XSS
Monthly
The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 4.4 MEDIUM]
Email Customizer for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
The AI BotKit - AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the `ai_botkit_widget` shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. [CVSS 6.4 MEDIUM]
The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Premmerce WooCommerce Customers Manager (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS.This issue affects WPCHURCH: from n/a through 2.7.0. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH UiChemy uichemy allows Stored XSS.This issue affects UiChemy: from n/a through <= 4.4.2. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements allows DOM-Based XSS.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.11.0. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion accordions-wp allows Stored XSS.This issue affects Accordion: from n/a through <= 3.0.3. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.This issue affects Team Showcase: from n/a through <= 2.9. [CVSS 5.4 MEDIUM]
WPFactory Wishlist for WooCommerce wish-list-for-woocommerce is affected by cross-site scripting (xss) (CVSS 6.5).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins JobBank allows Reflected XSS.This issue affects JobBank: from n/a through 1.2.2. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 themes Photo Gallery allows Reflected XSS.This issue affects Photo Gallery: from n/a through 2.7.7.26. [CVSS 7.1 HIGH]
Lack of output escaping leads to a XSS vector in the pagebreak plugin. [CVSS 6.1 MEDIUM]
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r - Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS.This issue affects AdsPlace'r - Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS.This issue affects Header Image Slider: from n/a through 0.3. [CVSS 7.1 HIGH]
Sony BRAVIA Digital Signage 1.7.8 contains a remote file inclusion vulnerability that allows attackers to inject arbitrary client-side scripts through the content material URL parameter. [CVSS 6.1 MEDIUM]
The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Table Field Add-on for ACF and SCF (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. [CVSS 6.4 MEDIUM]
The ForumWP - Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). [CVSS 7.2 HIGH]
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. [CVSS 8.1 HIGH]
PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. [CVSS 4.3 MEDIUM]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. [CVSS 8.0 HIGH]
An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser [CVSS 5.4 MEDIUM]
A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. [CVSS 7.5 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan Dokan Pro allows Stored XSS.This issue affects Dokan Pro: from n/a through 3.14.5. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Corourke iPhone Webclip Manager allows Stored XSS.This issue affects iPhone Webclip Manager: from n/a through 0.5. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tumult Inc Tumult Hype Animations allows DOM-Based XSS.This issue affects Tumult Hype Animations: from n/a through 1.9.11. [CVSS 7.1 HIGH]
Zimbra Collaboration Suite (ZCS) 10.x contains a stored XSS vulnerability in the Classic UI that allows attackers to execute arbitrary JavaScript through CSS @import directives in HTML emails. KEV-listed, this vulnerability (CVE-2025-66376) enables session hijacking and account takeover when administrators or users view malicious emails, making it a high-value target for email-based espionage campaigns.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]
Dynamic Service Management versions up to 25.10.1 is affected by cross-site scripting (xss) (CVSS 6.8).
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.3.3. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS.This issue affects Machic Core: from n/a through 1.2.6. [CVSS 7.1 HIGH]
A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. [CVSS 3.5 LOW]
A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. [CVSS 3.5 LOW]
Online Product Reservation System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]
A vulnerability was found in SourceCodester API Key Manager App 1.0. Affected by this vulnerability is an unknown functionality of the component Import Key Handler. [CVSS 3.5 LOW]
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components.
FlexTable WordPre versions up to 3.19.2 contains a vulnerability that allows attackers to high privilege users such as admin to perform Stored Cross-Site Scripting attack (CVSS 3.5).
A vulnerability was detected in zhanglun lettura up to 0.1.22. This issue affects some unknown processing of the file src/components/ArticleView/ContentRender.tsx of the component RSS Handler. The manipulation results in cross site scripting. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is now publ...
A weakness has been identified in xnx3 wangmarket up to 4.9. This affects the function variableList of the file /admin/system/variableList.do of the component Backend Variable Search. [CVSS 2.4 LOW]
A security flaw has been discovered in xnx3 wangmarket up to 4.9. Affected by this issue is some unknown functionality of the file /admin/system/variableSave.do of the component System Variables Page. [CVSS 2.4 LOW]
Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. [CVSS 5.4 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS).This issue affects Artifactory (Workers): from >=7.94.0 through <7.117.10. [CVSS 4.9 MEDIUM]
Stored XSS in Listmonk before version 6.0.0 allows authenticated users with campaign management permissions to inject malicious JavaScript that executes when administrators preview campaigns or templates, enabling privilege escalation attacks such as creating backdoor admin accounts. Public exploit code exists for this vulnerability, and the attack surface expands through the public archive feature where victims need only visit a link to trigger the payload. Version 6.0.0 addresses this flaw, though patches are currently unavailable for earlier versions.
