Skip to main content

XSS

38830 CVEs technique

Monthly

CVE-2019-25407 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the backup schedule interface. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25406 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the organization parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25405 HIGH POC This Week

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the newLicense parameter. [CVSS 7.2 HIGH]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2019-25404 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input through admin management parameters. [CVSS 6.4 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25403 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the comment parameter. [CVSS 6.4 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25402 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the username parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-15562 MEDIUM This Month

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker. [CVSS 6.1 MEDIUM]

RCE XSS Worktime
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2718 MEDIUM This Month

The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2716 MEDIUM This Month

Stored XSS in the Client Testimonial Slider WordPress plugin through version 2.0 allows administrators to inject malicious scripts into the 'Testimonial Heading' setting due to inadequate input sanitization. The injected scripts execute when users view affected pages, impacting multi-site WordPress installations or sites with unfiltered_html disabled. Currently no patch is available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2736 MEDIUM This Month

Reflected XSS in OpenCms v18.0 via the 'q' parameter in /search/index.html allows unauthenticated attackers to inject malicious scripts through crafted URLs. Successful exploitation enables session hijacking, credential theft, and arbitrary actions performed on behalf of authenticated users. No patch is currently available.

XSS Opencms
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2735 MEDIUM This Month

Stored XSS in OpenCms v18.0 allows authenticated attackers to inject malicious scripts through the 'text' parameter in blog article creation requests, which execute in other users' browsers when they view the affected content. The vulnerability requires user interaction and results in limited impact to confidentiality and integrity, but currently has no available patch.

XSS Opencms
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27094 MEDIUM This Month

GoDaddy CoBlocks through version 3.1.16 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages, potentially compromising other users who view the affected content. The vulnerability requires user interaction and can impact the confidentiality, integrity, and availability of affected systems. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27074 MEDIUM This Month

Stored XSS in Shortcoder plugin version 6.5.1 and earlier enables authenticated attackers to inject malicious scripts into web pages, affecting all users who view the compromised content. An attacker with user-level privileges can execute arbitrary JavaScript in victims' browsers through improper input sanitization during page generation. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27069 MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Soledad through version 8.7.2 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or data theft. The vulnerability requires user interaction and impacts the confidentiality, integrity, and availability of affected installations. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27059 MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Recipe plugin version 4.1 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially stealing session data or performing actions on behalf of affected users. The vulnerability requires user interaction and affects installations using vulnerable versions of the Penci Recipe component.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27058 MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Podcast through version 1.7 allows authenticated attackers to inject malicious scripts that execute in users' browsers with user interaction. An attacker with login credentials can exploit improper input sanitization during page generation to steal session tokens, redirect users, or perform actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27057 MEDIUM This Month

PenciDesign Penci Filter Everything penci-filter-everything is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25472 MEDIUM This Month

Stored cross-site scripting in ThemeFusion Fusion Builder through version 3.14.3 allows authenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with login credentials can leverage this vulnerability to steal session cookies, redirect users, or perform actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25463 MEDIUM This Month

Stored cross-site scripting in WpEstate Wpresidence Core through version 5.4.0 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction to trigger the payload and affects the broader site context, making it a persistence risk for compromised WordPress installations. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25453 MEDIUM This Month

DOM-based cross-site scripting in Advanced iFrame plugin through version 2025.10 allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially compromising session data and user interactions. The vulnerability requires user interaction and network access but can affect multiple security domains due to its scope impact. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25451 MEDIUM This Month

Bold Page Builder through version 5.6.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages. An attacker with user privileges can craft malicious input that persists in the application and executes in the browsers of other users who view the affected pages, potentially leading to credential theft or unauthorized actions. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25432 MEDIUM This Month

Stored cross-site scripting in Omnipress versions 1.6.7 and earlier allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially compromising session data and user interactions. The vulnerability requires user interaction to trigger but can affect any user viewing the affected content due to its stored nature. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25362 MEDIUM This Month

Stored XSS in FooGallery through version 3.1.11 allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers when viewing gallery content. An attacker with administrative or elevated access could leverage this vulnerability to steal session tokens, modify gallery data, or redirect users to malicious sites. A patch is not currently available for affected installations.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25343 MEDIUM This Month

DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25331 MEDIUM This Month

Melapress WP Activity Log wp-security-audit-log is affected by cross-site scripting (xss) (CVSS 6.5).

