XSS

Stored Cross-Site Scripting in WP Job Portal plugin for WordPress up to version 2.4.4 allows authenticated attackers with Editor-level access or higher to inject arbitrary JavaScript into job description fields by exploiting explicit whitelisting of the `<script>` tag in the WPJOBPORTAL_ALLOWED_TAGS configuration. The injected scripts execute when users view affected job listings, enabling session hijacking, credential theft, and other malicious activities. Impact is limited to multi-site installations or sites with unfiltered_html disabled. CVSS score of 4.4 reflects the high privilege requirement (PR:H) and high attack complexity (AC:H), though the vulnerability affects a potentially large number of WordPress installations.

Stored Cross-Site Scripting in Bold Timeline Lite WordPress plugin up to version 1.2.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'bold_timeline_group' shortcode, executing malicious scripts whenever users view affected pages. CVSS 6.4 reflects moderate impact (confidentiality and integrity compromise across trust boundaries); EPSS 0.04% indicates low real-world exploitation probability. No public exploit code or active exploitation confirmed.

Stored Cross-Site Scripting in BUKAZU Search widget plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript through the 'shortcode' parameter of the 'bukazu_search' shortcode. The vulnerability affects all versions up to and including 3.3.2 and results from insufficient input sanitization and output escaping. Malicious scripts execute in the context of any user accessing affected pages. EPSS score of 0.04% indicates low real-world exploitation probability despite moderate CVSS 6.4 severity.

Stored Cross-Site Scripting in NewStatPress WordPress plugin versions up to 1.4.3 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript into pages via a regex bypass in the nsp_shortcode function. When site visitors access pages containing the injected malicious shortcode attribute, the attacker's script executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified; EPSS score of 0.04% reflects the requirement for authenticated access and user interaction.

Reflected cross-site scripting (XSS) in Accept Stripe Payments Using Contact Form 7 WordPress plugin versions up to 3.1 allows unauthenticated attackers to inject arbitrary JavaScript via the 'failure_message' parameter due to insufficient input sanitization and output escaping. An attacker can craft a malicious link that, when clicked by a victim, executes JavaScript in the victim's browser session with access to sensitive data or session tokens. No public exploit code or active exploitation has been confirmed at the time of analysis.

Stored cross-site scripting in Better Elementor Addons plugin for WordPress up to version 1.5.5 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript through insufficiently sanitized Slider widget attributes, which executes when any user views the affected page. This is a stored XSS vulnerability affecting a widely-deployed WordPress plugin; no public exploit code or active exploitation has been confirmed at time of analysis, but the low CVSS complexity (AC:L) and moderate EPSS exploitation probability make this a practical concern for any WordPress site running the vulnerable plugin versions with user roles permitted to edit pages.

Shopware, an open commerce platform, contains a reflected cross-site scripting (XSS) vulnerability in its authentication controller where the 'waitTime' URL parameter from the login page is rendered directly into the Twig template without validation or sanitization. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 are affected, allowing attackers to inject malicious JavaScript code through crafted URLs. With an EPSS score of only 0.04% (11th percentile), active exploitation appears low despite the availability of patches and public advisories.

DOM-based cross-site scripting (XSS) in muffingroup Betheme WordPress theme versions up to 28.2 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected installations; EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been confirmed.

DOM-based cross-site scripting in Dream-Theme The7 WordPress theme versions before 12.9.0 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers via improperly sanitized input during web page generation. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world exploitability despite a moderate CVSS score of 6.5. EPSS exploitation probability is low at 0.04th percentile, and no public exploit code or active exploitation has been reported.

Improper HTML tag neutralization in sevenspark Contact Form 7 - Dynamic Text Extension through version 5.0.5 allows unauthenticated remote attackers to inject malicious scripts via a network-based attack with no user interaction required, resulting in confidentiality compromise through information disclosure. The vulnerability is classified as cross-site scripting (XSS) with low exploitability probability (EPSS 0.06%, percentile 18%), suggesting limited real-world attack incentive despite the network-accessible attack vector.

Stored cross-site scripting (XSS) in Porto Theme - Functionality plugin for WordPress allows authenticated users with low privileges to inject malicious scripts into web pages that execute in the browsers of other site visitors. The vulnerability affects Porto Theme - Functionality versions below 3.7.3 and has a low exploitation probability (EPSS 0.01%), but requires user interaction and authenticated access to exploit, limiting immediate risk to well-managed WordPress installations with access controls.

DOM-Based Cross-Site Scripting (XSS) in KALLYAS WordPress theme versions below 4.25.0 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users, potentially stealing session cookies, credentials, or performing unauthorized actions on their behalf. The vulnerability requires user interaction (clicking a malicious link) and affects the theme's web page generation routines. EPSS probability is 0.01% (very low), suggesting minimal real-world exploitation likelihood despite the moderate CVSS score of 6.5.

DOM-based cross-site scripting in WordPress plugin WP Ultimate Review versions ≤2.3.7 allows remote attackers to execute malicious JavaScript in victims' browsers via crafted input that is improperly sanitized during client-side page rendering. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering or malicious links. Exploitation probability is low (EPSS 0.04%, 14th percentile), with no public exploit identified at time of analysis and no confirmed active exploitation (not in CISA KEV).

Stored cross-site scripting (XSS) in Master Addons for Elementor through version 2.0.9.9.4 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or stealing sensitive data. The vulnerability requires user interaction (UI:R) and affects the plugin's input sanitization during web page generation. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a lower real-world risk despite the moderate CVSS base score of 6.5.

Stored cross-site scripting (XSS) in SimpLy Gallery WordPress plugin (versions up to 3.3.2.1) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially leading to session hijacking, credential theft, or site defacement. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

Stored XSS in Make Section & Column Clickable For Elementor WordPress plugin (versions through 2.4) allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects site confidentiality, integrity, and availability with limited scope. EPSS score of 0.04% indicates low exploitation probability despite the presence of a public vulnerability disclosure.

DOM-based cross-site scripting (XSS) in ThimPress WP Hotel Booking plugin versions up to 2.2.8 allows authenticated users with high privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting its real-world impact despite a moderate CVSS score of 5.9. EPSS exploitation probability is very low at 0.04%, indicating minimal practical attack likelihood.

Stored cross-site scripting (XSS) in Generic Elements for Elementor plugin versions 1.2.9 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a malicious link) and affects WordPress installations using this plugin. EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been identified.

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site.

A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller (firmware 1.5.1799).

Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input.

A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page.

Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page.

In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html).  This issue affects Vulnerability-Lookup: before 2.18.0.

A flaw has been found in GreenCMS 2.3.0603. Affected by this issue is some unknown functionality of the file /Admin/Controller/CustomController.class.php of the component Menu Management Page. This manipulation of the argument Link causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

A weakness has been identified in Yealink SIP-T21P E2 52.84.0.15. Impacted is an unknown function of the component Local Directory Page. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

A vulnerability was detected in SourceCodester Online Banking System 1.0. This impacts an unknown function of the file /?page=user. The manipulation of the argument First Name/Last Name results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.

A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is an unknown function of the file /membership_profile.php of the component Your Info Handler. Performing manipulation of the argument Full Name/Address/City/State results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

A vulnerability was found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected by this vulnerability is an unknown functionality of the file /dishsub.php. The manipulation of the argument item.name results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected is an unknown function of the file /usersub.php of the component Request Pending Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was identified in code-projects Employee Profile Management System 1.0. This issue affects some unknown processing of the file /view_personnel.php. The manipulation of the argument per_address/dr_school/other_school leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.

A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

The Rich Shortcodes for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contents of a Google Review in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in version 6.6.2.

The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_id' parameter of the [ultra_skype] shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [igp-wp] shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclap_button shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Cute News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the "No, I do not approve of this connection" button, granted they can successfully trick the victim into performing an action such as clicking on a link.

The Live Sales Notification for Woocommerce - Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The List Attachments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_list' parameter in the [list-attachments] shortcode in all versions up to, and including, 0.4.1a due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute in the admin panel (and potentially on the frontend) whenever a user accesses imported reviews, granted they can add a malicious review to a Google Place that is connected to the vulnerable site.

The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

TUUI is a desktop MCP client designed as a tool unitary utility integration.

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are stored in plugin configuration data and later rendered in the AddIns UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected AddIns entry, potentially enabling session compromise and unauthorized actions as the victim.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the rule fields min, max, and unit are stored and later rendered in rule listings or detail views without proper HTML sanitation. An attacker can inject malicious script into one or more of these fields, which is then executed in the browser context of users who view or interact with the affected rule, potentially enabling session compromise and unauthorized actions as the victim.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits Software Watchdog process rules for an agent, the monitored process name is stored in the settings array and later rendered in the Software Watchdog UI without proper HTML sanitation. An attacker can inject malicious script into the process name, which is then executed in the browser context of users who view or interact with the affected rules, potentially enabling session compromise and unauthorized actions as the victim.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected dashboard, potentially enabling session compromise and unauthorized actions as the victim.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored and later rendered in device listings or detail views without proper HTML sanitation. An attacker can inject malicious script into the device name, which is then executed in the browser context of users who view or interact with the affected device, potentially enabling session compromise and unauthorized actions as the victim.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected device group, potentially enabling session compromise and unauthorized actions as the victim.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later rendered in schedule listings without HTML sanitation. An attacker can inject malicious script into the schedule name, which is then executed in the browser context of users who view or interact with the affected schedule, potentially enabling session compromise and unauthorized actions as the victim.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/building endpoint. When an authenticated user creates a map entry, the name parameter is stored and later rendered in the map list UI without HTML sanitzation. An attacker can inject malicious script into the map entry name, which is then executed in the browser context of users who view or interact with the affected map entry, potentially enabling session compromise and unauthorized actions as the victim.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/plan endpoint. When an authenticated user adds an area to a map entry, the name parameter is stored and later rendered in the map list without HTML sanitization. An attacker can inject malicious script into the area name, which is then executed in the browser context of users who view or interact with the affected map entry, potentially enabling session compromise and unauthorized actions as the victim.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/defined endpoint. When an authenticated user creates a task, the defined_name value is stored and later rendered in the Overview page without HTML sanitization. An attacker can inject malicious script into defined_name, which is then executed in the browser context of users who view the affected task, potentially enabling session compromise and unauthorized actions as the victim.

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside of the Nextcloud Servers web page.

A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint.

The CryptX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `cryptx` shortcode in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Trail Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

The Thai Lottery Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `thailottery` shortcode in all versions up to, and including, 2.5. This is due to insufficient input sanitization and output escaping on the user supplied `width` and `height` shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Cool Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cool_tag_cloud' shortcode in all versions up to, and including, 2.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Nouri.sh Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The Weekly Planner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `h_tags` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sermon-views` shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

The SurveyFunnel - Survey Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'surveyfunnel_lite_survey' shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags).

SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, there is a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This vulnerability is fixed in 2025.102.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the IPS module. This vulnerability requires an authenticated administrator session to a locally managed Firebox. This issue affects Firebox: from 12.0 through 12.11.2.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Gateway Wireless Controller module) allows Stored XSS.This issue affects Fireware OS 11.7.2 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS.This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS.This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.