XSS
Monthly
Stored cross-site scripting in WP Event Aggregator plugin through version 1.8.7 allows authenticated contributors and above to inject malicious scripts via the wp_events shortcode due to inadequate input sanitization. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available, leaving affected WordPress installations vulnerable.
Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.
Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.
Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
InteractiveCalculator for WordPress (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The Download Manager plugin for WordPress through version 3.3.46 contains a reflected XSS vulnerability in the 'redirect_to' parameter that allows unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.
Stored Cross-Site Scripting in the Membership Plugin for WordPress versions up to 3.2.18 allows authenticated administrators to inject malicious scripts into invoice settings fields due to inadequate input sanitization. When other users access pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. Exploitation requires administrator-level access and no patch is currently available.
The Popup Box - Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
VK All in One Expansion Unit (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored cross-site scripting in the Rent Fetch WordPress plugin through version 0.32.4 allows unauthenticated attackers to inject malicious scripts via inadequately sanitized keyword parameters. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Display During Conditional Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.
IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 versions up to 3.0.5.4 is affected by cross-site scripting (xss) (CVSS 6.1).
A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. [CVSS 3.5 LOW]
Stored cross-site scripting in Dell Unisphere for PowerMax 9.2.4.x allows authenticated remote attackers to inject malicious scripts that execute in users' browsers, potentially enabling session hijacking or credential theft. The vulnerability requires user interaction and carries a medium severity rating with no patch currently available.
lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) on the /tools/Password/add page in the input field password. [CVSS 7.1 HIGH]
Db2 Recovery Expert versions up to 5.5.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).
IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site scripting. [CVSS 6.1 MEDIUM]
Cross-site scripting in Dell Unisphere for PowerMax vApp 9.2.4.x enables authenticated remote attackers to inject malicious scripts that execute in victim browsers, potentially compromising session tokens or stealing sensitive information. The vulnerability requires user interaction and low-level privileges, but no patch is currently available to address it.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EKA Software Computer Information Advertising Services Ltd. [CVSS 6.5 MEDIUM]
Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.
Stored XSS in Forminator Forms plugin for WordPress (versions up to 1.50.2) allows authenticated administrators and delegated form managers to inject malicious scripts through the form_name parameter due to inadequate input sanitization. When users access pages containing injected forms, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the preferences.cgi script that allow attackers to inject malicious scripts through the HOSTNAME, KEYMAP, and OPENNESS parameters. [CVSS 7.2 HIGH]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the modem.cgi script that allow attackers to inject malicious scripts through POST parameters. [CVSS 7.2 HIGH]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the IP parameter. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the interfaces.cgi script that allow attackers to inject malicious scripts through multiple parameters including GREEN_ADDRESS, GREEN_NETMASK, RED_DHCP_HOSTNAME, RED_ADDRESS, DNS1_OVERRIDE, DNS2_OVERRIDE, RED_MAC, RED_NETMASK, DEFAULT_GATEWAY, DNS1, and DNS2. [CVSS 5.4 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the MACHINES parameter. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the ipblock.cgi endpoint. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the xtaccess.cgi endpoint. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dmzholes.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the MACHINE and MACHINECOMMENT parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the portfw.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the apcupsd.cgi script that allow attackers to inject malicious scripts through multiple POST parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTP_SERVER parameter. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dhcp.cgi script that allow attackers to inject malicious scripts through multiple parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains stored and reflected cross-site scripting vulnerabilities in the urlfilter.cgi endpoint that allow attackers to inject malicious scripts. [CVSS 7.2 HIGH]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple cross-site scripting vulnerabilities in the proxy.cgi endpoint that allow attackers to inject malicious scripts through parameters including CACHE_SIZE, MAX_SIZE, MIN_SIZE, MAX_OUTGOING_SIZE, and MAX_INCOMING_SIZE. [CVSS 6.1 MEDIUM]
ENOVIAvpm Web Access versions 1.16 through 1.19 contain a reflected XSS vulnerability that allows authenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session through a crafted URL. The vulnerability requires user interaction to trigger but can lead to session hijacking, credential theft, or malware distribution across the affected organization. No patch is currently available, requiring organizations to implement network-level mitigations or restrict access until a fix is released.
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests. [CVSS 7.2 HIGH]
An issue in Visual Studio Code Extensions Live Server v5.7.9 allows attackers to exfiltrate files via user interaction with a crafted HTML page. [CVSS 4.3 MEDIUM]
A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. [CVSS 3.5 LOW]
Cross-Site Scripting (XSS) vulnerability reflected in Kubysoft, which occurs through multiple parameters within the endpoint ‘/node/kudaby/nodeFN/procedure’. [CVSS 6.1 MEDIUM]
Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessing the affected resource. [CVSS 5.4 MEDIUM]
Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. [CVSS 5.4 MEDIUM]
A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. [CVSS 3.5 LOW]
A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. [CVSS 3.5 LOW]
A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketSearch. [CVSS 3.5 LOW]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. [CVSS 5.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. [CVSS 5.4 MEDIUM]
ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. [CVSS 5.4 MEDIUM]
Stored XSS in Essential Addons for Elementor plugin (versions up to 6.5.9) allows authenticated contributors to inject malicious scripts into pages through the Info Box widget due to inadequate input sanitization. The injected scripts execute for all users viewing the affected pages, potentially leading to credential theft or malware distribution. No patch is currently available.
Stored cross-site scripting in Super Page Cache for WordPress (versions up to 5.2.2) allows unauthenticated attackers to inject malicious scripts through the Activity Log due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
The myCred WordPress plugin through version 2.9.7.3 contains a stored cross-site scripting vulnerability in the 'mycred_load_coupon' shortcode that allows authenticated contributors and above to inject malicious scripts into pages through inadequately sanitized shortcode attributes. When site visitors access pages containing the injected payload, the attacker's script executes in their browsers, potentially compromising user sessions and sensitive data. No patch is currently available for this vulnerability.
Stored XSS in WordPress Press3D plugin (versions up to 1.0.2) allows authenticated authors to inject malicious JavaScript through unsanitized URL schemes in 3D model blocks, executing arbitrary scripts when users interact with affected content. The vulnerability requires author-level access or higher and impacts all installations of the vulnerable plugin versions without available patches.
Stored XSS in the Percent to Infograph WordPress plugin (versions up to 1.0) allows authenticated users with contributor-level or higher privileges to inject malicious scripts through the percent_to_graph shortcode due to inadequate input sanitization. When pages containing the injected payload are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site security and user data.
Stored cross-site scripting in the Simple Plyr WordPress plugin through version 0.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts via the 'poster' parameter in the plyr shortcode due to inadequate input validation. When victims visit pages containing the injected payload, the attacker's scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Stored cross-site scripting in the UpMenu WordPress plugin through version 3.1 allows authenticated contributors and above to inject malicious scripts via the 'lang' shortcode attribute due to inadequate input sanitization and output escaping. When victims visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.
Stored cross-site scripting in WordPress Sphere Manager plugin through version 1.0.2 allows authenticated users with Contributor privileges or higher to inject malicious scripts via the 'width' parameter in shortcodes due to improper input sanitization. Injected scripts execute in the browsers of any user viewing the affected page, potentially compromising site visitors. No patch is currently available.
Stored XSS in the Ravelry Designs Widget WordPress plugin through version 1.0.0 allows authenticated contributors to inject malicious scripts into page shortcodes due to inadequate input sanitization. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. An active patch is not currently available.
Authenticated attackers with Contributor access or higher can inject malicious scripts into WordPress pages via the QuestionPro Surveys plugin's 'questionpro' shortcode, exploiting inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for versions up to 1.0.
The StyleBidet WordPress plugin through version 1.0.0 fails to properly sanitize URL path parameters, enabling unauthenticated attackers to inject malicious scripts that execute in victim browsers. An attacker can exploit this reflected XSS vulnerability by crafting a malicious link and tricking users into clicking it, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.
The Address Bar Ads plugin for WordPress versions up to 1.0.0 contains a reflected cross-site scripting vulnerability in the URL path due to inadequate input sanitization, allowing unauthenticated attackers to inject malicious scripts that execute when users click on crafted links. This attack requires user interaction and affects the confidentiality and integrity of affected sites. No patch is currently available for this vulnerability.
Stored XSS in the Geo Widget WordPress plugin through version 1.0 allows unauthenticated attackers to inject malicious scripts via insufficiently sanitized URL parameters that execute when users visit affected pages. The vulnerability requires user interaction to trigger but impacts all site visitors who access injected content. No patch is currently available.
Stored cross-site scripting in the ZoomifyWP Free WordPress plugin through version 1.1 allows authenticated contributors and higher to inject malicious scripts via the filename parameter in the zoomify shortcode due to inadequate input sanitization. When other users visit pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or data. No patch is currently available for this vulnerability.
Stored XSS in the Best-wp-google-map WordPress plugin through versions 2.1 allows authenticated contributors and above to inject malicious scripts via insufficiently sanitized latitude and longitude shortcode parameters. When other users view pages containing the injected shortcode, the attacker's scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
Reflected XSS in the Super Simple Contact Form WordPress plugin through version 1.6.2 allows unauthenticated attackers to inject malicious scripts via the 'sscf_name' parameter due to inadequate input sanitization. An attacker can exploit this by tricking users into clicking a crafted link, causing arbitrary JavaScript to execute in their browsers and potentially leading to session hijacking or credential theft. No patch is currently available.
Stored XSS in the Payment Page | Payment Form for Stripe WordPress plugin (versions up to 1.4.6) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the 'pricing_plan_select_text_font_family' parameter due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Chatbot for WordPress by Collect.chat (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored XSS in the WordPress User Language Switch plugin through the 'tab_color_picker_language_switch' parameter allows authenticated administrators to inject malicious scripts on multi-site installations or when unfiltered_html is disabled. The injected scripts execute in the context of other users accessing affected pages. This vulnerability affects all versions up to 1.6.10, with no patch currently available.
Allow HTML in Category Descriptions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Stored cross-site scripting in MasterStudy LMS WordPress Plugin versions up to 3.7.11 allows authenticated contributors and above to inject malicious scripts through the 'stm_lms_courses_grid_display' shortcode due to insufficient input sanitization and output escaping. When users access pages containing the injected payload, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available.
Stored XSS in WordPress WP Data Access plugin versions up to 5.5.63 allows authenticated contributors and higher to inject malicious scripts into pages via the 'wpda_app' shortcode due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
AMP Enhancer plugin for WordPress versions up to 1.0.49 allows authenticated administrators to inject stored XSS payloads through the Custom CSS setting due to insufficient input sanitization, affecting multi-site installations and those with unfiltered_html disabled. An attacker with admin-level access can execute arbitrary JavaScript in the context of user browsers visiting affected pages. A security patch is not yet available.
Stored XSS in the Citations tools WordPress plugin (versions up to 0.3.2) allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized shortcode parameters, which execute in the browsers of users viewing affected pages. The vulnerability requires authentication but affects all site visitors who access pages containing the injected code. No patch is currently available.
Simple Wp colorfull Accordion (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.
Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.
Stored cross-site scripting in WP Event Aggregator plugin through version 1.8.7 allows authenticated contributors and above to inject malicious scripts via the wp_events shortcode due to inadequate input sanitization. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available, leaving affected WordPress installations vulnerable.
Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.
Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.
Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
InteractiveCalculator for WordPress (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The Download Manager plugin for WordPress through version 3.3.46 contains a reflected XSS vulnerability in the 'redirect_to' parameter that allows unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.
Stored Cross-Site Scripting in the Membership Plugin for WordPress versions up to 3.2.18 allows authenticated administrators to inject malicious scripts into invoice settings fields due to inadequate input sanitization. When other users access pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. Exploitation requires administrator-level access and no patch is currently available.
The Popup Box - Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
VK All in One Expansion Unit (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored cross-site scripting in the Rent Fetch WordPress plugin through version 0.32.4 allows unauthenticated attackers to inject malicious scripts via inadequately sanitized keyword parameters. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Display During Conditional Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.
IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 versions up to 3.0.5.4 is affected by cross-site scripting (xss) (CVSS 6.1).
A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. [CVSS 3.5 LOW]
Stored cross-site scripting in Dell Unisphere for PowerMax 9.2.4.x allows authenticated remote attackers to inject malicious scripts that execute in users' browsers, potentially enabling session hijacking or credential theft. The vulnerability requires user interaction and carries a medium severity rating with no patch currently available.
lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) on the /tools/Password/add page in the input field password. [CVSS 7.1 HIGH]
Db2 Recovery Expert versions up to 5.5.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).
IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site scripting. [CVSS 6.1 MEDIUM]
Cross-site scripting in Dell Unisphere for PowerMax vApp 9.2.4.x enables authenticated remote attackers to inject malicious scripts that execute in victim browsers, potentially compromising session tokens or stealing sensitive information. The vulnerability requires user interaction and low-level privileges, but no patch is currently available to address it.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EKA Software Computer Information Advertising Services Ltd. [CVSS 6.5 MEDIUM]
Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.
Stored XSS in Forminator Forms plugin for WordPress (versions up to 1.50.2) allows authenticated administrators and delegated form managers to inject malicious scripts through the form_name parameter due to inadequate input sanitization. When users access pages containing injected forms, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the preferences.cgi script that allow attackers to inject malicious scripts through the HOSTNAME, KEYMAP, and OPENNESS parameters. [CVSS 7.2 HIGH]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the modem.cgi script that allow attackers to inject malicious scripts through POST parameters. [CVSS 7.2 HIGH]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the IP parameter. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the interfaces.cgi script that allow attackers to inject malicious scripts through multiple parameters including GREEN_ADDRESS, GREEN_NETMASK, RED_DHCP_HOSTNAME, RED_ADDRESS, DNS1_OVERRIDE, DNS2_OVERRIDE, RED_MAC, RED_NETMASK, DEFAULT_GATEWAY, DNS1, and DNS2. [CVSS 5.4 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the MACHINES parameter. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the ipblock.cgi endpoint. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the xtaccess.cgi endpoint. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dmzholes.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the MACHINE and MACHINECOMMENT parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the portfw.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the apcupsd.cgi script that allow attackers to inject malicious scripts through multiple POST parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTP_SERVER parameter. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dhcp.cgi script that allow attackers to inject malicious scripts through multiple parameters. [CVSS 6.1 MEDIUM]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains stored and reflected cross-site scripting vulnerabilities in the urlfilter.cgi endpoint that allow attackers to inject malicious scripts. [CVSS 7.2 HIGH]
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple cross-site scripting vulnerabilities in the proxy.cgi endpoint that allow attackers to inject malicious scripts through parameters including CACHE_SIZE, MAX_SIZE, MIN_SIZE, MAX_OUTGOING_SIZE, and MAX_INCOMING_SIZE. [CVSS 6.1 MEDIUM]
ENOVIAvpm Web Access versions 1.16 through 1.19 contain a reflected XSS vulnerability that allows authenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session through a crafted URL. The vulnerability requires user interaction to trigger but can lead to session hijacking, credential theft, or malware distribution across the affected organization. No patch is currently available, requiring organizations to implement network-level mitigations or restrict access until a fix is released.
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests. [CVSS 7.2 HIGH]
An issue in Visual Studio Code Extensions Live Server v5.7.9 allows attackers to exfiltrate files via user interaction with a crafted HTML page. [CVSS 4.3 MEDIUM]
A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. [CVSS 3.5 LOW]
Cross-Site Scripting (XSS) vulnerability reflected in Kubysoft, which occurs through multiple parameters within the endpoint ‘/node/kudaby/nodeFN/procedure’. [CVSS 6.1 MEDIUM]
Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessing the affected resource. [CVSS 5.4 MEDIUM]
Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. [CVSS 5.4 MEDIUM]
A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. [CVSS 3.5 LOW]
A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. [CVSS 3.5 LOW]
A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketSearch. [CVSS 3.5 LOW]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. [CVSS 5.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. [CVSS 5.4 MEDIUM]
ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. [CVSS 5.4 MEDIUM]
Stored XSS in Essential Addons for Elementor plugin (versions up to 6.5.9) allows authenticated contributors to inject malicious scripts into pages through the Info Box widget due to inadequate input sanitization. The injected scripts execute for all users viewing the affected pages, potentially leading to credential theft or malware distribution. No patch is currently available.
Stored cross-site scripting in Super Page Cache for WordPress (versions up to 5.2.2) allows unauthenticated attackers to inject malicious scripts through the Activity Log due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
The myCred WordPress plugin through version 2.9.7.3 contains a stored cross-site scripting vulnerability in the 'mycred_load_coupon' shortcode that allows authenticated contributors and above to inject malicious scripts into pages through inadequately sanitized shortcode attributes. When site visitors access pages containing the injected payload, the attacker's script executes in their browsers, potentially compromising user sessions and sensitive data. No patch is currently available for this vulnerability.
Stored XSS in WordPress Press3D plugin (versions up to 1.0.2) allows authenticated authors to inject malicious JavaScript through unsanitized URL schemes in 3D model blocks, executing arbitrary scripts when users interact with affected content. The vulnerability requires author-level access or higher and impacts all installations of the vulnerable plugin versions without available patches.
Stored XSS in the Percent to Infograph WordPress plugin (versions up to 1.0) allows authenticated users with contributor-level or higher privileges to inject malicious scripts through the percent_to_graph shortcode due to inadequate input sanitization. When pages containing the injected payload are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site security and user data.
Stored cross-site scripting in the Simple Plyr WordPress plugin through version 0.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts via the 'poster' parameter in the plyr shortcode due to inadequate input validation. When victims visit pages containing the injected payload, the attacker's scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Stored cross-site scripting in the UpMenu WordPress plugin through version 3.1 allows authenticated contributors and above to inject malicious scripts via the 'lang' shortcode attribute due to inadequate input sanitization and output escaping. When victims visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.
Stored cross-site scripting in WordPress Sphere Manager plugin through version 1.0.2 allows authenticated users with Contributor privileges or higher to inject malicious scripts via the 'width' parameter in shortcodes due to improper input sanitization. Injected scripts execute in the browsers of any user viewing the affected page, potentially compromising site visitors. No patch is currently available.
Stored XSS in the Ravelry Designs Widget WordPress plugin through version 1.0.0 allows authenticated contributors to inject malicious scripts into page shortcodes due to inadequate input sanitization. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. An active patch is not currently available.
Authenticated attackers with Contributor access or higher can inject malicious scripts into WordPress pages via the QuestionPro Surveys plugin's 'questionpro' shortcode, exploiting inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for versions up to 1.0.
The StyleBidet WordPress plugin through version 1.0.0 fails to properly sanitize URL path parameters, enabling unauthenticated attackers to inject malicious scripts that execute in victim browsers. An attacker can exploit this reflected XSS vulnerability by crafting a malicious link and tricking users into clicking it, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.
The Address Bar Ads plugin for WordPress versions up to 1.0.0 contains a reflected cross-site scripting vulnerability in the URL path due to inadequate input sanitization, allowing unauthenticated attackers to inject malicious scripts that execute when users click on crafted links. This attack requires user interaction and affects the confidentiality and integrity of affected sites. No patch is currently available for this vulnerability.
Stored XSS in the Geo Widget WordPress plugin through version 1.0 allows unauthenticated attackers to inject malicious scripts via insufficiently sanitized URL parameters that execute when users visit affected pages. The vulnerability requires user interaction to trigger but impacts all site visitors who access injected content. No patch is currently available.
Stored cross-site scripting in the ZoomifyWP Free WordPress plugin through version 1.1 allows authenticated contributors and higher to inject malicious scripts via the filename parameter in the zoomify shortcode due to inadequate input sanitization. When other users visit pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or data. No patch is currently available for this vulnerability.
Stored XSS in the Best-wp-google-map WordPress plugin through versions 2.1 allows authenticated contributors and above to inject malicious scripts via insufficiently sanitized latitude and longitude shortcode parameters. When other users view pages containing the injected shortcode, the attacker's scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
Reflected XSS in the Super Simple Contact Form WordPress plugin through version 1.6.2 allows unauthenticated attackers to inject malicious scripts via the 'sscf_name' parameter due to inadequate input sanitization. An attacker can exploit this by tricking users into clicking a crafted link, causing arbitrary JavaScript to execute in their browsers and potentially leading to session hijacking or credential theft. No patch is currently available.
Stored XSS in the Payment Page | Payment Form for Stripe WordPress plugin (versions up to 1.4.6) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the 'pricing_plan_select_text_font_family' parameter due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Chatbot for WordPress by Collect.chat (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored XSS in the WordPress User Language Switch plugin through the 'tab_color_picker_language_switch' parameter allows authenticated administrators to inject malicious scripts on multi-site installations or when unfiltered_html is disabled. The injected scripts execute in the context of other users accessing affected pages. This vulnerability affects all versions up to 1.6.10, with no patch currently available.
Allow HTML in Category Descriptions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Stored cross-site scripting in MasterStudy LMS WordPress Plugin versions up to 3.7.11 allows authenticated contributors and above to inject malicious scripts through the 'stm_lms_courses_grid_display' shortcode due to insufficient input sanitization and output escaping. When users access pages containing the injected payload, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available.
Stored XSS in WordPress WP Data Access plugin versions up to 5.5.63 allows authenticated contributors and higher to inject malicious scripts into pages via the 'wpda_app' shortcode due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
AMP Enhancer plugin for WordPress versions up to 1.0.49 allows authenticated administrators to inject stored XSS payloads through the Custom CSS setting due to insufficient input sanitization, affecting multi-site installations and those with unfiltered_html disabled. An attacker with admin-level access can execute arbitrary JavaScript in the context of user browsers visiting affected pages. A security patch is not yet available.
Stored XSS in the Citations tools WordPress plugin (versions up to 0.3.2) allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized shortcode parameters, which execute in the browsers of users viewing affected pages. The vulnerability requires authentication but affects all site visitors who access pages containing the injected code. No patch is currently available.
Simple Wp colorfull Accordion (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.
Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.