Stored XSS in Bagisto's CMS page editor allows authenticated attackers to bypass input sanitization by crafting malicious HTTP requests, enabling persistent JavaScript injection that executes when administrators view or edit pages. Public exploit code exists for this vulnerability, creating high-risk scenarios including admin account compromise and backend system hijacking. Bagisto versions prior to 2.3.10 are affected, and no patch is currently available for the underlying Laravel platform.
Stored XSS in Emlog 2.5.23 allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to administrative account compromise. Public exploit code exists for this vulnerability, and no patched version is currently available. The attack requires user interaction and can affect any Emlog installation running the vulnerable version.
Stored XSS in Emlog 2.5.23's media library function allows authenticated attackers to inject malicious scripts when publishing articles, which execute in other users' browsers with scope crossing enabled. Public exploit code exists for this vulnerability, and no patched version is currently available. Successful exploitation requires user interaction and grants attackers the ability to steal session data or perform actions on behalf of affected users.
Emlog 2.5.23 is vulnerable to CSRF in article creation, which chains with stored XSS to achieve account takeover. An attacker can force an admin to create an article containing malicious JavaScript that steals their session. No patch available.
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. [CVSS 6.1 MEDIUM]
A cross-site scripting (XSS) vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. [CVSS 6.1 MEDIUM]
A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. [CVSS 3.5 LOW]
The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. [CVSS 6.1 MEDIUM]
Logo Slider WordPre versions up to 4.9.0 contains a vulnerability that allows attackers to users with the contributor role and above to perform Stored Cross-Site Scripting (CVSS 6.1).
A vulnerability was found in xnx3 wangmarket up to 6.4. This affects an unknown function of the file /siteVar/save.do of the component Add Global Variable Handler. [CVSS 2.4 LOW]
Reflected cross-site scripting (XSS) in osuthorpe Easy Social WordPress plugin version 1.3 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exists in improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.01%) suggests minimal real-world attack probability despite the theoretical attack surface.
Reflected Cross-site Scripting (XSS) in nebelhorn Blappsta Mobile App Plugin for WordPress affects versions through 0.8.8.8, allowing unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper input neutralization during page generation. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is low, and no public exploit code or active exploitation has been identified at time of analysis.
Reflected cross-site scripting (XSS) in ZD Scribd iPaper WordPress plugin version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation (CWE-79). With an EPSS score of 0.04% indicating low exploitation probability and no public proof-of-concept or active exploitation confirmed, this represents a lower-priority vulnerability despite the XSS classification, though it remains exploitable if a malicious link is crafted and social-engineered to victims.
Reflected cross-site scripting (XSS) in ZhinaTwitterWidget WordPress plugin version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers. No public exploit code or active exploitation has been identified at the time of analysis.
Reflected cross-site scripting (XSS) in En Masse WordPress plugin versions 1.0 and earlier allows unauthenticated remote attackers to inject arbitrary JavaScript into web pages viewed by other users. The vulnerability exists due to improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute scripts in the context of affected websites. No active exploitation has been confirmed, and real-world risk is low given the EPSS score of 0.04% (14th percentile), though the plugin's accessibility to any WordPress installation creates potential for attack.
Reflected Cross-Site Scripting (XSS) in Zielke Design Project Gallery WordPress plugin through version 2.5.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at time of analysis, but the low EPSS score (0.04%, 14th percentile) suggests minimal real-world exploitation activity despite the vulnerability's presence in a widely-deployed WordPress plugin.
Reflected cross-site scripting (XSS) in the front-end-post-edit WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the XSS vector being a common attack method.
Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.
Stored cross-site scripting (XSS) in the eleopard Behance Portfolio Manager WordPress plugin versions 1.7.5 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other users visiting affected pages. The vulnerability stems from improper input sanitization during portfolio content generation, enabling attackers with contributor-level access or higher to compromise site visitors. No public exploit code or active exploitation has been reported, though the vulnerability carries a low EPSS score (0.04%, percentile 13%) suggesting limited real-world exploitation likelihood at time of analysis.
The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 4.4 MEDIUM]
Email Customizer for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
The AI BotKit - AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the `ai_botkit_widget` shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. [CVSS 6.4 MEDIUM]
The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Premmerce WooCommerce Customers Manager (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS.This issue affects WPCHURCH: from n/a through 2.7.0. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH UiChemy uichemy allows Stored XSS.This issue affects UiChemy: from n/a through <= 4.4.2. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements allows DOM-Based XSS.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.11.0. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion accordions-wp allows Stored XSS.This issue affects Accordion: from n/a through <= 3.0.3. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.This issue affects Team Showcase: from n/a through <= 2.9. [CVSS 5.4 MEDIUM]
WPFactory Wishlist for WooCommerce wish-list-for-woocommerce is affected by cross-site scripting (xss) (CVSS 6.5).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins JobBank allows Reflected XSS.This issue affects JobBank: from n/a through 1.2.2. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 themes Photo Gallery allows Reflected XSS.This issue affects Photo Gallery: from n/a through 2.7.7.26. [CVSS 7.1 HIGH]
Lack of output escaping leads to a XSS vector in the pagebreak plugin. [CVSS 6.1 MEDIUM]
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. [CVSS 6.1 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r - Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS.This issue affects AdsPlace'r - Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS.This issue affects Header Image Slider: from n/a through 0.3. [CVSS 7.1 HIGH]
Sony BRAVIA Digital Signage 1.7.8 contains a remote file inclusion vulnerability that allows attackers to inject arbitrary client-side scripts through the content material URL parameter. [CVSS 6.1 MEDIUM]
The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Table Field Add-on for ACF and SCF (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. [CVSS 6.4 MEDIUM]
The ForumWP - Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). [CVSS 7.2 HIGH]
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. [CVSS 8.1 HIGH]
PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. [CVSS 4.3 MEDIUM]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. [CVSS 8.0 HIGH]
An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser [CVSS 5.4 MEDIUM]
A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. [CVSS 7.5 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan Dokan Pro allows Stored XSS.This issue affects Dokan Pro: from n/a through 3.14.5. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Corourke iPhone Webclip Manager allows Stored XSS.This issue affects iPhone Webclip Manager: from n/a through 0.5. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tumult Inc Tumult Hype Animations allows DOM-Based XSS.This issue affects Tumult Hype Animations: from n/a through 1.9.11. [CVSS 7.1 HIGH]
Zimbra Collaboration Suite (ZCS) 10.x contains a stored XSS vulnerability in the Classic UI that allows attackers to execute arbitrary JavaScript through CSS @import directives in HTML emails. KEV-listed, this vulnerability (CVE-2025-66376) enables session hijacking and account takeover when administrators or users view malicious emails, making it a high-value target for email-based espionage campaigns.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]
Dynamic Service Management versions up to 25.10.1 is affected by cross-site scripting (xss) (CVSS 6.8).
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.3.3. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS.This issue affects Machic Core: from n/a through 1.2.6. [CVSS 7.1 HIGH]
A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. [CVSS 3.5 LOW]
A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. [CVSS 3.5 LOW]
Online Product Reservation System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]
A vulnerability was found in SourceCodester API Key Manager App 1.0. Affected by this vulnerability is an unknown functionality of the component Import Key Handler. [CVSS 3.5 LOW]
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components.
FlexTable WordPre versions up to 3.19.2 contains a vulnerability that allows attackers to high privilege users such as admin to perform Stored Cross-Site Scripting attack (CVSS 3.5).
A vulnerability was detected in zhanglun lettura up to 0.1.22. This issue affects some unknown processing of the file src/components/ArticleView/ContentRender.tsx of the component RSS Handler. The manipulation results in cross site scripting. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is now publ...
A weakness has been identified in xnx3 wangmarket up to 4.9. This affects the function variableList of the file /admin/system/variableList.do of the component Backend Variable Search. [CVSS 2.4 LOW]
A security flaw has been discovered in xnx3 wangmarket up to 4.9. Affected by this issue is some unknown functionality of the file /admin/system/variableSave.do of the component System Variables Page. [CVSS 2.4 LOW]
Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. [CVSS 5.4 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS).This issue affects Artifactory (Workers): from >=7.94.0 through <7.117.10. [CVSS 4.9 MEDIUM]
Stored XSS in Listmonk before version 6.0.0 allows authenticated users with campaign management permissions to inject malicious JavaScript that executes when administrators preview campaigns or templates, enabling privilege escalation attacks such as creating backdoor admin accounts. Public exploit code exists for this vulnerability, and the attack surface expands through the public archive feature where victims need only visit a link to trigger the payload. Version 6.0.0 addresses this flaw, though patches are currently unavailable for earlier versions.
Stored XSS in Bagisto's CMS page editor allows authenticated attackers to bypass input sanitization by crafting malicious HTTP requests, enabling persistent JavaScript injection that executes when administrators view or edit pages. Public exploit code exists for this vulnerability, creating high-risk scenarios including admin account compromise and backend system hijacking. Bagisto versions prior to 2.3.10 are affected, and no patch is currently available for the underlying Laravel platform.
Stored XSS in Emlog 2.5.23 allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to administrative account compromise. Public exploit code exists for this vulnerability, and no patched version is currently available. The attack requires user interaction and can affect any Emlog installation running the vulnerable version.
Stored XSS in Emlog 2.5.23's media library function allows authenticated attackers to inject malicious scripts when publishing articles, which execute in other users' browsers with scope crossing enabled. Public exploit code exists for this vulnerability, and no patched version is currently available. Successful exploitation requires user interaction and grants attackers the ability to steal session data or perform actions on behalf of affected users.
Emlog 2.5.23 is vulnerable to CSRF in article creation, which chains with stored XSS to achieve account takeover. An attacker can force an admin to create an article containing malicious JavaScript that steals their session. No patch available.
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. [CVSS 6.1 MEDIUM]
A cross-site scripting (XSS) vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. [CVSS 6.1 MEDIUM]
A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. [CVSS 3.5 LOW]
The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. [CVSS 6.1 MEDIUM]
Logo Slider WordPre versions up to 4.9.0 contains a vulnerability that allows attackers to users with the contributor role and above to perform Stored Cross-Site Scripting (CVSS 6.1).
A vulnerability was found in xnx3 wangmarket up to 6.4. This affects an unknown function of the file /siteVar/save.do of the component Add Global Variable Handler. [CVSS 2.4 LOW]
Reflected cross-site scripting (XSS) in osuthorpe Easy Social WordPress plugin version 1.3 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exists in improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.01%) suggests minimal real-world attack probability despite the theoretical attack surface.
Reflected Cross-site Scripting (XSS) in nebelhorn Blappsta Mobile App Plugin for WordPress affects versions through 0.8.8.8, allowing unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper input neutralization during page generation. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is low, and no public exploit code or active exploitation has been identified at time of analysis.
Reflected cross-site scripting (XSS) in ZD Scribd iPaper WordPress plugin version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation (CWE-79). With an EPSS score of 0.04% indicating low exploitation probability and no public proof-of-concept or active exploitation confirmed, this represents a lower-priority vulnerability despite the XSS classification, though it remains exploitable if a malicious link is crafted and social-engineered to victims.
Reflected cross-site scripting (XSS) in ZhinaTwitterWidget WordPress plugin version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers. No public exploit code or active exploitation has been identified at the time of analysis.
Reflected cross-site scripting (XSS) in En Masse WordPress plugin versions 1.0 and earlier allows unauthenticated remote attackers to inject arbitrary JavaScript into web pages viewed by other users. The vulnerability exists due to improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute scripts in the context of affected websites. No active exploitation has been confirmed, and real-world risk is low given the EPSS score of 0.04% (14th percentile), though the plugin's accessibility to any WordPress installation creates potential for attack.
Reflected Cross-Site Scripting (XSS) in Zielke Design Project Gallery WordPress plugin through version 2.5.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at time of analysis, but the low EPSS score (0.04%, 14th percentile) suggests minimal real-world exploitation activity despite the vulnerability's presence in a widely-deployed WordPress plugin.
Reflected cross-site scripting (XSS) in the front-end-post-edit WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the XSS vector being a common attack method.
Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.
Stored cross-site scripting (XSS) in the eleopard Behance Portfolio Manager WordPress plugin versions 1.7.5 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other users visiting affected pages. The vulnerability stems from improper input sanitization during portfolio content generation, enabling attackers with contributor-level access or higher to compromise site visitors. No public exploit code or active exploitation has been reported, though the vulnerability carries a low EPSS score (0.04%, percentile 13%) suggesting limited real-world exploitation likelihood at time of analysis.