Skip to main content

XSS

38834 CVEs technique

Monthly

CVE-2026-1941 MEDIUM This Month

Stored cross-site scripting in WP Event Aggregator plugin through version 1.8.7 allows authenticated contributors and above to inject malicious scripts via the wp_events shortcode due to inadequate input sanitization. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available, leaving affected WordPress installations vulnerable.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1649 MEDIUM This Month

Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1943 MEDIUM This Month

Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2281 MEDIUM This Month

Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1807 MEDIUM This Month

InteractiveCalculator for WordPress (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1666 MEDIUM This Month

The Download Manager plugin for WordPress through version 3.3.46 contains a reflected XSS vulnerability in the 'redirect_to' parameter that allows unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1304 MEDIUM This Month

Stored Cross-Site Scripting in the Membership Plugin for WordPress versions up to 3.2.18 allows authenticated administrators to inject malicious scripts into invoice settings fields due to inadequate input sanitization. When other users access pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. Exploitation requires administrator-level access and no patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2025-12122 MEDIUM This Month

The Popup Box - Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-11737 MEDIUM This Month

VK All in One Expansion Unit (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1931 HIGH This Week

Stored cross-site scripting in the Rent Fetch WordPress plugin through version 0.32.4 allows unauthenticated attackers to inject malicious scripts via inadequately sanitized keyword parameters. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-6460 MEDIUM This Month

Display During Conditional Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13959 MEDIUM This Month

The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12037 MEDIUM This Month

WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-62183 This Week

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.

XSS
NVD
EPSS
0.1%
CVE-2025-33135 MEDIUM This Month

IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 versions up to 3.0.5.4 is affected by cross-site scripting (xss) (CVSS 6.1).

IBM XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2622 LOW POC Monitor

A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. [CVSS 3.5 LOW]

Java XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-26357 MEDIUM This Month

Stored cross-site scripting in Dell Unisphere for PowerMax 9.2.4.x allows authenticated remote attackers to inject malicious scripts that execute in users' browsers, potentially enabling session hijacking or credential theft. The vulnerability requires user interaction and carries a medium severity rating with no patch currently available.

XSS Information Disclosure
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-70846 HIGH This Week

lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) on the /tools/Password/add page in the input field password. [CVSS 7.1 HIGH]

XSS
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-27901 MEDIUM This Month

Db2 Recovery Expert versions up to 5.5.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).

IBM Linux Windows XSS Db2 Recovery Expert
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-36019 MEDIUM This Month

IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site scripting. [CVSS 6.1 MEDIUM]

IBM XSS Concert
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-23861 MEDIUM This Month

Cross-site scripting in Dell Unisphere for PowerMax vApp 9.2.4.x enables authenticated remote attackers to inject malicious scripts that execute in victim browsers, potentially compromising session tokens or stealing sensitive information. The vulnerability requires user interaction and low-level privileges, but no patch is currently available to address it.

XSS Information Disclosure
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-8303 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EKA Software Computer Information Advertising Services Ltd. [CVSS 6.5 MEDIUM]

XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1216 HIGH This Week

Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2002 MEDIUM This Month

Stored XSS in Forminator Forms plugin for WordPress (versions up to 1.50.2) allows authenticated administrators and delegated form managers to inject malicious scripts through the form_name parameter due to inadequate input sanitization. When users access pages containing injected forms, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2019-25395 HIGH POC This Week

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the preferences.cgi script that allow attackers to inject malicious scripts through the HOSTNAME, KEYMAP, and OPENNESS parameters. [CVSS 7.2 HIGH]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2019-25394 HIGH POC This Week

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the modem.cgi script that allow attackers to inject malicious scripts through POST parameters. [CVSS 7.2 HIGH]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2019-25393 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25392 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the IP parameter. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25390 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the interfaces.cgi script that allow attackers to inject malicious scripts through multiple parameters including GREEN_ADDRESS, GREEN_NETMASK, RED_DHCP_HOSTNAME, RED_ADDRESS, DNS1_OVERRIDE, DNS2_OVERRIDE, RED_MAC, RED_NETMASK, DEFAULT_GATEWAY, DNS1, and DNS2. [CVSS 5.4 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2019-25389 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the MACHINES parameter. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25388 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the ipblock.cgi endpoint. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25387 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the xtaccess.cgi endpoint. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25386 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dmzholes.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25385 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the MACHINE and MACHINECOMMENT parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25384 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the portfw.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25383 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the apcupsd.cgi script that allow attackers to inject malicious scripts through multiple POST parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25382 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTP_SERVER parameter. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25381 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25380 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dhcp.cgi script that allow attackers to inject malicious scripts through multiple parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25379 HIGH POC This Week

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains stored and reflected cross-site scripting vulnerabilities in the urlfilter.cgi endpoint that allow attackers to inject malicious scripts. [CVSS 7.2 HIGH]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2019-25378 MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple cross-site scripting vulnerabilities in the proxy.cgi endpoint that allow attackers to inject malicious scripts through parameters including CACHE_SIZE, MAX_SIZE, MIN_SIZE, MAX_OUTGOING_SIZE, and MAX_INCOMING_SIZE. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2101 HIGH This Week

ENOVIAvpm Web Access versions 1.16 through 1.19 contain a reflected XSS vulnerability that allows authenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session through a crafted URL. The vulnerability requires user interaction to trigger but can lead to session hijacking, credential theft, or malware distribution across the affected organization. No patch is currently available, requiring organizations to implement network-level mitigations or restrict access until a fix is released.

XSS
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-26930 HIGH This Week

SmarterTools SmarterMail before 9526 allows XSS via MAPI requests. [CVSS 7.2 HIGH]

XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-65717 MEDIUM POC This Month

An issue in Visual Studio Code Extensions Live Server v5.7.9 allows attackers to exfiltrate files via user interaction with a crafted HTML page. [CVSS 4.3 MEDIUM]

XSS Live Server
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2557 LOW POC Monitor

A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. [CVSS 3.5 LOW]

Java XSS File Upload
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-59905 MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability reflected in Kubysoft, which occurs through multiple parameters within the endpoint ‘/node/kudaby/nodeFN/procedure’. [CVSS 6.1 MEDIUM]

XSS Kubysoft
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-59904 MEDIUM This Month

Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessing the affected resource. [CVSS 5.4 MEDIUM]

XSS Kubysoft
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59903 MEDIUM This Month

Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. [CVSS 5.4 MEDIUM]

XSS Kubysoft
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2547 LOW POC Monitor

A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2546 LOW POC Monitor

A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2545 LOW POC Monitor

A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketSearch. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2019-25377 MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. [CVSS 5.4 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2019-25376 MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. [CVSS 6.1 MEDIUM]

XSS Opnsense
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25375 MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. [CVSS 6.1 MEDIUM]

XSS Opnsense
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25374 MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. [CVSS 6.1 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25373 MEDIUM POC This Month

OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. [CVSS 6.4 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25372 MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25371 MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25370 MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. [CVSS 6.1 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25369 MEDIUM POC This Month

OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. [CVSS 6.4 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25368 MEDIUM POC This Month

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. [CVSS 5.4 MEDIUM]

PHP XSS Opnsense Nextcloud
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2019-25367 MEDIUM POC This Month

ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. [CVSS 5.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1512 MEDIUM This Month

Stored XSS in Essential Addons for Elementor plugin (versions up to 6.5.9) allows authenticated contributors to inject malicious scripts into pages through the Info Box widget due to inadequate input sanitization. The injected scripts execute for all users viewing the affected pages, potentially leading to credential theft or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1843 HIGH This Week

Stored cross-site scripting in Super Page Cache for WordPress (versions up to 5.2.2) allows unauthenticated attackers to inject malicious scripts through the Activity Log due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-0550 MEDIUM This Month

The myCred WordPress plugin through version 2.9.7.3 contains a stored cross-site scripting vulnerability in the 'mycred_load_coupon' shortcode that allows authenticated contributors and above to inject malicious scripts into pages through inadequately sanitized shortcode attributes. When site visitors access pages containing the injected payload, the attacker's script executes in their browsers, potentially compromising user sessions and sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1985 MEDIUM This Month

Stored XSS in WordPress Press3D plugin (versions up to 1.0.2) allows authenticated authors to inject malicious JavaScript through unsanitized URL schemes in 3D model blocks, executing arbitrary scripts when users interact with affected content. The vulnerability requires author-level access or higher and impacts all installations of the vulnerable plugin versions without available patches.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1939 MEDIUM This Month

Stored XSS in the Percent to Infograph WordPress plugin (versions up to 1.0) allows authenticated users with contributor-level or higher privileges to inject malicious scripts through the percent_to_graph shortcode due to inadequate input sanitization. When pages containing the injected payload are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site security and user data.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1915 MEDIUM This Month

Stored cross-site scripting in the Simple Plyr WordPress plugin through version 0.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts via the 'poster' parameter in the plyr shortcode due to inadequate input validation. When victims visit pages containing the injected payload, the attacker's scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1910 MEDIUM This Month

Stored cross-site scripting in the UpMenu WordPress plugin through version 3.1 allows authenticated contributors and above to inject malicious scripts via the 'lang' shortcode attribute due to inadequate input sanitization and output escaping. When victims visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1905 MEDIUM This Month

Stored cross-site scripting in WordPress Sphere Manager plugin through version 1.0.2 allows authenticated users with Contributor privileges or higher to inject malicious scripts via the 'width' parameter in shortcodes due to improper input sanitization. Injected scripts execute in the browsers of any user viewing the affected page, potentially compromising site visitors. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1903 MEDIUM This Month

Stored XSS in the Ravelry Designs Widget WordPress plugin through version 1.0.0 allows authenticated contributors to inject malicious scripts into page shortcodes due to inadequate input sanitization. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. An active patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1901 MEDIUM This Month

Authenticated attackers with Contributor access or higher can inject malicious scripts into WordPress pages via the QuestionPro Surveys plugin's 'questionpro' shortcode, exploiting inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for versions up to 1.0.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1796 MEDIUM This Month

The StyleBidet WordPress plugin through version 1.0.0 fails to properly sanitize URL path parameters, enabling unauthenticated attackers to inject malicious scripts that execute in victim browsers. An attacker can exploit this reflected XSS vulnerability by crafting a malicious link and tricking users into clicking it, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1795 MEDIUM This Month

The Address Bar Ads plugin for WordPress versions up to 1.0.0 contains a reflected cross-site scripting vulnerability in the URL path due to inadequate input sanitization, allowing unauthenticated attackers to inject malicious scripts that execute when users click on crafted links. This attack requires user interaction and affects the confidentiality and integrity of affected sites. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1792 MEDIUM This Month

Stored XSS in the Geo Widget WordPress plugin through version 1.0 allows unauthenticated attackers to inject malicious scripts via insufficiently sanitized URL parameters that execute when users visit affected pages. The vulnerability requires user interaction to trigger but impacts all site visitors who access injected content. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1187 MEDIUM This Month

Stored cross-site scripting in the ZoomifyWP Free WordPress plugin through version 1.1 allows authenticated contributors and higher to inject malicious scripts via the filename parameter in the zoomify shortcode due to inadequate input sanitization. When other users visit pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or data. No patch is currently available for this vulnerability.

WordPress Zoom XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1096 MEDIUM This Month

Stored XSS in the Best-wp-google-map WordPress plugin through versions 2.1 allows authenticated contributors and above to inject malicious scripts via insufficiently sanitized latitude and longitude shortcode parameters. When other users view pages containing the injected shortcode, the attacker's scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0753 HIGH This Week

Reflected XSS in the Super Simple Contact Form WordPress plugin through version 1.6.2 allows unauthenticated attackers to inject malicious scripts via the 'sscf_name' parameter due to inadequate input sanitization. An attacker can exploit this by tricking users into clicking a crafted link, causing arbitrary JavaScript to execute in their browsers and potentially leading to session hijacking or credential theft. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-0751 MEDIUM This Month

Stored XSS in the Payment Page | Payment Form for Stripe WordPress plugin (versions up to 1.4.6) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the 'pricing_plan_select_text_font_family' parameter due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0736 MEDIUM This Month

Chatbot for WordPress by Collect.chat (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0735 MEDIUM This Month

Stored XSS in the WordPress User Language Switch plugin through the 'tab_color_picker_language_switch' parameter allows authenticated administrators to inject malicious scripts on multi-site installations or when unfiltered_html is disabled. The injected scripts execute in the context of other users accessing affected pages. This vulnerability affects all versions up to 1.6.10, with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0693 MEDIUM This Month

Allow HTML in Category Descriptions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0559 MEDIUM This Month

Stored cross-site scripting in MasterStudy LMS WordPress Plugin versions up to 3.7.11 allows authenticated contributors and above to inject malicious scripts through the 'stm_lms_courses_grid_display' shortcode due to insufficient input sanitization and output escaping. When users access pages containing the injected payload, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0557 MEDIUM This Month

Stored XSS in WordPress WP Data Access plugin versions up to 5.5.63 allows authenticated contributors and higher to inject malicious scripts into pages via the 'wpda_app' shortcode due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15483 MEDIUM This Month

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2027 MEDIUM This Month

AMP Enhancer plugin for WordPress versions up to 1.0.49 allows authenticated administrators to inject stored XSS payloads through the Custom CSS setting due to insufficient input sanitization, affecting multi-site installations and those with unfiltered_html disabled. An attacker with admin-level access can execute arbitrary JavaScript in the context of user browsers visiting affected pages. A security patch is not yet available.

WordPress XSS
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1912 MEDIUM This Month

Stored XSS in the Citations tools WordPress plugin (versions up to 0.3.2) allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized shortcode parameters, which execute in the browsers of users viewing affected pages. The vulnerability requires authentication but affects all site visitors who access pages containing the injected code. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1904 MEDIUM This Month

Simple Wp colorfull Accordion (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1754 MEDIUM This Month

The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1164 MEDIUM This Month

Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in WP Event Aggregator plugin through version 1.8.7 allows authenticated contributors and above to inject malicious scripts via the wp_events shortcode due to inadequate input sanitization. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available, leaving affected WordPress installations vulnerable.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

InteractiveCalculator for WordPress (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Download Manager plugin for WordPress through version 3.3.46 contains a reflected XSS vulnerability in the 'redirect_to' parameter that allows unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Membership Plugin for WordPress versions up to 3.2.18 allows authenticated administrators to inject malicious scripts into invoice settings fields due to inadequate input sanitization. When other users access pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. Exploitation requires administrator-level access and no patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Popup Box - Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

VK All in One Expansion Unit (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Rent Fetch WordPress plugin through version 0.32.4 allows unauthenticated attackers to inject malicious scripts via inadequately sanitized keyword parameters. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Display During Conditional Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS PHP
NVD
EPSS 0%
This Week

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 versions up to 3.0.5.4 is affected by cross-site scripting (xss) (CVSS 6.1).

IBM XSS
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. [CVSS 3.5 LOW]

Java XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Dell Unisphere for PowerMax 9.2.4.x allows authenticated remote attackers to inject malicious scripts that execute in users' browsers, potentially enabling session hijacking or credential theft. The vulnerability requires user interaction and carries a medium severity rating with no patch currently available.

XSS Information Disclosure
NVD
EPSS 0% CVSS 7.1
HIGH This Week

lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) on the /tools/Password/add page in the input field password. [CVSS 7.1 HIGH]

XSS
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Db2 Recovery Expert versions up to 5.5.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).

IBM Linux Windows +2
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site scripting. [CVSS 6.1 MEDIUM]

IBM XSS Concert
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting in Dell Unisphere for PowerMax vApp 9.2.4.x enables authenticated remote attackers to inject malicious scripts that execute in victim browsers, potentially compromising session tokens or stealing sensitive information. The vulnerability requires user interaction and low-level privileges, but no patch is currently available to address it.

XSS Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EKA Software Computer Information Advertising Services Ltd. [CVSS 6.5 MEDIUM]

XSS
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in Forminator Forms plugin for WordPress (versions up to 1.50.2) allows authenticated administrators and delegated form managers to inject malicious scripts through the form_name parameter due to inadequate input sanitization. When users access pages containing injected forms, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH POC This Week

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the preferences.cgi script that allow attackers to inject malicious scripts through the HOSTNAME, KEYMAP, and OPENNESS parameters. [CVSS 7.2 HIGH]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 7.2
HIGH POC This Week

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the modem.cgi script that allow attackers to inject malicious scripts through POST parameters. [CVSS 7.2 HIGH]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the IP parameter. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the interfaces.cgi script that allow attackers to inject malicious scripts through multiple parameters including GREEN_ADDRESS, GREEN_NETMASK, RED_DHCP_HOSTNAME, RED_ADDRESS, DNS1_OVERRIDE, DNS2_OVERRIDE, RED_MAC, RED_NETMASK, DEFAULT_GATEWAY, DNS1, and DNS2. [CVSS 5.4 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the MACHINES parameter. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the ipblock.cgi endpoint. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the xtaccess.cgi endpoint. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dmzholes.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the MACHINE and MACHINECOMMENT parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the portfw.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the apcupsd.cgi script that allow attackers to inject malicious scripts through multiple POST parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the NTP_SERVER parameter. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the dhcp.cgi script that allow attackers to inject malicious scripts through multiple parameters. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 7.2
HIGH POC This Week

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains stored and reflected cross-site scripting vulnerabilities in the urlfilter.cgi endpoint that allow attackers to inject malicious scripts. [CVSS 7.2 HIGH]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple cross-site scripting vulnerabilities in the proxy.cgi endpoint that allow attackers to inject malicious scripts through parameters including CACHE_SIZE, MAX_SIZE, MIN_SIZE, MAX_OUTGOING_SIZE, and MAX_INCOMING_SIZE. [CVSS 6.1 MEDIUM]

XSS Smoothwall Express
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH This Week

ENOVIAvpm Web Access versions 1.16 through 1.19 contain a reflected XSS vulnerability that allows authenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session through a crafted URL. The vulnerability requires user interaction to trigger but can lead to session hijacking, credential theft, or malware distribution across the affected organization. No patch is currently available, requiring organizations to implement network-level mitigations or restrict access until a fix is released.

XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

SmarterTools SmarterMail before 9526 allows XSS via MAPI requests. [CVSS 7.2 HIGH]

XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

An issue in Visual Studio Code Extensions Live Server v5.7.9 allows attackers to exfiltrate files via user interaction with a crafted HTML page. [CVSS 4.3 MEDIUM]

XSS Live Server
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. [CVSS 3.5 LOW]

Java XSS File Upload
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability reflected in Kubysoft, which occurs through multiple parameters within the endpoint ‘/node/kudaby/nodeFN/procedure’. [CVSS 6.1 MEDIUM]

XSS Kubysoft
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessing the affected resource. [CVSS 5.4 MEDIUM]

XSS Kubysoft
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. [CVSS 5.4 MEDIUM]

XSS Kubysoft
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketSearch. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. [CVSS 5.4 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. [CVSS 6.1 MEDIUM]

XSS Opnsense
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. [CVSS 6.1 MEDIUM]

XSS Opnsense
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. [CVSS 6.1 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. [CVSS 6.4 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. [CVSS 6.1 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. [CVSS 6.4 MEDIUM]

PHP XSS Opnsense
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM POC This Month

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. [CVSS 5.4 MEDIUM]

PHP XSS Opnsense +1
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM POC This Month

ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. [CVSS 5.4 MEDIUM]

XSS
NVD Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in Essential Addons for Elementor plugin (versions up to 6.5.9) allows authenticated contributors to inject malicious scripts into pages through the Info Box widget due to inadequate input sanitization. The injected scripts execute for all users viewing the affected pages, potentially leading to credential theft or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in Super Page Cache for WordPress (versions up to 5.2.2) allows unauthenticated attackers to inject malicious scripts through the Activity Log due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The myCred WordPress plugin through version 2.9.7.3 contains a stored cross-site scripting vulnerability in the 'mycred_load_coupon' shortcode that allows authenticated contributors and above to inject malicious scripts into pages through inadequately sanitized shortcode attributes. When site visitors access pages containing the injected payload, the attacker's script executes in their browsers, potentially compromising user sessions and sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Press3D plugin (versions up to 1.0.2) allows authenticated authors to inject malicious JavaScript through unsanitized URL schemes in 3D model blocks, executing arbitrary scripts when users interact with affected content. The vulnerability requires author-level access or higher and impacts all installations of the vulnerable plugin versions without available patches.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Percent to Infograph WordPress plugin (versions up to 1.0) allows authenticated users with contributor-level or higher privileges to inject malicious scripts through the percent_to_graph shortcode due to inadequate input sanitization. When pages containing the injected payload are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site security and user data.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Simple Plyr WordPress plugin through version 0.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts via the 'poster' parameter in the plyr shortcode due to inadequate input validation. When victims visit pages containing the injected payload, the attacker's scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the UpMenu WordPress plugin through version 3.1 allows authenticated contributors and above to inject malicious scripts via the 'lang' shortcode attribute due to inadequate input sanitization and output escaping. When victims visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in WordPress Sphere Manager plugin through version 1.0.2 allows authenticated users with Contributor privileges or higher to inject malicious scripts via the 'width' parameter in shortcodes due to improper input sanitization. Injected scripts execute in the browsers of any user viewing the affected page, potentially compromising site visitors. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Ravelry Designs Widget WordPress plugin through version 1.0.0 allows authenticated contributors to inject malicious scripts into page shortcodes due to inadequate input sanitization. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. An active patch is not currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Authenticated attackers with Contributor access or higher can inject malicious scripts into WordPress pages via the QuestionPro Surveys plugin's 'questionpro' shortcode, exploiting inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for versions up to 1.0.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The StyleBidet WordPress plugin through version 1.0.0 fails to properly sanitize URL path parameters, enabling unauthenticated attackers to inject malicious scripts that execute in victim browsers. An attacker can exploit this reflected XSS vulnerability by crafting a malicious link and tricking users into clicking it, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Address Bar Ads plugin for WordPress versions up to 1.0.0 contains a reflected cross-site scripting vulnerability in the URL path due to inadequate input sanitization, allowing unauthenticated attackers to inject malicious scripts that execute when users click on crafted links. This attack requires user interaction and affects the confidentiality and integrity of affected sites. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored XSS in the Geo Widget WordPress plugin through version 1.0 allows unauthenticated attackers to inject malicious scripts via insufficiently sanitized URL parameters that execute when users visit affected pages. The vulnerability requires user interaction to trigger but impacts all site visitors who access injected content. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the ZoomifyWP Free WordPress plugin through version 1.1 allows authenticated contributors and higher to inject malicious scripts via the filename parameter in the zoomify shortcode due to inadequate input sanitization. When other users visit pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or data. No patch is currently available for this vulnerability.

WordPress Zoom XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Best-wp-google-map WordPress plugin through versions 2.1 allows authenticated contributors and above to inject malicious scripts via insufficiently sanitized latitude and longitude shortcode parameters. When other users view pages containing the injected shortcode, the attacker's scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Reflected XSS in the Super Simple Contact Form WordPress plugin through version 1.6.2 allows unauthenticated attackers to inject malicious scripts via the 'sscf_name' parameter due to inadequate input sanitization. An attacker can exploit this by tricking users into clicking a crafted link, causing arbitrary JavaScript to execute in their browsers and potentially leading to session hijacking or credential theft. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Payment Page | Payment Form for Stripe WordPress plugin (versions up to 1.4.6) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the 'pricing_plan_select_text_font_family' parameter due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Chatbot for WordPress by Collect.chat (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the WordPress User Language Switch plugin through the 'tab_color_picker_language_switch' parameter allows authenticated administrators to inject malicious scripts on multi-site installations or when unfiltered_html is disabled. The injected scripts execute in the context of other users accessing affected pages. This vulnerability affects all versions up to 1.6.10, with no patch currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Allow HTML in Category Descriptions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in MasterStudy LMS WordPress Plugin versions up to 3.7.11 allows authenticated contributors and above to inject malicious scripts through the 'stm_lms_courses_grid_display' shortcode due to insufficient input sanitization and output escaping. When users access pages containing the injected payload, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress WP Data Access plugin versions up to 5.5.63 allows authenticated contributors and higher to inject malicious scripts into pages via the 'wpda_app' shortcode due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

AMP Enhancer plugin for WordPress versions up to 1.0.49 allows authenticated administrators to inject stored XSS payloads through the Custom CSS setting due to insufficient input sanitization, affecting multi-site installations and those with unfiltered_html disabled. An attacker with admin-level access can execute arbitrary JavaScript in the context of user browsers visiting affected pages. A security patch is not yet available.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Citations tools WordPress plugin (versions up to 0.3.2) allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized shortcode parameters, which execute in the browsers of users viewing affected pages. The vulnerability requires authentication but affects all site visitors who access pages containing the injected code. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Simple Wp colorfull Accordion (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
Prev Page 41 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy