XSS

10057 CVEs technique

Monthly

CVE-2018-25132 MEDIUM POC This Month

MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget. [CVSS 6.1 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2018-25116 MEDIUM POC This Month

custom text input field for thread redirects. Attackers can inject malicious SVG scripts is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD GitHub Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-24632 MEDIUM This Month

DOM-based cross-site scripting (XSS) in the Delay Redirects browser extension through version 1.0.0 enables attackers to inject malicious scripts that execute in users' browsers. An attacker can exploit this vulnerability to steal sensitive data, session cookies, or perform actions on behalf of affected users. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24630 MEDIUM This Month

Design Stylish Cost Calculator stylish-cost-calculator is affected by cross-site scripting (XSS) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24629 MEDIUM This Month

Stored cross-site scripting in Ability Inc's Web Accessibility with Max Access toolbar (versions through 2.1.0) enables authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. An attacker with administrative access could manipulate the toolbar to store XSS payloads that compromise confidentiality, integrity, and availability of the affected web application. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24626 MEDIUM This Month

Stored cross-site scripting in LogicHunt Logo Slider WordPress plugin versions up to 4.9.0 enables authenticated attackers with high privileges to inject malicious scripts that execute in other users' browsers. An attacker could leverage this to steal session tokens, deface content, or perform actions on behalf of affected users. No patch is currently available.

Golang XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24623 MEDIUM This Month

Reflected cross-site scripting (XSS) in Neoforum version 1.0 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers when they interact with crafted links, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and authenticated access, limiting its immediate impact but still posing a risk in multi-user forum environments. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24621 MEDIUM This Month

Vladimir Statsenko Terms descriptions terms-descriptions is affected by cross-site scripting (XSS) (CVSS 4.8).

XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-24620 MEDIUM This Month

PluginOps Landing Page Builder page-builder-add is affected by cross-site scripting (XSS) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24617 MEDIUM This Month

Stored XSS in Easy Modal WordPress plugin through version 2.1.0 enables authenticated attackers to inject malicious scripts that execute in the browsers of other users. An attacker with login credentials can store arbitrary JavaScript through improper input validation, affecting all visitors who view the compromised content. No patch is currently available to remediate this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24614 MEDIUM This Month

Devsbrain Flex QR Code Generator flex-qr-code-generator is affected by cross-site scripting (XSS) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24601 MEDIUM This Month

Stored XSS in Penci Pay Writer versions up to 1.5 allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising sensitive data or session information. The vulnerability stems from insufficient input validation during web page generation and requires user interaction to trigger. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24600 MEDIUM This Month

Stored cross-site scripting in PenciDesign Penci Review through version 3.5 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising user sessions and data. The vulnerability requires user interaction to trigger and affects the web application's page generation functionality. No patch is currently available.

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24594 MEDIUM This Month

livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer is affected by cross-site scripting (XSS) (CVSS 4.8).

XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-24591 MEDIUM This Month

yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion is affected by cross-site scripting (XSS) (CVSS 5.4).

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24584 MEDIUM This Month

Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration is affected by cross-site scripting (XSS) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24576 MEDIUM This Month

COP UX Flat through version 5.4.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages, affecting all users who view the compromised content. An attacker with user-level access can craft malicious input that persists in the application and executes in victims' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24564 MEDIUM This Month

Improper HTML tag sanitization in Israpil Textmetrics webtexttool versions up to 3.6.3 enables stored XSS attacks that allow authenticated users with high privileges to inject malicious scripts and compromise data confidentiality and integrity. An attacker with administrative access could inject code through web forms that executes in other users' browsers, potentially leading to session hijacking or credential theft. No patch is currently available for affected industrial deployments.

XSS
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24558 MEDIUM This Month

Stored XSS in ABG Rich Pins version 1.1 and earlier permits authenticated users to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with plugin access could deface content or steal session data from site visitors. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24555 MEDIUM This Month

Stored cross-site scripting in ArtPlacer Widget versions 2.23.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers when viewing affected web pages. An unauthenticated attacker can exploit improper input validation during web page generation to compromise user sessions and steal sensitive data. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24550 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Kaira Blockons versions up to 1.2.15 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session tokens or performing actions on their behalf. The vulnerability requires user interaction to trigger and has limited scope, but impacts both confidentiality and integrity. No patch is currently available.

