0.03% and no confirmed active exploitation, this is a low-probability risk despite the medium CVSS score, indicating exploitation requires specific preconditions unlikely to occur in typical deployments.

XSS Custom Query Blocks
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39541 MEDIUM This Month

Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.

XSS Hydra Booking
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39517 MEDIUM This Month

DOM-Based Cross-Site Scripting (XSS) in A WP Life Blog Filter WordPress plugin versions 1.7.6 and earlier allows authenticated attackers with low privileges to inject malicious scripts that execute in victims' browsers when they interact with crafted web pages. The vulnerability stems from improper neutralization of user input during page generation and requires user interaction to trigger. No public exploit code or active exploitation has been identified at the time of analysis, with an EPSS score of 0.03% indicating low exploitation probability.

XSS Blog Filter
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39508 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Advanced Coupons for WooCommerce Coupons plugin (versions up to 4.7.1.1) allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the same privileges as the site context, affecting confidentiality, integrity, and availability of the WordPress installation. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating low real-world exploitation probability despite the moderate CVSS 6.5 rating.

XSS WordPress Advanced Coupons For Woocommerce Coupons
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39500 This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS. This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.2.

WordPress PHP XSS Themesflat Addons For Elementor
NVD
EPSS
0.0%
CVE-2026-31845
EPSS 0% CVSS 9.3
CRITICAL Act Now

Reflected cross-site scripting (XSS) in Rukovoditel CRM 3.6.4's Zadarma telephony API endpoint allows remote attackers to execute arbitrary JavaScript in victim browsers without authentication. The vulnerability stems from direct reflection of the 'zd_echo' GET parameter without sanitization. With CVSS 9.3 (Critical), changed scope (S:C), and no authentication required (PR:N), this enables session hijacking and account takeover via malicious links. No public exploit identified at time of analysis, though proof-of-concept is trivial given the code-level disclosure. EPSS data not available.

XSS PHP
NVD VulDB
CVE-2026-23900
EPSS 0%
This Week

Various stored XSS vulnerabilities in the map and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.

PHP XSS WordPress +1
NVD VulDB
CVE-2026-3498
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in BlockArt Blocks plugin for WordPress allows authenticated attackers with Author-level or higher permissions to inject arbitrary JavaScript into page content via the 'clientId' block attribute due to insufficient input sanitization and output escaping. An attacker can craft malicious block content that executes in the browsers of all users viewing the compromised page. The vulnerability affects all versions up to and including 2.2.15, with a fix available in version 2.3.0.

XSS WordPress
NVD VulDB
CVE-2026-4895
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in GreenShift - Animation and Page Builder Blocks plugin for WordPress up to version 12.8.9 allows authenticated contributors to inject arbitrary JavaScript into pages via improper HTML string manipulation in the gspb_greenShift_block_script_assets() function. The vulnerability exploits a naive str_replace() operation that fails to parse HTML context, enabling attackers to break out of attribute boundaries and inject malicious event handlers like onfocus with JavaScript payloads that execute when users access affected pages. No public exploit code has been identified; however, the low attack complexity and straightforward injection vector make this a practical risk for sites with untrusted contributors.

XSS WordPress
NVD VulDB
CVE-2026-5217
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.

XSS PHP WordPress
NVD VulDB
CVE-2026-5226
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Optimole - Optimize Images in Real Time WordPress plugin versions up to 4.2.3 allows unauthenticated attackers to inject arbitrary JavaScript through malicious URL paths. The vulnerability stems from insufficient output escaping of the URL values returned by the get_current_url() function, which are then inserted into JavaScript code via str_replace() without proper JavaScript context escaping in replace_content(). An attacker can craft a malicious link that, when clicked by a WordPress user, executes injected scripts in the context of the user's browser session with CVSS 6.1 (Medium) severity.

XSS WordPress
NVD VulDB
CVE-2026-32893
EPSS 0% CVSS 5.4
MEDIUM This Month

Reflected XSS in Chamilo LMS exercise admin panel allows authenticated teachers to be tricked into executing arbitrary JavaScript via malicious paginated URLs, affecting versions prior to 2.0.0-RC.3. An attacker can craft a weaponized link containing unencoded query parameters that bypass the pagination mechanism's improper output encoding, potentially leading to session hijacking, credential theft, or unauthorized administrative actions within the learning management system. No public exploit code or active exploitation has been identified at time of analysis.

XSS Chamilo Lms
NVD GitHub
CVE-2026-35600
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Vikunja task title injection in overdue email notifications allows authenticated attackers to embed phishing links and tracking pixels in legitimate SMTP emails by breaking Markdown link syntax with special characters. The vulnerability affects task notification rendering across multiple notification types in Vikunja prior to v2.3.0, where task titles are concatenated directly into Markdown without escaping, survive goldmark rendering and bluemonday sanitization (which intentionally permits <a> and <img> tags), and reach email recipients as trusted-source links within official Vikunja notifications.

XSS Python
NVD GitHub
CVE-2025-58920
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in Zootemplate Cerato WordPress theme versions through 2.2.18 allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers through crafted malicious links. Successful exploitation requires user interaction (victim must click attacker-controlled URL). Attack enables session hijacking, credential theft, and defacement within changed security context. No public exploit identified at time of analysis.

XSS
NVD
CVE-2026-6035
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ServiceAndSalesReport.php. The vulnerability requires user interaction (UI:P) but no authentication, with publicly available exploit code disclosed. CVSS 5.3 reflects moderate severity with integrity impact limited to confidentiality of user sessions rather than data modification.

XSS PHP Vehicle Showroom Management System
NVD VulDB GitHub
CVE-2026-6034
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ProfitAndLossReport.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and while the CVSS score of 5.3 is moderate, the low integrity impact combined with user interaction requirement limits practical risk, though XSS vulnerabilities remain routinely exploitable in real-world scenarios.

XSS PHP Vehicle Showroom Management System
NVD VulDB GitHub
CVE-2026-6032
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript via the serviceId parameter in /checkcheckout.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and the low CVSS score of 4.3 reflects the need for user click-through and limited scope (integrity impact only), though the attack vector is network-accessible and requires no special privileges or authentication.

XSS PHP
NVD VulDB GitHub
CVE-2026-1115
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malicious JavaScript through unsanitized social post content in the create_post function. Injected scripts execute in victims' browsers when viewing the Home Feed, enabling account takeover, session hijacking, and wormable propagation across the platform. The CVSS vector indicates network-accessible exploitation requiring user interaction, with scope change allowing cross-domain impact. No public exploit identified at time of analysis, but low attack complexity increases weaponization risk.

XSS
NVD GitHub
CVE-2026-2305
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting (XSS) in AddFunc Head & Footer Code plugin for WordPress versions up to 2.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via custom post meta fields that execute when administrators preview or view posts. The vulnerability exists because the plugin outputs user-supplied code from `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` meta values without sanitization or escaping, and fails to restrict meta key access via WordPress `register_meta()` authentication callbacks despite restricting its own admin interface. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress PHP XSS +1
NVD
CVE-2026-6003
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Simple IT Discussion Forum 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the fname parameter in /admin/user.php, affecting user interactions through reflected XSS. The vulnerability has a CVSS score of 2.4 but carries a public exploit, though the low CVSS reflects the requirement for high-privilege authentication and user interaction to trigger the payload.

XSS Simple It Discussion Forum
NVD VulDB GitHub
CVE-2026-4305
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Royal WordPress Backup & Restore Plugin up to version 1.0.16 allows unauthenticated attackers to inject arbitrary JavaScript via the 'wpr_pending_template' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing the injected script to execute in the admin's browser with their privileges. This affects all installations running the vulnerable plugin versions, and no active exploitation has been confirmed, though the low attack complexity and lack of authentication requirements make this a practical threat.

WordPress PHP XSS +1
NVD
CVE-2026-1263
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the Webling WordPress plugin versions up to 3.9.0 allows authenticated attackers with Subscriber-level access to inject malicious scripts into forms and memberlists that execute when administrators view the admin interface. The vulnerability stems from insufficient input sanitization and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions, combined with missing capability checks. No public exploit code or active exploitation has been reported at time of analysis.

WordPress PHP XSS +1
NVD
CVE-2026-40212
EPSS 0% CVSS 5.4
MEDIUM This Month

DOM-based cross-site scripting in OpenStack Skyline console interface allows authenticated administrators to execute arbitrary JavaScript via unsafe document.write usage when viewing instance console logs. Affects Skyline versions before 5.0.1, 6.0.0, and 7.0.0. Attack requires administrator authentication and user interaction (UI:R), limiting real-world impact but enabling session hijacking or credential theft from privileged users.

XSS
NVD
CVE-2026-31262
EPSS 0%
Awaiting Data

Cross-site scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter.

XSS Information Disclosure N/A
NVD GitHub
CVE-2026-21904
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting (XSS) in Juniper Networks Junos Space allows unauthenticated remote attackers to inject malicious script tags into the list filter field, which execute with the permissions of any user who views the affected page, including administrators. All versions before 24.1R5 Patch V3 are vulnerable. No public exploit code or active exploitation has been identified at time of analysis.

XSS Juniper Junos Space
NVD
CVE-2026-40112
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in PraisonAI versions prior to 4.5.128 allows remote attackers to inject arbitrary JavaScript into agent output rendered by the Flask API endpoint. The vulnerability exists because the _sanitize_html function depends on the nh3 library, which is not declared as a required dependency in pyproject.toml; when nh3 is absent (default installation), HTML sanitization becomes a no-op. Attackers can exploit this via RAG data poisoning, malicious web scraping results, or prompt injection to execute malicious scripts in the browsers of users viewing API output. No public exploit code or active exploitation has been confirmed.

XSS Python Praisonai
NVD GitHub
CVE-2026-39941
EPSS 0% CVSS 5.3
MEDIUM This Month

Cross-site scripting (XSS) in ChurchCRM prior to 7.1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript through the EName and EDesc parameters in EditEventAttendees.php, which is rendered without proper output encoding. Successful exploitation requires user interaction (UI:P) and results in session hijacking, credential theft, or malware distribution to victims' browsers. No public exploit code or active exploitation has been identified at time of analysis.

XSS PHP
NVD GitHub
CVE-2026-3005
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in List Category Posts plugin for WordPress (all versions up to 0.94.0) allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, enabling persistent payload execution whenever affected pages are accessed. CVSS 6.4 reflects moderate confidentiality and integrity impact with network-level access; exploitation requires contributor-level WordPress account.

WordPress PHP XSS +1
NVD VulDB
CVE-2026-5742
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in UsersWP WordPress plugin up to version 1.2.60 allows authenticated subscribers and above to inject arbitrary JavaScript into user profile badge widgets via insufficiently sanitized URL fields, executing malicious scripts for all site visitors viewing affected pages. The vulnerability affects the badge widget rendering component due to improper output escaping in the wp-ayecode-ui library integration. No public exploit code or active exploitation has been identified, though the low attack complexity and subscriber-level access requirement make this a realistic threat in multi-user WordPress environments.

WordPress PHP XSS +1
NVD VulDB
CVE-2026-4336
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Ultimate FAQ Accordion plugin for WordPress (all versions up to 2.4.7) allows authenticated Author-level users to inject arbitrary web scripts into FAQ pages. The vulnerability exploits a double-encoding bypass: the plugin calls html_entity_decode() on FAQ content during rendering, converting entity-encoded payloads (e.g., &lt;img src=x onerror=alert()&gt;) back into executable HTML, which then bypasses WordPress output escaping in the faq-answer.php template. The ufaq custom post type is REST API-enabled with default post capabilities, allowing Authors to create and publish malicious FAQs via REST API. No public exploit code has been identified at time of analysis, but the vulnerability has a moderate CVSS 6.4 score reflecting its authenticated requirement and cross-site impact.

WordPress PHP XSS +1
NVD VulDB
CVE-2026-5836
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated administrators to inject malicious scripts via the product_name parameter in /admin/admin_product.php, affecting other users who view the product data. The vulnerability requires high-privilege admin access and user interaction (clicking/viewing), limiting immediate risk, but publicly available exploit code exists and the issue has been disclosed. With a CVSS score of 2.4 and exploitation probability marked as proof-of-concept (E:P), this is a low-severity issue primarily affecting self-hosted instances of the affected software.

XSS Information Disclosure Online Shoe Store
NVD VulDB GitHub
CVE-2026-5835
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated attackers with high privileges to inject malicious scripts via the product_name parameter in /admin/admin_football.php, requiring user interaction to execute. The vulnerability has publicly available exploit code and a CVSS score of 2.4, reflecting the requirement for high-privilege authentication and user interaction, though the low EPSS probability and lack of CISA KEV listing suggest limited real-world exploitation despite POC availability.

PHP XSS Online Shoe Store
NVD VulDB GitHub
CVE-2026-5834
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the product_name parameter in /admin/admin_running.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, though it carries a low CVSS score of 2.4 due to restricted attack vector (high privileges required, user interaction needed) and limited impact (integrity only).

PHP XSS Online Shoe Store
NVD VulDB GitHub
CVE-2026-3574
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in Experto Dashboard for WooCommerce plugin versions up to 1.0.4 allows authenticated administrators to inject arbitrary JavaScript into plugin settings fields (Navigation Font Size, Font Weight, Heading Font Size, Font Weight, Text Font Size, and Font Weight) due to missing input sanitization and output escaping. The injected scripts execute when any user accesses the settings page, affecting only multi-site WordPress installations or single-site installations with unfiltered_html disabled. No public exploit code identified at time of analysis.

WordPress PHP XSS +1
NVD
CVE-2026-4429
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in OSM - OpenStreetMap WordPress plugin versions up to 6.1.15 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through insufficiently sanitized 'marker_name' and 'file_color_list' shortcode attributes in [osm_map_v3], executing malicious scripts whenever users access affected pages. CVSS 6.4 reflects moderate severity with cross-site impact; exploitation requires valid WordPress user credentials but no user interaction beyond page access.

WordPress PHP XSS +1
NVD
CVE-2026-5357
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Download Manager for WordPress up to version 3.3.52 allows authenticated contributors and above to inject arbitrary JavaScript through the 'sid' parameter of the 'wpdm_members' shortcode, which is stored in post metadata and executed when users access the affected page. The vulnerability stems from missing input sanitization in the members() function and absent output escaping (esc_attr()) when the 'sid' value is rendered directly into HTML id attributes. EPSS score indicates moderate-to-high exploitation probability; no active exploitation in CISA KEV has been confirmed at time of analysis.

WordPress PHP XSS +1
NVD
CVE-2026-5826
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in code-projects Simple IT Discussion Forum 1.0 allows remote attackers to inject malicious scripts via the Category parameter in /edit-category.php. The vulnerability requires user interaction (reflected XSS) but has a low CVSS base score of 4.3; however, publicly available exploit code exists, increasing practical risk for unpatched installations.

XSS PHP Simple It Discussion Forum
NVD VulDB GitHub
CVE-2026-5825
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /delmemberinfo.php, compromising user session integrity and enabling credential theft or malware distribution. The vulnerability requires user interaction (CVSS UI:R) but carries a CVSS score of 4.3 (low severity). Publicly available exploit code exists and the attack vector is network-accessible with no authentication required (AV:N, PR:N).

PHP XSS Simple Laundry System
NVD VulDB GitHub
CVE-2025-45806
EPSS 0% CVSS 6.1
MEDIUM This Month

rrweb-snapshot before v2.0.0-alpha.18 contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript or HTML in a victim's browser context through a crafted payload. The vulnerability requires user interaction (clicking a malicious link) and affects client-side snapshot capture functionality. Publicly available exploit code exists according to CISA SSVC assessment, though active exploitation has not been confirmed at time of analysis.

XSS Node.js N/A
NVD GitHub
CVE-2025-63238
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in LimeSurvey prior to version 6.15.11+250909 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL containing an unsanitized gid parameter passed to the getInstance() function in QuestionCreate.php. The vulnerability requires user interaction (clicking a crafted link) but affects logged-in users and can lead to session hijacking, credential theft, or malicious actions performed on behalf of the victim. No public exploitation has been confirmed at time of analysis, though proof-of-concept code is publicly available.

XSS PHP N/A
NVD GitHub
CVE-2025-70797
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) in LimeSurvey 6.15.20+251021 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious Box[title] and box[url] parameters. The vulnerability requires user interaction (clicking a crafted link) but achieves stored or reflected XSS with cross-origin impact, affecting confidentiality and integrity. A public proof-of-concept is available, and an upstream fix has been merged into the LimeSurvey repository.

RCE XSS N/A
NVD GitHub
CVE-2025-70365
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Kiamo before version 8.4 allows authenticated administrative users to inject persistent JavaScript payloads into administrative interfaces due to improper output encoding, resulting in execution within browsers of subsequent users accessing affected pages. The vulnerability requires valid admin credentials and user interaction (clicking a link or viewing a page) to trigger payload execution, making it a targeted attack vector against administrative personnel. EPSS probability is extremely low at 0.02%, and no active exploitation has been confirmed, though the issue affects a web-based application platform.

XSS N/A
NVD GitHub
CVE-2026-4332
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in GitLab EE customizable analytics dashboards allows authenticated users to execute arbitrary JavaScript in other users' browsers due to improper input sanitization. Affected versions include 18.2-18.8.8, 18.9-18.9.4, and 18.10-18.10.2. An attacker with valid GitLab credentials can craft malicious dashboard configurations that execute when other users view the dashboard, potentially stealing session tokens, modifying visible data, or performing actions on behalf of the victim. No public exploit code or active exploitation in the wild has been confirmed; patches are available.

XSS Gitlab
NVD VulDB
CVE-2026-3438
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected cross-site scripting in Sonatype Nexus Repository 3.0.0 through 3.90.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a specially crafted URL, requiring user interaction to trigger the attack. With a CVSS 4.0 score of 5.1 and limited technical impact (session integrity only), this vulnerability poses a moderate risk to organizations using affected versions; no public exploit code or active exploitation has been identified.

XSS
NVD
CVE-2026-5810
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /delete.php, which are executed in the context of other users' browsers when they interact with the affected page. The vulnerability requires user interaction (clicking a malicious link) but has a published proof-of-concept and CVSS 5.1 score reflecting moderate impact on data integrity; exploitation is confirmed possible but not currently in CISA KEV.

XSS PHP
NVD GitHub VulDB
CVE-2026-40028
EPSS 0% CVSS 5.1
MEDIUM This Month

Hayabusa versions before 3.8.0 contain a stored cross-site scripting (XSS) vulnerability in HTML report generation that allows authenticated attackers to inject arbitrary JavaScript into the Computer field of JSON-exported logs, which executes in a forensic examiner's browser when viewing the generated HTML report. The vulnerability requires user interaction (report viewing) and results in information disclosure or session compromise, affecting forensic analysis workflows that process untrusted or adversary-controlled log data.

RCE Information Disclosure XSS +1
NVD GitHub
CVE-2026-5808
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in openstatusHQ openstatus allows unauthenticated remote attackers to inject malicious scripts via the callbackURL parameter in the Onboarding Endpoint component. The vulnerability affects the onboarding client functionality and requires user interaction to exploit. Vendor has released a patched version (commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb), and no public exploit code is currently identified.

XSS Openstatus
NVD VulDB GitHub
CVE-2026-5711
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Post Blocks & Tools WordPress plugin versions up to 1.3.0 allows authenticated attackers with author-level access to inject arbitrary JavaScript through the 'sliderStyle' block attribute in the Posts Slider block, which executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent payload injection that affects any site administrator or editor visiting a compromised post.

WordPress XSS Post Blocks Tools
NVD
CVE-2026-5806
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Easy Blog Site 1.0 allows authenticated remote attackers to inject malicious scripts via the postTitle parameter in /posts/update.php, potentially compromising user sessions and data integrity. The vulnerability requires user interaction (UI:P) and authentication (PR:L), but carries published exploit code and a moderate CVSS score of 5.1, indicating practical exploitation risk in multi-user blog environments.

XSS PHP Easy Blog Site
NVD VulDB GitHub
CVE-2026-5451
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Extensions for Leaflet Map plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'elevation-track' shortcode due to insufficient input sanitization and output escaping, enabling arbitrary script execution whenever users access injected pages. The vulnerability affects all versions up to and including 4.14, with a CVSS score of 6.4 reflecting the moderate but significant impact across multiple users of the same WordPress installation.

WordPress XSS Extensions For Leaflet Map
NVD
CVE-2026-39416
EPSS 0% CVSS 8.5
HIGH This Week

Stored cross-site scripting in AIL Framework <6.8 allows authenticated high-privilege attackers to inject malicious JavaScript through the modal item preview function. When processing item content exceeding 800 characters, the application returns attacker-controlled content without explicit text/plain content-type headers, enabling browser interpretation as HTML. Successful exploitation executes arbitrary JavaScript in victim browsers viewing crafted items, compromising confidentiality and integrity across system and user contexts. No public exploit identified at time of analysis.

XSS Ail Framework
NVD GitHub
CVE-2026-35455
EPSS 0% CVSS 7.3
HIGH This Week

Stored Cross-Site Scripting in Immich photo management platform versions prior to 2.7.0 enables authenticated attackers to execute arbitrary JavaScript when victims view malicious 360° panorama images with OCR overlay enabled. Attackers upload specially crafted equirectangular images containing malicious text that OCR extracts and the panorama viewer renders unsanitized via innerHTML. Exploitation permits session hijacking through persistent API key creation, exfiltration of private photos, GPS location history theft, and unauthorized access to facial biometric data. No public exploit identified at time of analysis.

XSS
NVD GitHub
CVE-2026-35403
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticated users with low privileges to inject malicious scripts via invalid visit labels. The vulnerability arises because responses are JSON-encoded but lack a proper Content-Type header, causing browsers to interpret the payload as HTML. An attacker can trick a victim into following a crafted link to execute arbitrary JavaScript in the victim's browser context, potentially compromising sensitive neuroimaging research data. Fixed in versions 27.0.3 and 28.0.1.

XSS
NVD GitHub
CVE-2026-35169
EPSS 0% CVSS 8.7
HIGH This Week

Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior to 27.0.3 and 28.0.1. Improper input sanitization allows authenticated attackers with low privileges to execute malicious scripts in victim browsers (requiring user interaction) and exfiltrate markdown files from the server. Attack requires network access and social engineering to trick users into following crafted links. No public exploit identified at time of analysis.

XSS
NVD GitHub
CVE-2026-34718
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper HTML sanitization in Zammad ticket article processing prior to versions 7.0.1 and 6.5.4 allows unauthenticated remote attackers to inject malicious data URI schemes that persist in the database, potentially enabling stored cross-site scripting (XSS) attacks. While current Content Security Policy mitigations prevent immediate harm from link clicks, the vulnerability represents a persistent data integrity issue and stored XSS vector that could be exploited if CSP rules are modified or bypassed. No public exploit code has been identified, but the vulnerability affects all instances running unpatched versions.

XSS
NVD GitHub VulDB
CVE-2026-39392
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with page-editing privileges to inject arbitrary JavaScript into page content that executes in the browsers of all public visitors. The Pages module fails to apply HTML sanitization during content creation and updates, storing unsanitized HTML directly in the database and rendering it without escaping on the frontend, whereas the Blog module correctly implements this protection. An attacker with admin credentials can compromise the integrity and confidentiality of visitor sessions. CVSS 5.5, no public exploit code identified at time of analysis.

XSS
NVD GitHub
CVE-2026-39391
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with blacklist privileges to inject arbitrary JavaScript through unsanitized note parameters, which executes in the browsers of other administrators viewing the user management page. The vulnerability requires high-privilege authenticated access and user interaction (admin viewing the affected page), limiting real-world impact despite the network-accessible attack vector.

XSS
NVD GitHub
CVE-2026-39390
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators to inject malicious JavaScript via the Google Maps iframe setting (cMap field) using the srcdoc attribute, which bypasses existing sanitization filters. The injected payload executes in the browser context of unauthenticated frontend visitors, enabling session hijacking, credential theft, or malware distribution. This vulnerability requires admin-level access to the settings panel but affects all unauthenticated site visitors who view pages with the malicious iframe.

XSS Google
NVD GitHub
CVE-2026-2509
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Page Builder: Pagelayer WordPress plugin versions up to 2.0.8 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into page content via the Button widget's Custom Attributes field. The vulnerability bypasses an incomplete XSS filter that blocks common event handlers but fails to block all variants, enabling persistent script execution whenever affected pages are viewed. No public exploit code or active exploitation has been confirmed; however, the low attack complexity and broad applicability to WordPress sites using this popular page builder plugin present meaningful risk.

WordPress XSS
NVD
CVE-2026-5301
EPSS 0% CVSS 7.6
HIGH This Week

Stored cross-site scripting (XSS) in CoolerControl UI log viewer enables complete service takeover when unauthenticated remote attackers inject malicious JavaScript into log entries, which execute when viewed by administrators or users. Affects coolercontrol-ui versions 2.0.0 through 3.x, patched in version 4.0.0. No public exploit identified at time of analysis, but CVSS score of 7.6 reflects network accessibility without authentication requirements (PR:N) and high integrity impact, making this a realistic attack vector for targeted environments where attackers can influence log content.

XSS
NVD
CVE-2026-2481
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored Cross-Site Scripting in Beaver Builder Page Builder plugin for WordPress up to version 2.10.1.1 allows authenticated attackers with author-level access or higher to inject arbitrary JavaScript through the 'settings[js]' parameter due to insufficient input sanitization and output escaping. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site integrity and user accounts. No public exploit code or active CISA KEV status reported at analysis time.

WordPress XSS
NVD GitHub
CVE-2026-4300
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Robo Gallery for WordPress up to version 5.1.3 allows authenticated Author-level users to inject arbitrary JavaScript via the Loading Label gallery setting. The vulnerability exploits a custom marker pattern (`|***...***|`) in the `fixJsFunction()` method that converts JSON-wrapped strings into raw JavaScript code; input validation with `sanitize_text_field()` fails to strip the markers, enabling script injection that executes whenever the gallery shortcode is rendered. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress XSS
NVD
CVE-2026-4025
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in PrivateContent Free WordPress plugin versions up to 1.2.0 allows authenticated contributors and above to inject arbitrary JavaScript through the 'align' shortcode attribute in [pc-login-form], which executes when any user visits an affected page. The vulnerability stems from the 'align' parameter being concatenated directly into an HTML class attribute without proper escaping (esc_attr), enabling persistent XSS attacks. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress XSS
NVD
CVE-2026-4303
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Visitor Statistics plugin versions up to 8.4 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript through the 'wsm_showDayStatsGraph' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user accessing the affected page, potentially compromising site visitors and enabling account takeover or malware distribution. No public exploit code or active exploitation has been confirmed at this time.

WordPress XSS
NVD
CVE-2026-4073
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting (XSS) in the pdfl.io WordPress plugin allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'text' attribute of the 'pdflio' shortcode, which is executed in the browsers of all site visitors due to missing output escaping. All versions up to and including 1.0.5 are affected, and the vulnerability requires Contributor-level WordPress access but no user interaction beyond page access. No public exploit code or active exploitation has been confirmed; the attack relies on insufficient input sanitization in the output_shortcode() function.

WordPress XSS
NVD
CVE-2026-39712
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote attackers to inject arbitrary code through shortcode execution, resulting in stored cross-site scripting (XSS). The vulnerability exploits insufficient input sanitization in the plugin's composer functionality, enabling attackers to inject malicious scripts that execute in the context of affected web pages. While EPSS scoring indicates low real-world exploitation probability (0.03%, 8th percentile), the CISA SSVC framework notes the attack is automatable and results in partial technical impact; no public exploit code or active exploitation has been identified at time of analysis.

XSS
NVD VulDB
CVE-2026-39708
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in UiCore Elements WordPress plugin versions 1.3.14 and earlier allows authenticated users to inject malicious scripts into web pages, which execute in the browsers of other users viewing affected content. The vulnerability stems from improper input neutralization during page generation, affecting any WordPress installation using the plugin. No active exploitation has been confirmed, and the EPSS score of 0.03% indicates very low real-world exploitation probability despite the CVSS 6.5 score.

XSS
NVD VulDB
CVE-2026-39703
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.

WordPress PHP XSS +1
NVD
CVE-2026-39702
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting (XSS) in Wealcoder Animation Addons for Elementor through version 2.6.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the click of a link. The vulnerability stems from improper input neutralization during web page generation and affects all versions of the plugin up to and including 2.6.1. With an EPSS score of 0.03% and no confirmed active exploitation, this represents a lower-priority vulnerability despite the authenticated attack requirement.

XSS
NVD
CVE-2026-39696
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-Based cross-site scripting (XSS) in Elfsight WhatsApp Chat CC WordPress plugin versions up to 1.2.0 allows authenticated attackers with limited privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R per CVSS vector) and affects the plugin's DOM manipulation during web page generation. Real-world exploitation risk is low: EPSS score of 0.03% (8th percentile) reflects minimal demonstrated exploitation likelihood, no public proof-of-concept has been identified, and CISA SSVC assessment indicates exploitation is not yet observed and attack automation is infeasible.

XSS
NVD
CVE-2026-39693
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS. This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.

WordPress PHP XSS +1
NVD
CVE-2026-39692
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS exploitation probability is very low at 0.03% (8th percentile), and CISA SSVC assessment indicates no known exploitation, non-automatable attacks, and partial technical impact, suggesting this is a lower-priority vulnerability despite the CVSS 6.5 rating.

XSS
NVD
CVE-2026-39683
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS. This issue affects Garden Gnome Package: from n/a through <= 2.4.1.

WordPress PHP XSS +1
NVD
CVE-2026-39674
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in MK Google Directions WordPress plugin versions up to 3.1.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper sanitization of user-supplied input during web page generation, enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or deface plugin interface elements. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is minimal despite the medium CVSS score of 6.5.

Google XSS
NVD
CVE-2026-39667
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS. This issue affects Korea SNS: from n/a through <= 1.7.0.

XSS WordPress Korea Sns
NVD
CVE-2026-39666
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-Based XSS in Hello Bar Popup Builder WordPress plugin versions up to 1.5.1 allows authenticated attackers with low privileges to inject arbitrary scripts that execute in users' browsers with the affected site's context. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS score of 0.03% (8th percentile) and CISA SSVC assessment of non-automatable exploitation with partial technical impact indicate this is a low real-world priority despite moderate CVSS score, though authenticated access and user interaction requirements limit immediate threat surface.

XSS Hello Bar Popup Builder
NVD
CVE-2026-39665
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS. This issue affects SEO Friendly Images: from n/a through <= 3.0.5.

WordPress PHP XSS +1
NVD
CVE-2026-39654
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS. This issue affects WP Simple HTML Sitemap: from n/a through <= 3.8.

WordPress PHP XSS +1
NVD
CVE-2026-39646
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in bozdoz Leaflet Map WordPress plugin versions up to 3.4.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability has a low EPSS score (0.03%, 8th percentile) suggesting minimal real-world exploitation likelihood despite moderate CVSS severity, and no public exploit code or active exploitation has been confirmed.

XSS Leaflet Map
NVD
CVE-2026-39638
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS. This issue affects Qubely: from n/a through <= 1.8.14.

WordPress PHP XSS +1
NVD
CVE-2026-39636
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS. This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.

WordPress PHP XSS +1
NVD
CVE-2026-39629
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper neutralization of script-related HTML tags in the kutethemes Uminex WordPress theme version 1.0.9 and earlier enables unauthenticated remote attackers to inject arbitrary code via cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating minimal real-world exploitation probability despite a CVSS base score of 5.3; no public exploit code or active exploitation has been identified.

XSS Uminex
NVD
CVE-2026-39628
EPSS 0%
Monitor

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection. This issue affects DukaMarket: from n/a through <= 1.3.0.

WordPress PHP XSS +1
NVD
CVE-2026-39626
EPSS 0%
Monitor

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection. This issue affects Armania: from n/a through <= 1.4.8.

WordPress PHP XSS +1
NVD
CVE-2026-39625
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper neutralization of script-related HTML tags in kutethemes TechOne WordPress theme versions up to 3.0.3 enables unauthenticated attackers to inject malicious code through basic cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an exceptionally low EPSS score (0.03%, percentile 8%) despite the moderate CVSS rating, suggesting minimal real-world exploitation likelihood. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

XSS Techone
NVD
CVE-2026-39615
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in Shahjada Download Manager WordPress plugin versions up to 3.3.53 allows authenticated administrators with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (UI:R) and high administrative privileges (PR:H), limiting real-world attack surface; EPSS exploitation probability is exceptionally low at 0.03% (8th percentile), indicating minimal practical risk despite the stored nature of the vulnerability.

XSS Download Manager
NVD
CVE-2026-39604
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS. This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.

WordPress PHP XSS +1
NVD
CVE-2026-39575
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting (XSS) in Ronald Huereca Custom Query Blocks WordPress plugin version 5.5.0 and earlier allows authenticated users to inject malicious scripts via the post-type-archive-mapping functionality. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability across site boundaries (S:C). With EPSS at 0.03% and no confirmed active exploitation, this is a low-probability risk despite the medium CVSS score, indicating exploitation requires specific preconditions unlikely to occur in typical deployments.

XSS Custom Query Blocks
NVD
CVE-2026-39541
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.

XSS Hydra Booking
NVD
CVE-2026-39517
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-Based Cross-Site Scripting (XSS) in A WP Life Blog Filter WordPress plugin versions 1.7.6 and earlier allows authenticated attackers with low privileges to inject malicious scripts that execute in victims' browsers when they interact with crafted web pages. The vulnerability stems from improper neutralization of user input during page generation and requires user interaction to trigger. No public exploit code or active exploitation has been identified at the time of analysis, with an EPSS score of 0.03% indicating low exploitation probability.

XSS Blog Filter
NVD
CVE-2026-39508
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting (XSS) in Advanced Coupons for WooCommerce Coupons plugin (versions up to 4.7.1.1) allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the same privileges as the site context, affecting confidentiality, integrity, and availability of the WordPress installation. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating low real-world exploitation probability despite the moderate CVSS 6.5 rating.

XSS WordPress Advanced Coupons For Woocommerce Coupons
NVD
CVE-2026-39500
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS. This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.2.

WordPress PHP XSS +1
NVD