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25307 MEDIUM This Month

DOM-based XSS in the 8theme XStore Core et-core-plugin versions below 5.7 enables authenticated attackers to inject malicious scripts that execute in users' browsers through improper input handling during page generation. An attacker with user-level privileges and ability to trigger user interaction can exploit this to steal session data, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this medium-severity vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25305 MEDIUM This Month

DOM-based cross-site scripting in 8theme XStore through version 9.6.4 allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially stealing sensitive information or performing actions on behalf of victims. The vulnerability requires user interaction and affects the scope beyond the vulnerable component, with no patch currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25006 MEDIUM This Month

XStore versions 9.6.4 and earlier fail to properly sanitize HTML script tags, enabling attackers to inject malicious code that executes in users' browsers. This stored or reflected cross-site scripting vulnerability requires no authentication or user interaction, allowing attackers to steal session tokens, deface content, or redirect users to malicious sites. No patch is currently available, leaving affected installations vulnerable.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-25004 MEDIUM This Month

CreativeMindsSolutions CM Business Directory cm-business-directory is affected by cross-site scripting (xss) (CVSS 4.8).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24392 MEDIUM This Month

Stored XSS in HurryTimer through version 2.14.2 enables authenticated attackers with high privileges to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger but can affect multiple users due to its persistent nature. No patch is currently available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-40697 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter.

PHP XSS
NVD
EPSS
0.4%
CVE-2026-2502 MEDIUM This Month

Stored cross-site scripting in the WordPress XML-RPC Attacks Blocker plugin up to version 1.0 allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For HTTP header, which are then executed when administrators access the debug log page. The vulnerability stems from improper handling of untrusted header data without output escaping. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2282 MEDIUM This Month

Stored XSS in WordPress Slidorion plugin through version 1.0.2 allows administrators to inject malicious scripts via insufficiently sanitized settings that execute when other users view affected pages. The vulnerability requires high privileges and only manifests in multisite WordPress installations or those with unfiltered HTML disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1646 MEDIUM This Month

Stored cross-site scripting in the Advance Block Extend WordPress plugin versions up to 1.0.4 allows authenticated contributors and above to inject malicious scripts through the TitleColor attribute in the Latest Posts block, which execute in the browsers of users viewing affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling persistent payload injection. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1373 MEDIUM This Month

Stored XSS in WordPress Easy Author Image plugin up to version 1.7 allows authenticated subscribers and above to inject malicious scripts through the author_profile_picture_url parameter due to inadequate input sanitization. Attackers can embed arbitrary JavaScript that executes when other users view affected pages, potentially compromising user sessions and data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1055 MEDIUM This Month

Stored XSS in the TalkJS WordPress plugin through version 0.1.15 permits high-privilege administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages, restricted to multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's settings handling. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1047 MEDIUM This Month

Stored XSS in the Salavat Counter WordPress plugin up to version 0.9.5 allows authenticated administrators to inject malicious scripts through the 'image_url' parameter due to inadequate input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site integrity and user sessions. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1044 MEDIUM This Month

Stored cross-site scripting in Tennis Court Bookings plugin for WordPress through version 1.2.7 allows administrators to inject malicious scripts into admin settings that execute when other users access affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1043 MEDIUM This Month

PostmarkApp Email Integrator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0561 MEDIUM This Month

Shield Security plugin for WordPress versions up to 21.0.8 contains a reflected XSS vulnerability in the 'message' parameter that allows unauthenticated attackers to inject malicious scripts through specially crafted links. Successful exploitation requires tricking users into clicking a malicious link, resulting in execution of arbitrary JavaScript in their browser context. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-0556 MEDIUM This Month

Stored XSS in the XO Event Calendar WordPress plugin through version 3.2.10 allows authenticated contributors and above to inject malicious scripts into pages via the 'xo_event_field' shortcode due to improper input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0549 MEDIUM This Month

Stored XSS in WordPress Groups plugin through the 'groups_group_info' shortcode allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via inadequate input validation. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking or account compromise. No patch is currently available for versions up to 3.10.0.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14983 MEDIUM This Month

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-14851 MEDIUM This Month

The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14452 HIGH This Week

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-14445 MEDIUM This Month

The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14076 MEDIUM This Month

The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13738 MEDIUM This Month

The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13732 MEDIUM This Month

The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13617 MEDIUM This Month

Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13612 MEDIUM This Month

Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13048 MEDIUM This Month

The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12451 MEDIUM This Month

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-12448 MEDIUM This Month

The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS AI / ML PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12117 MEDIUM This Month

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12116 MEDIUM This Month

The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-11706 MEDIUM This Month

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-26281 MEDIUM POC PATCH This Month

Stored XSS in InvoicePlane's Sumex invoice view enables authenticated users with invoice management privileges to inject malicious JavaScript that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. Version 1.7.1 and later contain the fix.

XSS Invoiceplane
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-26270 MEDIUM PATCH This Month

InvoicePlane 1.7.0 and earlier contains a stored XSS vulnerability in the Invoice Groups "Identifier Format" field that authenticated users can exploit to inject malicious scripts executed when other users access the invoice list or dashboard. An attacker with invoice group management permissions can inject arbitrary JavaScript that runs in the context of other users' browsers, potentially leading to session hijacking or credential theft. A patch is available in version 1.7.1.

XSS Invoiceplane
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25596 MEDIUM POC PATCH This Month

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Product Unit Name field that allows authenticated administrators to inject malicious scripts executed when other admins view affected invoices. Public exploit code exists for this vulnerability, though exploitation requires high-privilege administrator access and user interaction. Version 1.7.1 resolves the issue.

XSS Invoiceplane
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25595 MEDIUM POC PATCH This Month

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Invoice Number field that allows authenticated administrators to inject malicious JavaScript executing in other administrators' browsers when viewing invoices or the dashboard. Public exploit code exists for this vulnerability, which has a CVSS score of 4.8 and can result in data theft or unauthorized actions within the application. A patch is available in version 1.7.1.

XSS Invoiceplane
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25594 MEDIUM POC PATCH This Month

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Family Name field that executes malicious scripts in administrators' browsers when they access the product form. An authenticated administrator can inject payloads via the family dropdown to compromise other admin sessions. Public exploit code exists for this vulnerability, though a patch is available in version 1.7.1.

XSS Invoiceplane
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-24745 MEDIUM POC PATCH This Month

Stored XSS via SVG file upload in InvoicePlane 1.7.0 Login Logo functionality allows authenticated administrators to inject persistent malicious scripts, potentially compromising application integrity and enabling unauthorized data modification. Public exploit code exists for this vulnerability, which requires high-level privileges but can lead to persistent backdoors and full application compromise. InvoicePlane 1.7.1 addresses this issue.

Golang XSS Invoiceplane
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-27178 HIGH POC This Week

MajorDomo's shoutbox feature is vulnerable to stored XSS due to unsanitized user input in the /objects/?method= endpoint, allowing unauthenticated attackers to inject malicious scripts that persist in the database. When administrators access the auto-refreshing dashboard, the stored payload executes automatically, enabling session hijacking and cookie theft. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP XSS Majordomo
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-27177 HIGH POC This Week

MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to inject stored XSS payloads that execute when administrators access the property editor, with public exploit code available. The vulnerability is compounded by session cookies lacking HttpOnly protection, enabling attackers to enumerate properties via the /api.php/data/ endpoint and hijack admin sessions through JavaScript exfiltration.