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24528 MEDIUM This Month

DOM-based cross-site scripting in pixelgrade Nova Blocks through version 2.1.9 enables authenticated attackers to inject malicious scripts that execute in users' browsers with limited privileges. An attacker with valid credentials can craft requests to manipulate the page generation process, potentially compromising confidentiality, integrity, and availability across different security contexts. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24526 MEDIUM This Month

The Email Inquiry & Cart Options for WooCommerce plugin through version 3.4.3 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting improper input neutralization. An attacker with user-level access can craft requests that execute arbitrary JavaScript in victims' browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0914 MEDIUM This Month

Stored cross-site scripting in the WP DSGVO Tools WordPress plugin through version 3.1.36 allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via the 'lw_content_block' shortcode due to improper input sanitization. When visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-2204 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS). This issue affects Tap&Sign: through 23012026. [CVSS 4.7 MEDIUM]

XSS
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-14745 MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14069 MEDIUM This Month

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15522 MEDIUM This Month

The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0788 MEDIUM This Month

8180 Ip Audio Alerter Firmware versions up to 5.5 is affected by cross-site scripting (XSS) (CVSS 6.1).

Golang XSS 8180 Ip Audio Alerter Firmware
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-21264 CRITICAL Act Now

Microsoft Account has a cross-site scripting vulnerability allowing unauthenticated attackers to execute scripts in the context of Microsoft Account pages.

Microsoft XSS Account
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-9289 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator.

XSS Oc200 Firmware Oc400 Firmware Oc300 Firmware Oc220 Firmware +1
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-24389 MEDIUM This Month

WP Chill Gallery PhotoBlocks photoblocks-grid-gallery is affected by cross-site scripting (XSS) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24383 MEDIUM This Month

DOM-based cross-site scripting in bPlugins B Slider through version 2.0.6 enables authenticated attackers to inject malicious scripts that execute in users' browsers with network access. An attacker with user privileges can exploit improper input neutralization during web page generation to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24361 MEDIUM This Month

ThimPress LearnPress Course Review plugin through version 4.1.9 is vulnerable to stored cross-site scripting (XSS) that allows authenticated users with insufficient input validation to inject malicious scripts into course reviews. An attacker with user privileges can exploit this to execute arbitrary JavaScript in other users' browsers, potentially stealing session tokens or performing unauthorized actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24355 MEDIUM This Month

favethemes Houzez Theme - Functionality houzez-theme-functionality is affected by cross-site scripting (XSS) (CVSS 5.4).

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24354 MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Shortcodes & Performance plugin versions 6.1 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers. An attacker with user-level privileges can exploit improper input neutralization during page generation to steal session cookies, perform unauthorized actions, or deface content for affected users. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23976 HIGH This Week

WP Chill Modula Image Gallery modula-best-grid-gallery is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22463 MEDIUM This Month

Stored XSS in Micro.company Form to Chat App versions up to 1.2.5 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data and stealing sensitive information. The vulnerability stems from insufficient input sanitization during form processing and requires user interaction to trigger. No patch is currently available for this medium-severity flaw.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22388 MEDIUM This Month

Stored XSS in Owl Carousel WP through version 2.2.2 allows authenticated users with high privileges to inject malicious scripts that persist in web pages and execute in visitors' browsers. An attacker with administrative access could exploit improper input sanitization to compromise site visitor sessions or steal sensitive data. A patch is not currently available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-22353 MEDIUM This Month

Stored XSS in teachPress through version 9.0.12 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data and performing unauthorized actions within the application. The vulnerability requires user interaction to trigger and can affect multiple users across the application scope. No security patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22349 MEDIUM This Month

The Menu In Post plugin for Linux through version 1.4.1 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker with user-level access can exploit this to steal session tokens, deface content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

Linux XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22347 MEDIUM This Month

subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider is affected by cross-site scripting (XSS) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0535 HIGH PATCH This Week

Stored XSS in Autodesk Fusion allows attackers to inject malicious HTML into component descriptions that executes when users click the payload, enabling local file theft or arbitrary code execution on affected systems. The vulnerability requires user interaction and local access but carries high impact due to the ability to compromise the desktop application's security context. A patch is available for remediation.

XSS Fusion
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-0534 HIGH PATCH This Week

Stored XSS in Autodesk Fusion allows attackers to inject malicious HTML into part attributes that executes when users interact with crafted files, potentially enabling local file access or arbitrary code execution. This desktop application vulnerability requires user interaction but can compromise system integrity through malicious file sharing. A patch is available.

XSS Fusion
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-0533 HIGH PATCH This Week

Stored XSS in Autodesk Fusion's design name field allows attackers to inject malicious HTML that executes when users view the delete confirmation dialog, potentially enabling arbitrary code execution or local file access on affected systems. An attacker must first craft a malicious design name that gets stored in the application, then socially engineer a user to interact with the deletion prompt to trigger the payload. A patch is available to address this vulnerability.

XSS Fusion
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69321 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS. This issue affects Grand Spa: from n/a through <= 3.5.5. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69320 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS. This issue affects Grand Magazine: from n/a through <= 3.5.7. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69318 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hossni Mubarak JobWP jobwp allows Stored XSS. This issue affects JobWP: from n/a through <= 2.4.5. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69317 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69316 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69102 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS. This issue affects WP Test Email: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69098 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69056 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS. This issue affects Hotel Listing: from n/a through <= 1.4.0. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69054 HIGH This Week

highwarden Super Logos Showcase superlogoshowcase-wp is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69053 HIGH This Week

LambertGroup Universal Video Player universal-video-player is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69051 HIGH This Week

CridioStudio ListingPro Reviews listingpro-reviews is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69048 HIGH This Week

LambertGroup Universal Video Player universal-video-player is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69003 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68906 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68904 HIGH This Week

jegtheme JNews - Frontend Submit jnews-frontend-submit is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68900 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows DOM-Based XSS. This issue affects Enfold: from n/a through <= 7.1.3. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68898 MEDIUM This Month

cjjparadoxmax Synergy Project Manager synergy-project-manager is affected by cross-site scripting (XSS) (CVSS 5.8).

XSS
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-68894 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68884 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68883 HIGH This Week

extremeidea bidorbuy Store Integrator bidorbuystoreintegrator is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68871 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noCreativity Dooodl dooodl allows Reflected XSS. This issue affects Dooodl: from n/a through <= 2.3.0. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68866 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woofer696 Dinatur dinatur allows Stored XSS. This issue affects Dinatur: from n/a through <= 1.18. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68864 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.14.50. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68859 HIGH This Week

agmorpheus Syntax Highlighter Compress syntax-highlighter-compress is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68858 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS. This issue affects wpCAS: from n/a through <= 1.07. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68849 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68839 HIGH This Week

Remi Corson Easy Theme Options easy-theme-options is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68838 HIGH This Week

expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68835 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matiskiba Ravpage ravpage allows Reflected XSS. This issue affects Ravpage: from n/a through <= 2.33. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68538 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68520 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS. This issue affects DotLife: from n/a through < 4.9.5. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68518 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Hoteller hoteller allows Reflected XSS. This issue affects Hoteller: from n/a through < 6.8.9. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68041 HIGH This Week

codisto Omnichannel for WooCommerce codistoconnect is affected by cross-site scripting (XSS) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68012 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS. This issue affects CodeColorer: from n/a through <= 0.10.1. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68011 HIGH This Week

GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce is affected by cross-site scripting (XSS) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68010 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in netgsm Netgsm netgsm allows Reflected XSS. This issue affects Netgsm: from n/a through <= 2.9.63. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68008 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68004 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS. This issue affects My Post Order: from n/a through <= 1.2.1.1. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67964 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67960 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS. This issue affects WorkScout-Core: from n/a through <= 1.7.06. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67959 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS. This issue affects WorkScout: from n/a through <= 4.1.07. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67952 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67949 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 94.3.6. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67947 HIGH This Week

scriptsbundle AdForest Elementor adforest-elementor is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67943 HIGH This Week

wphocus My auctions allegro my-auctions-allegro-free-edition is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM POC This Month

MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget. [CVSS 6.1 MEDIUM]

XSS
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

custom text input field for thread redirects. Attackers can inject malicious SVG scripts is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.9
MEDIUM This Month

DOM-based cross-site scripting (XSS) in the Delay Redirects browser extension through version 1.0.0 enables attackers to inject malicious scripts that execute in users' browsers. An attacker can exploit this vulnerability to steal sensitive data, session cookies, or perform actions on behalf of affected users. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Design Stylish Cost Calculator stylish-cost-calculator is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored cross-site scripting in Ability Inc's Web Accessibility with Max Access toolbar (versions through 2.1.0) enables authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. An attacker with administrative access could manipulate the toolbar to store XSS payloads that compromise confidentiality, integrity, and availability of the affected web application. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored cross-site scripting in LogicHunt Logo Slider WordPress plugin versions up to 4.9.0 enables authenticated attackers with high privileges to inject malicious scripts that execute in other users' browsers. An attacker could leverage this to steal session tokens, deface content, or perform actions on behalf of affected users. No patch is currently available.

Golang XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Reflected cross-site scripting (XSS) in Neoforum version 1.0 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers when they interact with crafted links, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and authenticated access, limiting its immediate impact but still posing a risk in multi-user forum environments. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Vladimir Statsenko Terms descriptions terms-descriptions is affected by cross-site scripting (xss) (CVSS 4.8).

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

PluginOps Landing Page Builder page-builder-add is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored XSS in Easy Modal WordPress plugin through version 2.1.0 enables authenticated attackers to inject malicious scripts that execute in the browsers of other users. An attacker with login credentials can store arbitrary JavaScript through improper input validation, affecting all visitors who view the compromised content. No patch is currently available to remediate this vulnerability.

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Devsbrain Flex QR Code Generator flex-qr-code-generator is affected by cross-site scripting (XSS) (CVSS 5.9).

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in Penci Pay Writer versions up to 1.5 allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising sensitive data or session information. The vulnerability stems from insufficient input validation during web page generation and requires user interaction to trigger. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in PenciDesign Penci Review through version 3.5 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising user sessions and data. The vulnerability requires user interaction to trigger and affects the web application's page generation functionality. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer is affected by cross-site scripting (XSS) (CVSS 4.8).

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion is affected by cross-site scripting (XSS) (CVSS 5.4).

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration is affected by cross-site scripting (XSS) (CVSS 5.9).

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

COP UX Flat through version 5.4.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages, affecting all users who view the compromised content. An attacker with user-level access can craft malicious input that persists in the application and executes in victims' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper HTML tag sanitization in Israpil Textmetrics webtexttool versions up to 3.6.3 enables stored XSS attacks that allow authenticated users with high privileges to inject malicious scripts and compromise data confidentiality and integrity. An attacker with administrative access could inject code through web forms that executes in other users' browsers, potentially leading to session hijacking or credential theft. No patch is currently available for affected industrial deployments.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in ABG Rich Pins version 1.1 and earlier permits authenticated users to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with plugin access could deface content or steal session data from site visitors. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting in ArtPlacer Widget versions 2.23.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers when viewing affected web pages. An unauthenticated attacker can exploit improper input validation during web page generation to compromise user sessions and steal sensitive data. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Kaira Blockons versions up to 1.2.15 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session tokens or performing actions on their behalf. The vulnerability requires user interaction to trigger and has limited scope, but impacts both confidentiality and integrity. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in pixelgrade Nova Blocks through version 2.1.9 enables authenticated attackers to inject malicious scripts that execute in users' browsers with limited privileges. An attacker with valid credentials can craft requests to manipulate the page generation process, potentially compromising confidentiality, integrity, and availability across different security contexts. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Email Inquiry & Cart Options for WooCommerce plugin through version 3.4.3 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting improper input neutralization. An attacker with user-level access can craft requests that execute arbitrary JavaScript in victims' browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the WP DSGVO Tools WordPress plugin through version 3.1.36 allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via the 'lw_content_block' shortcode due to improper input sanitization. When visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS). This issue affects Tap&Sign: through 23012026. [CVSS 4.7 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

8180 Ip Audio Alerter Firmware versions up to 5.5 are affected by cross-site scripting (XSS) (CVSS 6.1).

Golang XSS 8180 Ip Audio Alerter Firmware
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Microsoft Account has a cross-site scripting vulnerability allowing unauthenticated attackers to execute scripts in the context of Microsoft Account pages.

Microsoft XSS Account
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator.

XSS Oc200 Firmware Oc400 Firmware +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

WP Chill Gallery PhotoBlocks photoblocks-grid-gallery is affected by cross-site scripting (XSS) (CVSS 6.5).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in bPlugins B Slider through version 2.0.6 enables authenticated attackers to inject malicious scripts that execute in users' browsers with network access. An attacker with user privileges can exploit improper input neutralization during web page generation to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

ThimPress LearnPress Course Review plugin through version 4.1.9 is vulnerable to stored cross-site scripting (XSS): insufficient input validation allows authenticated users to inject malicious scripts into course reviews. An attacker with user privileges can exploit this to execute arbitrary JavaScript in other users' browsers, potentially stealing session tokens or performing unauthorized actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

favethemes Houzez Theme - Functionality houzez-theme-functionality is affected by cross-site scripting (XSS) (CVSS 5.4).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Shortcodes & Performance plugin versions 6.1 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers. An attacker with user-level privileges can exploit improper input neutralization during page generation to steal session cookies, perform unauthorized actions, or deface content for affected users. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

WP Chill Modula Image Gallery modula-best-grid-gallery is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored XSS in Micro.company Form to Chat App versions up to 1.2.5 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data and stealing sensitive information. The vulnerability stems from insufficient input sanitization during form processing and requires user interaction to trigger. No patch is currently available for this medium-severity flaw.

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in Owl Carousel WP through version 2.2.2 allows authenticated users with high privileges to inject malicious scripts that persist in web pages and execute in visitors' browsers. An attacker with administrative access could exploit improper input sanitization to compromise site visitor sessions or steal sensitive data. A patch is not currently available.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored XSS in teachPress through version 9.0.12 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data and performing unauthorized actions within the application. The vulnerability requires user interaction to trigger and can affect multiple users across the application scope. No security patch is currently available for affected installations.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Menu In Post plugin for Linux through version 1.4.1 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker with user-level access can exploit this to steal session tokens, deface content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

Linux XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider is affected by cross-site scripting (XSS) (CVSS 6.5).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored XSS in Autodesk Fusion allows attackers to inject malicious HTML into component descriptions that executes when users click the payload, enabling local file theft or arbitrary code execution on affected systems. The vulnerability requires user interaction and local access but carries high impact due to the ability to compromise the desktop application's security context. A patch is available for remediation.

XSS Fusion
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored XSS in Autodesk Fusion allows attackers to inject malicious HTML into part attributes that executes when users interact with crafted files, potentially enabling local file access or arbitrary code execution. This desktop application vulnerability requires user interaction but can compromise system integrity through malicious file sharing. A patch is available.

XSS Fusion
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored XSS in Autodesk Fusion's design name field allows attackers to inject malicious HTML that executes when users view the delete confirmation dialog, potentially enabling arbitrary code execution or local file access on affected systems. An attacker must first craft a malicious design name that gets stored in the application, then socially engineer a user to interact with the deletion prompt to trigger the payload. A patch is available to address this vulnerability.

XSS Fusion
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS. This issue affects Grand Spa: from n/a through <= 3.5.5. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS. This issue affects Grand Magazine: from n/a through <= 3.5.7. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hossni Mubarak JobWP jobwp allows Stored XSS. This issue affects JobWP: from n/a through <= 2.4.5. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS. This issue affects WP Test Email: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS. This issue affects Hotel Listing: from n/a through <= 1.4.0. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

highwarden Super Logos Showcase superlogoshowcase-wp is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

LambertGroup Universal Video Player universal-video-player is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CridioStudio ListingPro Reviews listingpro-reviews is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

LambertGroup Universal Video Player universal-video-player is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

jegtheme JNews - Frontend Submit jnews-frontend-submit is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows DOM-Based XSS. This issue affects Enfold: from n/a through <= 7.1.3. [CVSS 6.5 MEDIUM]

XSS
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

cjjparadoxmax Synergy Project Manager synergy-project-manager is affected by cross-site scripting (XSS) (CVSS 5.8).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

extremeidea bidorbuy Store Integrator bidorbuystoreintegrator is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noCreativity Dooodl dooodl allows Reflected XSS. This issue affects Dooodl: from n/a through <= 2.3.0. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woofer696 Dinatur dinatur allows Stored XSS. This issue affects Dinatur: from n/a through <= 1.18. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.14.50. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

agmorpheus Syntax Highlighter Compress syntax-highlighter-compress is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS. This issue affects wpCAS: from n/a through <= 1.07. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Remi Corson Easy Theme Options easy-theme-options is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matiskiba Ravpage ravpage allows Reflected XSS. This issue affects Ravpage: from n/a through <= 2.33. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS. This issue affects DotLife: from n/a through < 4.9.5. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Hoteller hoteller allows Reflected XSS. This issue affects Hoteller: from n/a through < 6.8.9. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

codisto Omnichannel for WooCommerce codistoconnect is affected by cross-site scripting (XSS) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS. This issue affects CodeColorer: from n/a through <= 0.10.1. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce is affected by cross-site scripting (XSS) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in netgsm Netgsm netgsm allows Reflected XSS. This issue affects Netgsm: from n/a through <= 2.9.63. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS. This issue affects My Post Order: from n/a through <= 1.2.1.1. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS. This issue affects WorkScout-Core: from n/a through <= 1.7.06. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS. This issue affects WorkScout: from n/a through <= 4.1.07. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 94.3.6. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

scriptsbundle AdForest Elementor adforest-elementor is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

wphocus My auctions allegro my-auctions-allegro-free-edition is affected by cross-site scripting (XSS) (CVSS 7.1).

XSS
NVD