PHP IoT XSS Majordomo
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-27176 MEDIUM POC This Month

Reflected XSS in MajorDoMo's command.php allows remote attackers to inject arbitrary JavaScript through an unsanitized qry parameter, affecting users who click malicious links. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP XSS Majordomo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24744 MEDIUM POC PATCH This Month

Stored XSS in InvoicePlane 1.7.0's invoice editing function fails to sanitize the invoice_number parameter, allowing authenticated administrators to inject malicious scripts that persist in the application. Public exploit code exists for this vulnerability, enabling attackers with admin access to modify data, create backdoors, and compromise application integrity. Version 1.7.1 addresses this issue.

XSS Invoiceplane
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-24743 MEDIUM POC PATCH This Month

Stored XSS in InvoicePlane 1.7.0 via malicious SVG file upload in the Invoice Logo function allows authenticated administrators to inject persistent malicious scripts and compromise application integrity. Public exploit code exists for this vulnerability. Version 1.7.1 contains the patch.

Golang XSS Invoiceplane
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2019-25400 MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. [CVSS 5.4 MEDIUM]

XSS Ipfire
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2019-25399 MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. [CVSS 6.4 MEDIUM]

XSS Ipfire
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25398 MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. [CVSS 6.1 MEDIUM]

XSS Ipfire
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25397 MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]

XSS Ipfire
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25396 MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. [CVSS 6.1 MEDIUM]

XSS Ipfire
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25356 MEDIUM POC This Month

Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. [CVSS 6.1 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24746 MEDIUM POC PATCH This Month

Stored XSS in InvoicePlane 1.7.0's Edit Quotes function allows authenticated administrators to inject malicious scripts via the unvalidated quote_number parameter, enabling persistent code execution and data manipulation. Public exploit code exists for this vulnerability, which could lead to unauthorized modification of invoices, creation of backdoors, and complete compromise of application integrity. Version 1.7.1 addresses this flaw.

XSS Invoiceplane
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-27099 Maven HIGH PATCH This Week

Jenkins versions 2.483-2.550 and LTS 2.492.1-2.541.1 contain a stored XSS vulnerability in the agent offline cause description field that fails to properly sanitize user input. Attackers with Agent/Configure or Agent/Disconnect permissions can inject malicious scripts that execute in the browsers of other users viewing the affected agent configuration. No patch is currently available for this vulnerability.

Jenkins XSS Red Hat
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-1404 MEDIUM This Month

The Ultimate Member WordPress plugin through version 2.11.1 contains a reflected XSS vulnerability in filter parameters that lack proper input sanitization and output escaping. Unauthenticated attackers can inject malicious scripts into pages by crafting malicious links and convincing users to click them. Successful exploitation results in arbitrary JavaScript execution in the context of the affected user's browser session.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1441 MEDIUM This Month

Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /system/index_sets/ endpoint where unsanitized URL parameters are echoed into HTML responses, enabling attackers to execute arbitrary JavaScript in users' browsers. An attacker can craft a malicious URL to steal session cookies, hijack user sessions, or perform unauthorized actions within the victim's Graylog interface. No patch is currently available for this vulnerability.

XSS Graylog
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1440 MEDIUM This Month

Reflected XSS in Graylog Web Interface version 2.2.3 fails to properly sanitize user-supplied input in the /system/pipelines/ endpoint, enabling attackers to inject malicious JavaScript through specially crafted URLs. An attacker can execute arbitrary scripts in a victim's browser and potentially hijack user sessions when the victim visits a malicious link. No patch is currently available for this vulnerability.

XSS Graylog
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1439 MEDIUM This Month

Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /alerts/ endpoint where unencoded URL parameters are reflected in HTML responses, enabling attackers to execute arbitrary JavaScript in a victim's browser through malicious links. Successful exploitation allows session hijacking and limited account manipulation when users click crafted URLs. No patch is currently available for this vulnerability.

XSS Graylog
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1438 MEDIUM This Month

Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /system/nodes/ endpoint where unescaped URL parameters are reflected in HTML responses, enabling attackers to execute arbitrary JavaScript in a victim's browser. An attacker can craft a malicious URL to steal session credentials or manipulate user actions within the affected Graylog instance when a user clicks the link. No patch is currently available for this vulnerability.

XSS Graylog
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1437 MEDIUM This Month

Reflected XSS in Graylog 2.2.3's web interface allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting malicious URLs that bypass HTML output sanitization, particularly through the user edit endpoint. An attacker can exploit this to perform session hijacking or manipulate user context with no user interaction required beyond visiting a crafted link. No patch is currently available for this vulnerability.

XSS Graylog
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-8308 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Key Software Solutions Inc. [CVSS 6.3 MEDIUM]

XSS
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-14340 POC This Week

Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.

XSS
NVD
EPSS
0.1%
CVE-2025-13727 MEDIUM This Month

The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-11185 MEDIUM This Month

The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1941 MEDIUM This Month

Stored cross-site scripting in WP Event Aggregator plugin through version 1.8.7 allows authenticated contributors and above to inject malicious scripts via the wp_events shortcode due to inadequate input sanitization. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available, leaving affected WordPress installations vulnerable.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1649 MEDIUM This Month

Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1943 MEDIUM This Month

Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2281 MEDIUM This Month

Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the backup schedule interface. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the organization parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
EPSS 0% CVSS 7.2
HIGH POC This Week

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the newLicense parameter. [CVSS 7.2 HIGH]

XSS Dome Firewall
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input through admin management parameters. [CVSS 6.4 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the comment parameter. [CVSS 6.4 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the username parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM This Month

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker. [CVSS 6.1 MEDIUM]

RCE XSS Worktime
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the Client Testimonial Slider WordPress plugin through version 2.0 allows administrators to inject malicious scripts into the 'Testimonial Heading' setting due to inadequate input sanitization. The injected scripts execute when users view affected pages, impacting multi-site WordPress installations or sites with unfiltered_html disabled. Currently no patch is available.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in OpenCms v18.0 via the 'q' parameter in /search/index.html allows unauthenticated attackers to inject malicious scripts through crafted URLs. Successful exploitation enables session hijacking, credential theft, and arbitrary actions performed on behalf of authenticated users. No patch is currently available.

XSS Opencms
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in OpenCms v18.0 allows authenticated attackers to inject malicious scripts through the 'text' parameter in blog article creation requests, which execute in other users' browsers when they view the affected content. The vulnerability requires user interaction and results in limited impact to confidentiality and integrity, but currently has no available patch.

XSS Opencms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

GoDaddy CoBlocks through version 3.1.16 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages, potentially compromising other users who view the affected content. The vulnerability requires user interaction and can impact the confidentiality, integrity, and availability of affected systems. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored XSS in Shortcoder plugin version 6.5.1 and earlier enables authenticated attackers to inject malicious scripts into web pages, affecting all users who view the compromised content. An attacker with user-level privileges can execute arbitrary JavaScript in victims' browsers through improper input sanitization during page generation. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Soledad through version 8.7.2 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or data theft. The vulnerability requires user interaction and impacts the confidentiality, integrity, and availability of affected installations. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Recipe plugin version 4.1 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially stealing session data or performing actions on behalf of affected users. The vulnerability requires user interaction and affects installations using vulnerable versions of the Penci Recipe component.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Podcast through version 1.7 allows authenticated attackers to inject malicious scripts that execute in users' browsers with user interaction. An attacker with login credentials can exploit improper input sanitization during page generation to steal session tokens, redirect users, or perform actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

PenciDesign Penci Filter Everything penci-filter-everything is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in ThemeFusion Fusion Builder through version 3.14.3 allows authenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with login credentials can leverage this vulnerability to steal session cookies, redirect users, or perform actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in WpEstate Wpresidence Core through version 5.4.0 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction to trigger the payload and affects the broader site context, making it a persistence risk for compromised WordPress installations. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in Advanced iFrame plugin through version 2025.10 allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially compromising session data and user interactions. The vulnerability requires user interaction and network access but can affect multiple security domains due to its scope impact. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Bold Page Builder through version 5.6.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages. An attacker with user privileges can craft malicious input that persists in the application and executes in the browsers of other users who view the affected pages, potentially leading to credential theft or unauthorized actions. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in Omnipress versions 1.6.7 and earlier allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially compromising session data and user interactions. The vulnerability requires user interaction to trigger but can affect any user viewing the affected content due to its stored nature. No patch is currently available.

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in FooGallery through version 3.1.11 allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers when viewing gallery content. An attacker with administrative or elevated access could leverage this vulnerability to steal session tokens, modify gallery data, or redirect users to malicious sites. A patch is not currently available for affected installations.

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Melapress WP Activity Log wp-security-audit-log is affected by cross-site scripting (xss) (CVSS 6.5).

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based XSS in the 8theme XStore Core et-core-plugin versions below 5.7 enables authenticated attackers to inject malicious scripts that execute in users' browsers through improper input handling during page generation. An attacker with user-level privileges and ability to trigger user interaction can exploit this to steal session data, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this medium-severity vulnerability.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in 8theme XStore through version 9.6.4 allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially stealing sensitive information or performing actions on behalf of victims. The vulnerability requires user interaction and affects the scope beyond the vulnerable component, with no patch currently available.

XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

XStore versions 9.6.4 and earlier fail to properly sanitize HTML script tags, enabling attackers to inject malicious code that executes in users' browsers. This stored or reflected cross-site scripting vulnerability requires no authentication or user interaction, allowing attackers to steal session tokens, deface content, or redirect users to malicious sites. No patch is currently available, leaving affected installations vulnerable.

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

CreativeMindsSolutions CM Business Directory cm-business-directory is affected by cross-site scripting (xss) (CVSS 4.8).

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in HurryTimer through version 2.14.2 enables authenticated attackers with high privileges to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger but can affect multiple users due to its persistent nature. No patch is currently available.

XSS
NVD
EPSS 0%
This Week

Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter.

PHP XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting in the WordPress XML-RPC Attacks Blocker plugin up to version 1.0 allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For HTTP header, which are then executed when administrators access the debug log page. The vulnerability stems from improper handling of untrusted header data without output escaping. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Slidorion plugin through version 1.0.2 allows administrators to inject malicious scripts via insufficiently sanitized settings that execute when other users view affected pages. The vulnerability requires high privileges and only manifests in multisite WordPress installations or those with unfiltered HTML disabled. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Advance Block Extend WordPress plugin versions up to 1.0.4 allows authenticated contributors and above to inject malicious scripts through the TitleColor attribute in the Latest Posts block, which execute in the browsers of users viewing affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling persistent payload injection. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Easy Author Image plugin up to version 1.7 allows authenticated subscribers and above to inject malicious scripts through the author_profile_picture_url parameter due to inadequate input sanitization. Attackers can embed arbitrary JavaScript that executes when other users view affected pages, potentially compromising user sessions and data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the TalkJS WordPress plugin through version 0.1.15 permits high-privilege administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages, restricted to multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's settings handling. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the Salavat Counter WordPress plugin up to version 0.9.5 allows authenticated administrators to inject malicious scripts through the 'image_url' parameter due to inadequate input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site integrity and user sessions. A patch is not currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting in Tennis Court Bookings plugin for WordPress through version 1.2.7 allows administrators to inject malicious scripts into admin settings that execute when other users access affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

PostmarkApp Email Integrator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Shield Security plugin for WordPress versions up to 21.0.8 contains a reflected XSS vulnerability in the 'message' parameter that allows unauthenticated attackers to inject malicious scripts through specially crafted links. Successful exploitation requires tricking users into clicking a malicious link, resulting in execution of arbitrary JavaScript in their browser context. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the XO Event Calendar WordPress plugin through version 3.2.10 allows authenticated contributors and above to inject malicious scripts into pages via the 'xo_event_field' shortcode due to improper input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Groups plugin through the 'groups_group_info' shortcode allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via inadequate input validation. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking or account compromise. No patch is currently available for versions up to 3.10.0.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS AI / ML +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM POC PATCH This Month

Stored XSS in InvoicePlane's Sumex invoice view enables authenticated users with invoice management privileges to inject malicious JavaScript that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. Version 1.7.1 and later contain the fix.

XSS Invoiceplane
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

InvoicePlane 1.7.0 and earlier contains a stored XSS vulnerability in the Invoice Groups "Identifier Format" field that authenticated users can exploit to inject malicious scripts executed when other users access the invoice list or dashboard. An attacker with invoice group management permissions can inject arbitrary JavaScript that runs in the context of other users' browsers, potentially leading to session hijacking or credential theft. A patch is available in version 1.7.1.

XSS Invoiceplane
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Product Unit Name field that allows authenticated administrators to inject malicious scripts executed when other admins view affected invoices. Public exploit code exists for this vulnerability, though exploitation requires high-privilege administrator access and user interaction. Version 1.7.1 resolves the issue.

XSS Invoiceplane
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Invoice Number field that allows authenticated administrators to inject malicious JavaScript executing in other administrators' browsers when viewing invoices or the dashboard. Public exploit code exists for this vulnerability, which has a CVSS score of 4.8 and can result in data theft or unauthorized actions within the application. A patch is available in version 1.7.1.

XSS Invoiceplane
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Family Name field that executes malicious scripts in administrators' browsers when they access the product form. An authenticated administrator can inject payloads via the family dropdown to compromise other admin sessions. Public exploit code exists for this vulnerability, though a patch is available in version 1.7.1.

XSS Invoiceplane
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM POC PATCH This Month

Stored XSS via SVG file upload in InvoicePlane 1.7.0 Login Logo functionality allows authenticated administrators to inject persistent malicious scripts, potentially compromising application integrity and enabling unauthorized data modification. Public exploit code exists for this vulnerability, which requires high-level privileges but can lead to persistent backdoors and full application compromise. InvoicePlane 1.7.1 addresses this issue.

Golang XSS Invoiceplane
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

MajorDomo's shoutbox feature is vulnerable to stored XSS due to unsanitized user input in the /objects/?method= endpoint, allowing unauthenticated attackers to inject malicious scripts that persist in the database. When administrators access the auto-refreshing dashboard, the stored payload executes automatically, enabling session hijacking and cookie theft. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP XSS Majordomo
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to inject stored XSS payloads that execute when administrators access the property editor, with public exploit code available. The vulnerability is compounded by session cookies lacking HttpOnly protection, enabling attackers to enumerate properties via the /api.php/data/ endpoint and hijack admin sessions through JavaScript exfiltration.

PHP IoT XSS +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected XSS in MajorDoMo's command.php allows remote attackers to inject arbitrary JavaScript through an unsanitized qry parameter, affecting users who click malicious links. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP XSS Majordomo
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM POC PATCH This Month

Stored XSS in InvoicePlane 1.7.0's invoice editing function fails to sanitize the invoice_number parameter, allowing authenticated administrators to inject malicious scripts that persist in the application. Public exploit code exists for this vulnerability, enabling attackers with admin access to modify data, create backdoors, and compromise application integrity. Version 1.7.1 addresses this issue.

XSS Invoiceplane
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM POC PATCH This Month

Stored XSS in InvoicePlane 1.7.0 via malicious SVG file upload in the Invoice Logo function allows authenticated administrators to inject persistent malicious scripts and compromise application integrity. Public exploit code exists for this vulnerability. Version 1.7.1 contains the patch.

Golang XSS Invoiceplane
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. [CVSS 5.4 MEDIUM]

XSS Ipfire
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. [CVSS 6.4 MEDIUM]

XSS Ipfire
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. [CVSS 6.1 MEDIUM]

XSS Ipfire
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]

XSS Ipfire
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. [CVSS 6.1 MEDIUM]

XSS Ipfire
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. [CVSS 6.1 MEDIUM]

XSS
NVD Exploit-DB
EPSS 0% CVSS 5.7
MEDIUM POC PATCH This Month

Stored XSS in InvoicePlane 1.7.0's Edit Quotes function allows authenticated administrators to inject malicious scripts via the unvalidated quote_number parameter, enabling persistent code execution and data manipulation. Public exploit code exists for this vulnerability, which could lead to unauthorized modification of invoices, creation of backdoors, and complete compromise of application integrity. Version 1.7.1 addresses this flaw.

XSS Invoiceplane
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Jenkins versions 2.483-2.550 and LTS 2.492.1-2.541.1 contain a stored XSS vulnerability in the agent offline cause description field that fails to properly sanitize user input. Attackers with Agent/Configure or Agent/Disconnect permissions can inject malicious scripts that execute in the browsers of other users viewing the affected agent configuration. No patch is currently available for this vulnerability.

Jenkins XSS Red Hat
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Ultimate Member WordPress plugin through version 2.11.1 contains a reflected XSS vulnerability in filter parameters that lack proper input sanitization and output escaping. Unauthenticated attackers can inject malicious scripts into pages by crafting malicious links and convincing users to click them. Successful exploitation results in arbitrary JavaScript execution in the context of the affected user's browser session.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /system/index_sets/ endpoint where unsanitized URL parameters are echoed into HTML responses, enabling attackers to execute arbitrary JavaScript in users' browsers. An attacker can craft a malicious URL to steal session cookies, hijack user sessions, or perform unauthorized actions within the victim's Graylog interface. No patch is currently available for this vulnerability.

XSS Graylog
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Graylog Web Interface version 2.2.3 fails to properly sanitize user-supplied input in the /system/pipelines/ endpoint, enabling attackers to inject malicious JavaScript through specially crafted URLs. An attacker can execute arbitrary scripts in a victim's browser and potentially hijack user sessions when the victim visits a malicious link. No patch is currently available for this vulnerability.

XSS Graylog
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /alerts/ endpoint where unencoded URL parameters are reflected in HTML responses, enabling attackers to execute arbitrary JavaScript in a victim's browser through malicious links. Successful exploitation allows session hijacking and limited account manipulation when users click crafted URLs. No patch is currently available for this vulnerability.

XSS Graylog
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /system/nodes/ endpoint where unescaped URL parameters are reflected in HTML responses, enabling attackers to execute arbitrary JavaScript in a victim's browser. An attacker can craft a malicious URL to steal session credentials or manipulate user actions within the affected Graylog instance when a user clicks the link. No patch is currently available for this vulnerability.

XSS Graylog
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Graylog 2.2.3's web interface allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting malicious URLs that bypass HTML output sanitization, particularly through the user edit endpoint. An attacker can exploit this to perform session hijacking or manipulate user context with no user interaction required beyond visiting a crafted link. No patch is currently available for this vulnerability.

XSS Graylog
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Key Software Solutions Inc. [CVSS 6.3 MEDIUM]

XSS
NVD VulDB
EPSS 0%
POC This Week

Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.

XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in WP Event Aggregator plugin through version 1.8.7 allows authenticated contributors and above to inject malicious scripts via the wp_events shortcode due to inadequate input sanitization. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available, leaving affected WordPress installations vulnerable.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
Prev Page 40 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy