Skip to main content

XSS

38814 CVEs technique

Monthly

CVE-2026-14068 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Chrome's Omnibox on iOS enables remote attackers to inject arbitrary scripts or HTML across security origins by luring users into performing specific UI gestures on a crafted page. Affected versions are Chrome for iOS prior to 150.0.7871.47; the desktop channel is not affected. No public exploit code or active exploitation has been identified at time of analysis, and EPSS sits at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating despite the scope-changed CVSS vector.

XSS Apple Google Suse
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-14001 MEDIUM PATCH This Month

Inappropriate implementation in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

Google XSS Suse
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-14000 MEDIUM PATCH This Month

Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

Google XSS Suse
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-13977 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's HTMLParser prior to 150.0.7871.47 enables remote attackers to inject arbitrary scripts or HTML into a victim's browser context by serving a crafted HTML page. The flaw is classified Medium severity by Google's Chromium security team and carries a CVSS 5.4 score, with EPSS at 0.17% (7th percentile) and no CISA KEV listing, indicating low current exploitation activity. A vendor-released patch exists in Chrome 150.0.7871.47; Chrome's auto-update mechanism substantially narrows the exposure window for most consumer endpoints.

XSS Google Suse
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-13957 MEDIUM PATCH This Month

Incorrect security UI in Google Chrome's Extensions subsystem prior to version 150.0.7871.47 enables Universal Cross-Site Scripting (UXSS), allowing script or HTML injection across web origins via a crafted HTML page. Exploitation requires that the victim user be socially engineered into installing a malicious extension, after which a crafted page triggers the CWE-79 flaw in the Extensions UI. No public exploit exists at time of analysis, EPSS sits at the 4th percentile, and CISA has not listed this in KEV, consistent with the SSVC exploitation:none assessment.

XSS Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-13836 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's CSS implementation prior to version 150.0.7871.47 allows a remote attacker to inject arbitrary scripts or HTML across origin boundaries by luring a victim to a crafted HTML page. The flaw exploits an inappropriate handling of CSS that causes Chrome's renderer to break the same-origin policy, enabling script execution in the context of other origins. No public exploit or CISA KEV listing has been identified; EPSS probability is very low (0.21%, 12th percentile), suggesting limited active exploitation at time of analysis.

XSS Google Suse
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-50040 MEDIUM PATCH CISA This Month

Reflected XSS in Stonefly Storage Concentrator (SC) and Storage Concentrator Virtual Machine (SCVM) allows an unauthenticated attacker to craft a malicious URL that, when opened by an authenticated storage administrator, causes arbitrary JavaScript to execute within the victim's browser session under the application's origin. The vulnerability stems from unsanitized user-supplied content being echoed directly into 404 error page responses, enabling session cookie theft, unauthorized administrative actions, or user redirection against storage management infrastructure. Reported via ICS-CERT (CISA advisory ICSA-26-181-06), no public exploit code or CISA KEV listing has been identified at time of analysis, though the ICS/OT context amplifies the downstream impact of successful exploitation.

XSS Storage Concentrator Storage Concentrator Virtual Machine
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-10585 MEDIUM This Month

Stored cross-site scripting in GitHub Enterprise Server's Q&A Discussion feature allows an authenticated attacker to execute arbitrary JavaScript in any visiting user's browser by embedding a crafted payload into a Discussion title. The AnsweredQuestionStructuredDataComponent unsafely injects user-controlled titles into a server-rendered <script type="application/ld+json"> block, enabling script-context breakout; the attacker then leverages JSONP callback support in the GHES REST API to load arbitrary JavaScript and bypass the Content Security Policy entirely. No public exploit or CISA KEV listing exists at time of analysis, but the CSP bypass mechanism substantially elevates practical impact beyond typical stored XSS, enabling full session hijacking of any user who views the malicious Discussion.

XSS Enterprise Server
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-28322 MEDIUM This Month

Stored cross-site scripting in SolarWinds Database Performance Analyzer enables a highly privileged, adjacent-network attacker to persist malicious scripts in the application that execute within other users' browsers upon page load. The CVSS vector (AV:A/AC:H/PR:H/UI:R) imposes substantial constraints - adjacency, high complexity, admin-level credentials, and victim interaction are all required - limiting realistic risk to insider-threat or post-compromise scenarios. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Database Performance Analyzer
NVD
CVSS 3.1
5.6
EPSS
0.2%
CVE-2026-56356 npm MEDIUM PATCH This Month

Stored XSS in n8n's Chat Trigger node allows authenticated workflow editors to inject JavaScript through a misconfigured sanitize-html filter in the Custom CSS field, which then executes in the browsers of every user visiting the public chat page. Affected are all 1.x releases before 1.123.27, the 2.0.0-2.13.2 range, and 2.14.0; fixed versions are 1.123.27, 2.13.3, and 2.14.1. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS 4.0 score of 5.1 reflects the authenticated prerequisite and bounded per-user impact.

XSS N8n
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-11594 MEDIUM PATCH This Month

Stored/reflected cross-site scripting in the administrative console of IBM WebSphere Application Server 9.0 and 8.5 lets an adjacent-network attacker inject malicious script that executes in an administrator's browser session. Because the CVSS scope is changed and impact is rated high, a successful injection could let the attacker hijack the privileged admin session and pivot to broader server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available.

XSS IBM Websphere Application Server
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2025-36320 MEDIUM PATCH This Month

Stored cross-site scripting in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 allows authenticated low-privileged users to inject persistent JavaScript into the Web UI, which then executes within the browser sessions of other authenticated users visiting the affected page. The CVSS scope change (S:C) confirms the payload crosses the security boundary from the attacker's session into victims' sessions, enabling credential harvesting within trusted contexts. No public exploit code or CISA KEV listing has been identified at time of analysis, but the stored and persistent nature of the injection elevates operational impact beyond what the 6.4 base score alone conveys.

XSS IBM Watsonx Data Intelligence
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2025-36321 MEDIUM PATCH This Month

HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to plant malicious HTML content that executes in a victim's browser within the hosting site's security context. The CVSS vector (PR:L/UI:R/C:H) confirms exploitation requires low-privilege authentication and a second user to view the injected content, with the primary impact being confidentiality loss - such as session token theft or credential harvesting. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; a vendor patch is available via IBM advisory 7277801.

XSS IBM Watsonx Data Intelligence
NVD
CVSS 3.1
5.7
EPSS
0.4%
CVE-2025-36323 MEDIUM PATCH This Month

Cross-site scripting in IBM watsonx.data Intelligence 5.2.0 through 5.3.0 allows low-privileged authenticated users to inject arbitrary JavaScript into the Web UI, enabling credential theft or session hijacking against higher-privileged victims. The CVSS scope change (S:C) confirms the injected script executes in the victim's browser context, crossing trust boundaries within the platform. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; IBM has released a patch via advisory PSIRT.

XSS IBM Watsonx Data Intelligence
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-11712 CRITICAL Act Now

Cross-site scripting in IBM WebSphere Application Server 9.0 and 8.5 lets a remote attacker inject malicious script into the administrative console help system, which executes in the browser session of an administrator who is lured into viewing the crafted content. Because the payload runs inside an authenticated admin context, it can be abused to hijack the console session, manipulate configuration, or steal sensitive credentials. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires the victim administrator to interact with the malicious content (UI:R).

XSS IBM Websphere Application Server
NVD VulDB
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-11708 CRITICAL Act Now

Cross-site scripting in IBM WebSphere Application Server 9.0 and 8.5 lets an attacker inject malicious script into the administrative console's integrated help system, which then executes in the browser of an administrator who views the affected page. Successful exploitation can hijack the admin session or perform actions in the console UI context. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, so risk is currently theoretical rather than actively exploited.

XSS IBM Websphere Application Server
NVD VulDB
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-10513 HIGH This Week

Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the provided data.

WordPress XSS Webmention
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-58371 LOW POC PATCH Monitor

Unvalidated JSONP callback reflection in SeaweedFS before 4.30 enables cross-origin reads of cluster topology, volume server URLs, gRPC ports, file identifiers, and directory listings from unauthenticated endpoints reachable in the default deployment configuration. The shared `writeJson` helper in `weed/server/common.go` concatenates the `callback` query parameter verbatim into `application/javascript` responses with no allowlist validation, no `X-Content-Type-Options: nosniff` header, and no CORS policy, allowing attacker-controlled pages to load these endpoints via script tags and receive cluster metadata through the injected callback. A public proof-of-concept exists; the vulnerability is not in CISA KEV; the CVSS 4.0 score of 2.3 reflects constrained direct impact due to required user interaction and high attack complexity, though the leaked reconnaissance data elevates chained-attack risk.

XSS Seaweedfs
NVD GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-48307 HIGH This Week

Reflected Cross-Site Scripting in Adobe ColdFusion 2025.9, 2023.20 and earlier lets an attacker craft a malicious link that, when opened by a victim, injects and executes attacker-controlled script in the victim's browser session, with Adobe characterizing the impact as potential arbitrary code execution in the context of the current user. Because the CVSS scope is changed and confidentiality, integrity and availability impacts are all rated High, a successful attack against an authenticated ColdFusion administrator could compromise the management interface. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS RCE Coldfusion
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-8403 MEDIUM PATCH This Month

Stored cross-site scripting in SYSGUARD 6001 (versions 2.0.2 through before 6.1.4.0) by Eksagate Electronic Engineering and Computer Industry Trade Inc. permits remote unauthenticated attackers to inject persistent malicious scripts into the product's web interface, which execute in the browsers of any user who subsequently views the affected page. The vendor has confirmed the product is end-of-life and unsupported, meaning no patch will ever be issued, leaving all in-scope deployments permanently vulnerable. No public exploit code or CISA KEV listing exists at time of analysis.

XSS Sysguard 6001
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-8141 HIGH This Week

Stored cross-site scripting in the Ajax Load More - Filters WordPress plugin (all versions through 3.4.1) lets unauthenticated attackers persist arbitrary JavaScript via the 'taxonomy_include_children' parameter, which then executes in the browser of any user who loads an affected page. Wordfence rates it CVSS 7.2 with a changed scope, reflecting that injected script runs in the context of other site visitors and administrators. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

WordPress XSS Ajax Load More Filters
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-6954 MEDIUM This Month

Reflected Cross-Site Scripting in Intermark IT's WebControl CMS v3.5 allows an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the 'urlDestino' parameter of the '/portal.do' endpoint. Successful exploitation enables session cookie theft, phishing overlay injection, and unauthorized actions performed within the victim's authenticated session context. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 score of 5.1 reflects a meaningful subsequent-system integrity impact via the user's browser.

XSS Webcontrol Cms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-6953 MEDIUM This Month

HTML injection in Intermark IT's WebControl CMS v3.5 enables unauthenticated remote attackers to embed malicious markup in outbound emails generated by the contact form, delivered to recipients such as site administrators. Exploitation targets three unsanitized parameters — 'nombreApellidos', 'dirección', and 'comentarios' — in a POST request to '/processContact.do', with the injected content rendered when the recipient opens the resulting email in an HTML-capable mail client. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 5.1 reflects limited scope impact confined to the recipient's mail client.

XSS Webcontrol Cms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-56809 MEDIUM This Month

Reflected cross-site scripting in Ricoh Web Image Monitor allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in the browser of any user who visits a specially crafted URL pointing to the printer's web management interface. The vulnerability affects multiple Ricoh laser printer and MFP product lines that ship with Web Image Monitor, as documented by JPCERT/CC and Ricoh's own security advisory. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

XSS Multiple Laser Printers And Mfps Which Implement Ricoh Web Image Monitor
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-11589 HIGH POC This Week

Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided.

WordPress XSS Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-12560 MEDIUM This Month

Stored Cross-Site Scripting in the Editorial Rating - Product Review & Rating System WordPress plugin (versions ≤ 4.0.5) enables authenticated administrators to inject persistent JavaScript payloads via the 'Link URL' field, which execute in any site visitor's browser upon loading an affected review page. The attack exploits a WordPress-specific sanitization bypass: because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than post_content or post_excerpt, WordPress's unfiltered_html capability exemption does not apply, meaning the restriction affects all administrators regardless of their unfiltered_html status. No public exploit has been identified at time of analysis and no active exploitation is confirmed; real-world risk is substantially constrained by the PR:H (administrator) prerequisite.

WordPress XSS Editorial Rating Product Review Rating System
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-12114 MEDIUM This Month

Persistent script injection in the Team Members - Multi Language Supported Team Plugin for WordPress (all versions through 8.7) enables authenticated administrators to embed malicious JavaScript into site pages via insufficient sanitization and escaping in admin settings fields, with injected payloads executing silently for every subsequent page visitor. The vulnerability is constrained to two non-default deployment scenarios: WordPress multisite network installations and single-site installations where the unfiltered_html capability has been explicitly revoked from administrators - standard single-site installs are unaffected. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept exists, placing real-world risk well below what the scope-changed CVSS vector might initially suggest.

WordPress XSS Team Members Multi Language Supported Team Plugin
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-52760 MEDIUM PATCH This Month

Stored cross-site scripting in Apache ActiveMQ Web Console allows an authenticated message producer to inject malicious JavaScript via a crafted JMS message ID, which executes in the browser of any administrator who browses the affected queue. The browse page renders message IDs without HTML sanitization, enabling privilege escalation from producer to administrator via session hijacking or credential theft. No public exploit identified at time of analysis and not listed in CISA KEV; rated moderate severity by Apache, consistent with the authentication prerequisite and required user interaction.

XSS Apache Activemq Activemq Web
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-50229 MEDIUM POC PATCH This Month

Reflected XSS in Apache Tomcat's bundled 'number guess' example application exposes users of that demo page to script injection across all major Tomcat release lines from 7.0 through 11.0. The flaw resides in a sample JSP/servlet, not the core Tomcat runtime, meaning exploitation depends entirely on the example application being deployed and accessible - a configuration that violates standard production hardening guidance. No public exploit code or active exploitation has been identified at time of analysis; no CVSS vector was assigned by the reporter.

XSS Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-54889 MEDIUM PATCH This Month

Cross-site scripting in MDEx (Elixir Markdown library by leandrocp), versions 0.8.3 through 0.13.1, allows any attacker who can supply Markdown content to inject javascript: URLs that execute in the browser of any user who views the downstream-rendered output. The MDEx to_delta/2 function copies link, wikilink, and image URLs verbatim into Quill Delta attributes without a scheme allowlist, meaning a crafted payload like [click](javascript:alert(document.cookie)) survives intact; when a downstream renderer such as quill-delta-to-html converts that Delta to HTML, the javascript: scheme becomes an executable href. No public exploit has been identified at time of analysis, though the attack requires only standard Markdown syntax, and a vendor-released patch is available in version 0.13.2.

XSS Mdex
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-53427 LOW PATCH Monitor

Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Markdown content to inject arbitrary HTML and JavaScript into rendered output viewed by other users, enabling session theft and account takeover. The flaw exists in the native Rust code shared between the mdex (0.11.3-0.12.2) and mdex_native (0.1.0-0.2.2) packages, where the highlight_lines_class code-fence attribute is interpolated into per-line HTML div class attributes without escaping. Exploitation requires a non-default rendering configuration (full_info_string: true with syntax highlighting enabled); no public exploit identified at time of analysis, and vendor-released patches are available.

XSS Mdex Mdex Native
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-57958 MEDIUM This Month

Reflected XSS in Mixpost through version 2.6.0 enables unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by delivering crafted OAuth callback URLs containing malicious error query parameters. The OAuth callback controller fails to sanitize error parameters before routing them through Laravel flash messages, which are then rendered by Vue's v-html directive without HTML escaping - creating a direct injection path into the DOM. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make delivery straightforward once a victim is identified.

XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-57948 HIGH This Week

Session hijacking in Pinpoint (open-source APM) through version 3.1.0 stems from the pinpointJwt session cookie being issued without the HttpOnly and Secure flags, letting client-side JavaScript read it via document.cookie and allowing it to traverse cleartext HTTP. An attacker who can land a stored or reflected XSS payload, or who can sniff network traffic, can steal the JWT session token and impersonate the victim. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; the CVSS 4.0 base score is 7.6.

XSS
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.1%
CVE-2026-57338 HIGH This Week

Reflected cross-site scripting in the ARForms WordPress plugin (versions 7.1.2 and earlier) lets an unauthenticated remote attacker inject script into a victim's browser when the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can affect the broader WordPress session/DOM context rather than only the form. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Arforms
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57337 HIGH This Week

Cross-site scripting in the PluginOps Landing Page Builder WordPress plugin (versions <= 1.5.3.5) lets unauthenticated remote attackers inject script that executes in a victim's browser, with a scope change (S:C) indicating the payload can affect resources beyond the vulnerable component. The flaw requires victim interaction (UI:R) such as visiting a crafted link or page, and yields low-level confidentiality, integrity, and availability impact (CVSS 7.1). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Landing Page Builder
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57336 HIGH This Week

Cross-site scripting in the Jobify WordPress job-board theme (Astoundify) through version 4.3.2 lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim is lured into triggering a crafted request or link. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs outside the vulnerable component's own boundary, enabling session theft or actions in the WordPress context. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

XSS Jobify
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57333 HIGH This Week

Reflected cross-site scripting in the Link Whisper Free WordPress plugin (versions 0.9.4 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The scope-change CVSS vector (S:C) indicates the injected script can affect resources beyond the vulnerable plugin context, such as the broader WordPress admin or site session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; reported by Patchstack.

XSS Link Whisper Free
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57330 MEDIUM This Month

Stored Cross-Site Scripting in the MasterStudy LMS WordPress plugin (versions <= 3.7.27) allows authenticated subscriber-level users to inject malicious scripts that execute in the browsers of higher-privileged users such as administrators. The vulnerability carries a Scope:Changed CVSS vector, meaning successful exploitation breaks the browser security boundary and can impact resources beyond the plugin itself - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber role) widens the attacker pool considerably on sites with open or paid user registration.

XSS Masterstudy Lms
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57329 MEDIUM This Month

Stored Cross-Site Scripting in WooCommerce Designer Pro (WordPress plugin) versions 1.9.34 and earlier allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The scope change (S:C in CVSS) indicates injected payloads can cross privilege boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the subscriber-level entry point lowers the bar for exploitation on any site permitting account registration.

WordPress XSS Woocommerce Designer Pro
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57328 MEDIUM This Month

Cross-site scripting in the Business Directory WordPress plugin (versions 6.4.22 and earlier) allows authenticated subscriber-level users to inject arbitrary JavaScript that executes in other users' browsers. The scope-change indicator in the CVSS vector (S:C) confirms the payload can cross trust boundaries - most critically, scripts injected by a low-privilege subscriber can execute in the context of a higher-privilege user such as an administrator. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Business Directory
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57326 MEDIUM This Month

Unauthenticated cross-site scripting in the Business Directory WordPress plugin (versions <= 6.4.22) allows remote attackers without any authentication to inject and store arbitrary JavaScript that executes in the context of a victim's browser when they visit an affected page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-accessible exploitation requiring no privileges, with a scope change indicating the payload crosses from the plugin's execution context into the victim's browser session. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated nature and low complexity lower the barrier to abuse significantly.

XSS Business Directory
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-57320 HIGH This Week

Reflected/stored cross-site scripting in the WordPress plugin BEAR (realmag777's WooCommerce Bulk Editor and Products Manager, woo-bulk-editor) version 1.1.8 and earlier allows an unauthenticated remote attacker to inject malicious script that executes in a victim's browser when the victim is lured to interact with a crafted request. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation that requires user interaction and crosses a security scope boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack.

XSS Bear
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-13570 LOW Monitor

Stored cross-site scripting in SourceCodester Inventory Management System 1.0 allows a low-privileged remote attacker to inject arbitrary JavaScript via the `full_name` parameter of the User Registration Endpoint at `/api/users_handler.php`. When a privileged user such as an administrator subsequently views the stored user data, the malicious script executes in their browser context, enabling session hijacking, credential theft, or UI redress. Public exploit code exists per VulDB (E:P in CVSS 4.0 vector); however, this vulnerability is not listed in CISA KEV and carries a low CVSS 4.0 base score of 2.0, indicating limited real-world severity.

XSS PHP Inventory Management System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13567 LOW POC Monitor

Cross-site scripting in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to inject malicious scripts via the feedback form's fname, femail, faddress, or fmessage parameters handled by /Frontend/Feedback.php. The CVSS 4.0 score of 2.1 (Low) reflects the UI:P requirement - a victim must interact with the crafted content for the payload to execute, limiting autonomous exploitation. A public proof-of-concept is available via GitHub, though no confirmed active exploitation (CISA KEV) has been recorded.

XSS PHP Online Music Site
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13558 LOW Monitor

Stored cross-site scripting in CodeAstro Complaint Management System 1.0 allows a low-privileged authenticated user to inject persistent malicious scripts via the Report Title field at the /report/addreport endpoint, which then execute in the context of any administrator who views the submitted report. The GitHub-published proof-of-concept confirms the payload is stored and surfaces in the admin panel, enabling session hijacking or admin-context actions without further attacker interaction after initial submission. A public exploit has been released; however, no active exploitation has been confirmed by CISA KEV.

XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%
CVE-2026-13557 LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject arbitrary JavaScript via the unsanitized `Name` parameter in POST requests to `/admin/mod_room/controller.php?action=add`. The CVSS 4.0 base score of 2.1 reflects constrained real-world impact: only vulnerable-system integrity is affected (VI:L), user interaction is required (UI:P), and no confidentiality or availability impact is assessed. A publicly available exploit exists (E:P per CVSS 4.0 supplemental vector), but no active exploitation has been confirmed via CISA KEV, consistent with the niche deployment footprint of this free PHP educational project.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-13556 LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject malicious JavaScript via the Name argument in a POST request to /admin/mod_users/controller.php?action=edit. The vulnerability requires a victim to interact with the crafted content (CVSS 4.0 UI:P), limiting its reach but not eliminating risk against administrative users. A publicly disclosed proof-of-concept exploit exists per VulDB submission 843586, though no public exploit identified at time of analysis in CISA KEV.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-13554 LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 enables remote attackers to inject arbitrary JavaScript via the Name parameter in the amenities management POST handler at /admin/mod_amenities/controller.php?action=add. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) confirms no authentication or special attack conditions are required to submit the payload, but passive user interaction - an admin browsing the amenities panel - is needed to trigger execution. A proof-of-concept exploit has been publicly disclosed via GitHub (VulDB submission 843584), though no active exploitation has been confirmed by CISA KEV.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-10083 HIGH POC PATCH NEWS This Week

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

WordPress XSS Apcu Manager
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13536 LOW POC Monitor

Reflected cross-site scripting in GotoHTTP up to version 10.2 allows remote attackers to inject arbitrary JavaScript via the `sn` parameter in the `/reg.12x` endpoint. A publicly available proof-of-concept exploit exists (GitHub issue linked in references). The vendor has acknowledged the flaw and removed the parameter echo from source code, but explicitly declined to release a patched build immediately, stating the affected URL is not normally surfaced in a browser or exposed to end users - a claim that partially limits real-world risk but does not eliminate it. No active exploitation confirmed (not in CISA KEV); however, the public POC lowers the bar for abuse.

XSS Gotohttp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13504 LOW POC Monitor

Cross-site scripting in code-projects Project Management System 1.0 allows a remote authenticated attacker to inject malicious scripts via the /mail.php Mail Compose Page, targeting other users who interact with the crafted mail content. The CVSS 4.0 vector (PR:L/UI:P) confirms exploitation requires a low-privileged authenticated session and passive victim interaction, limiting scope but not eliminating risk in shared environments. A public proof-of-concept exploit has been disclosed on GitHub; no KEV listing and no vendor patch have been identified at time of analysis.

XSS PHP Project Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13499 LOW POC Monitor

Cross-site scripting in yashpokharna2555/restaurent-management-system allows remote unauthenticated attackers to inject arbitrary client-side script via the Username argument in login_register.php's Registration Handler. The payload executes in the browser of any user who subsequently views the tainted data - most likely an administrator reviewing registered accounts. A public exploit exists per VulDB and GitHub issue #4; no public exploit identified as confirmed actively exploited (CISA KEV). The CVSS 4.0 base score of 2.1 reflects the limited scope and required victim interaction, but the availability of a POC elevates practical risk for any deployment.

XSS PHP Restaurent Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-12399 MEDIUM This Month

Stored Cross-Site Scripting in the Gutenverse WordPress Blocks, Page Builder & Site Editor plugin (all versions through 3.8.0) enables authenticated editor-level users to persist arbitrary JavaScript into pages served to any site visitor. The vulnerability is constrained to WordPress multi-site installations or single-site deployments where unfiltered_html has been explicitly disabled. No public exploit has been identified at time of analysis, and a upstream fix commit (changeset 3578328) has been published to the WordPress plugin repository.

WordPress XSS Gutenverse Wordpress Blocks Page Builder Site Editor
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-11597 MEDIUM This Month

Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress XSS Surbma Infusionsoft Shortcode
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13295 MEDIUM This Month

Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.

WordPress XSS Page Builder By Siteorigin
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-11783 MEDIUM This Month

Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.

WordPress XSS Dokan
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9677 MEDIUM This Month

The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-13245 MEDIUM This Month

Reflected Cross-Site Scripting in the MaxButtons - Create buttons WordPress plugin (versions up to and including 9.8.5) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'view' parameter, executing in the victim's browser context when a crafted URL is clicked. The flaw is traced to insufficient input sanitization in listController.php and maxbuttons-list.php, as confirmed by Wordfence and source-level references in the WordPress plugin repository. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make social-engineering-based exploitation straightforward.

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-11356 MEDIUM This Month

Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.

WordPress XSS Ivory Search Wordpress Search Plugin
NVD VulDB
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-13335 MEDIUM This Month

Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.

WordPress XSS Google Codepeople Post Map For Google Maps
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-44696 MEDIUM PATCH This Month

CSS injection in OpenProject's rich text rendering pipeline prior to version 17.4.0 allows any authenticated user with write access to inject arbitrary CSS into formattable text fields (work package descriptions, comments, project descriptions, news). The misconfigured Sanitize::Config::RELAXED[:css] setting permits all CSS properties on permitted HTML elements, enabling UI redressing, phishing overlays, and potential CSS-based side-channel data exfiltration when a victim views the malicious content. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vendor-released fix is available in 17.4.0.

XSS Openproject
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-52781 MEDIUM PATCH This Month

Stored XSS in OpenProject's HTML sanitizer allows authenticated project contributors to execute arbitrary Turbo Stream actions - including forced redirects - in every other user's authenticated browser session. The sanitizer's `:data` wildcard for `<macro>` elements permits injection of `data-controller` attributes that Stimulus.js silently mounts, chaining an attacker-uploaded attachment through `renderStreamMessage()` to achieve cross-user session manipulation without victim interaction beyond viewing the work package. Patch-confirmed by vendor GitHub Security Advisory GHSA-q33w-f822-hg8x; no public exploit identified at time of analysis.

XSS Openproject
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-57656 MEDIUM This Month

Stored/reflected Cross-Site Scripting in the Hester Core WordPress plugin (versions ≤ 1.1.8) allows a high-privileged authenticated user to inject malicious JavaScript into author-related fields, which then executes in victims' browsers when they view affected content. The CVSS scope change (S:C) confirms the injected script escapes the originating context and impacts other users' sessions, potentially enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing has been identified at time of analysis, limiting immediate widespread risk despite the cross-user impact.

XSS
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-57651 MEDIUM This Month

Cross-site scripting in the Ghost Kit WordPress plugin (versions ≤ 3.6.0) allows authenticated Contributor-level users to inject and store malicious JavaScript payloads via plugin block fields or parameters. When a higher-privileged user - such as an editor or administrator - views the affected content, the attacker's script executes in that user's browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. No CISA KEV listing or public exploit has been identified at time of analysis; however, the CVSS scope-change indicator (S:C) reflects meaningful cross-user impact that can translate to full site compromise if an admin session is hijacked.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57650 MEDIUM This Month

Stored Cross-Site Scripting in the Magazine Blocks WordPress plugin (versions ≤ 1.8.3) allows authenticated contributors to inject persistent malicious JavaScript into page content. Because the vulnerability carries a scope change (S:C in CVSS), successful exploitation targets the browsers of higher-privileged users - typically editors or administrators - who view the affected content. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57638 MEDIUM This Month

Stored cross-site scripting in the Fluent Booking WordPress plugin (versions up to and including 2.1.0) enables authenticated contributors to inject arbitrary JavaScript into booking-related content that executes in the browser of any higher-privileged user who reviews or views that content. The CVSS Scope:Changed metric confirms the payload escapes the contributor's low-privilege context and compromises the browser session of editors or administrators, enabling session hijacking or unauthorized privileged actions. No public exploit code or CISA KEV listing exists at time of analysis, but the vulnerability was confirmed and disclosed by Patchstack.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57629 MEDIUM This Month

Cross-site scripting in the StatCounter WordPress plugin (versions up to and including 2.1.1) allows authenticated Contributor-level users to inject persistent malicious scripts into content that executes in the browser context of higher-privileged users who view that content. The CVSS scope change (S:C) indicates the payload can reach sessions beyond the attacker's own - most critically Administrator sessions - enabling session hijacking, credential theft, or unauthorized administrative actions such as creating backdoor accounts. No public exploit identified at time of analysis, and no confirmed active exploitation (no CISA KEV listing).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57618 MEDIUM This Month

Cross-site scripting in the Neve PRO WordPress theme addon (versions up to and including 3.1.2) allows a contributor-level authenticated user to inject persistent malicious JavaScript that executes in the browser context of other users, including administrators. The S:C scope change in the CVSS vector confirms the payload escapes the WordPress application boundary and executes in the victim's browser session, enabling session hijacking, credential theft, or admin-level privilege escalation. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in the medium-priority tier despite the scope-changed impact.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57617 MEDIUM PATCH This Month

Stored Cross-Site Scripting in SeedProd Pro WordPress plugin (versions below 6.19.5) allows an authenticated Contributor-level user to inject malicious JavaScript that executes in the context of other users' browsers, including administrators. The changed scope (S:C) in the CVSS vector confirms the impact crosses from the plugin's trust boundary into victims' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but patch availability is confirmed by the vendor via Patchstack.

XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57431 MEDIUM This Month

Stored Cross-Site Scripting in the Featured Image WordPress plugin (≤ 2.1) allows an authenticated Author-level user to inject malicious JavaScript via featured image metadata, which then executes in the browsers of other users - including administrators - who view the affected content. The Scope:Changed CVSS metric confirms the payload escapes the author's own session and can compromise higher-privileged accounts, making privilege escalation the primary real-world risk. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57325 HIGH This Week

Cross-Site Scripting in the NanoMag WordPress theme (versions 1.8 and earlier) lets unauthenticated remote attackers inject browser-executed script that runs in the context of a victim lured into following a crafted link or loading an attacker-influenced page. The CVSS 3.1 score is 7.1 with a scope change, reflecting that script executes beyond the vulnerable component into the user's session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57322 HIGH This Week

Reflected cross-site scripting in the weMail WordPress plugin (versions 2.1.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The scope-changed CVSS 3.1 score of 7.1 reflects that the injected script runs in the WordPress site context, potentially affecting authenticated admin sessions. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57319 HIGH This Week

Reflected/stored cross-site scripting in the FOX - Currency Switcher Professional for WooCommerce WordPress plugin (versions 1.4.8 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. Because the CVSS scope is marked changed, successful injection can affect resources beyond the vulnerable component, including the broader site session. This was reported by Patchstack (CVE-2026-57319, CVSS 7.1); no public exploit code has been identified and it is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57317 HIGH This Week

Cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions <= 1.6.12.2) lets unauthenticated remote attackers inject script that executes in a victim's browser when they load a crafted page or follow a crafted link. The CVSS:3.1 vector (PR:N, UI:R, S:C) confirms no authentication is required but a user must interact, and the Changed scope reflects script crossing the security boundary into the visitor's browser context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through Patchstack's vulnerability research program.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57314 HIGH This Week

Reflected cross-site scripting in the SureCart WordPress e-commerce plugin (versions 4.3.2 and earlier) lets unauthenticated remote attackers inject browser-executed script by luring a victim to a crafted link. Because the CVSS scope is changed (S:C), the injected payload can act in the security context of the WordPress session, enabling theft of admin session data or actions performed on the victim's behalf. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Patchstack has cataloged it as a confirmed reflected XSS.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57313 MEDIUM This Month

Stored Cross-Site Scripting in SureCart WordPress plugin versions up to and including 4.2.2 allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The 'Subscriber' designation in the CVE title confirms exploitation requires only a low-privilege WordPress account, lowering the barrier to attack significantly for sites with open registration. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57312 HIGH This Week

Reflected cross-site scripting in the Everest Forms WordPress plugin (versions 3.4.8 and earlier) lets an unauthenticated attacker craft a malicious link that, when opened by a victim, executes arbitrary JavaScript in the victim's browser under the affected site's origin. The CVSS:3.1 base score is 7.1 (scope-changed, low impact across C/I/A) and exploitation requires victim user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56072 HIGH This Week

Reflected cross-site scripting in the WoodMart premium WooCommerce/WordPress theme (versions up to and including 8.5.3) allows unauthenticated remote attackers to inject script that executes in a victim's browser when the victim is lured into triggering a crafted request. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with a changed scope, reflecting impact that crosses from the theme into the user's authenticated session context. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56047 HIGH This Week

Reflected cross-site scripting in the Perfmatters WordPress plugin (versions 2.6.3 and earlier) allows unauthenticated attackers to inject malicious script that executes in a victim's browser when they follow a crafted link. The scope-changed CVSS 3.1 score of 7.1 reflects that successful exploitation can affect resources beyond the vulnerable component, such as an authenticated administrator's session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56046 MEDIUM This Month

Stored Cross-Site Scripting in ListingPro WordPress theme versions 2.9.11 and below allows authenticated subscriber-level users to inject malicious JavaScript that executes in the browsers of other users who view the affected page. The CVSS scope change (S:C) confirms the injected payload breaks out of the application's security boundary and runs in the victim's browser context, enabling session hijacking or unauthorized actions on behalf of higher-privileged users. No public exploit code or active exploitation has been identified at time of analysis.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56045 HIGH PATCH This Week

Stored/reflected cross-site scripting in the WP Automatic WordPress plugin (versions before 3.135.1) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they visit or interact with a crafted resource. The CVSS 3.1 score is 7.1 with a scope change (S:C), reflecting that injected script can affect components beyond the vulnerable plugin context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56044 HIGH This Week

Stored/reflected Cross-Site Scripting in the Blog2Social WordPress plugin (versions 8.9.2 and earlier) lets unauthenticated remote attackers inject malicious JavaScript that executes in a victim's browser when they view an affected page. The CVSS 3.1 vector (AV:N/PR:N/UI:R) indicates no authentication is required but the victim must take an action such as visiting a crafted URL. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied with this report from Patchstack.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56043 HIGH This Week

Stored/reflected Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (versions up to and including 5.110.1) lets unauthenticated attackers inject malicious script that executes in a victim's browser when they view the affected page. The CVSS:3.1 vector (AV:N/PR:N/UI:R, scope changed) indicates network-reachable, no-authentication exploitation that requires the victim to interact with attacker-controlled content. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

WordPress XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56041 HIGH This Week

Cross-site scripting in the Responsive Lightbox WordPress plugin (versions up to and including 2.7.6) lets unauthenticated remote attackers inject script that executes in a victim's browser when they interact with a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope-changing reflected/stored XSS (UI:R) that can run in the context of any visitor or logged-in administrator. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56040 HIGH This Week

Cross-site scripting in the Gutenverse Form WordPress plugin (versions ≤ 2.4.7) lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim interacts with a crafted link or page. The CVSS:3.1 score is 7.1 with a changed scope, reflecting that injected script crosses the trust boundary into the user's authenticated WordPress session. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56039 HIGH This Week

Reflected cross-site scripting in the Quick Interest Slider WordPress plugin (versions 3.1.6 and earlier) lets an unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link or load a malicious page. The CVSS 3.1 base score is 7.1 with a scope change, reflecting that script execution crosses the plugin's security boundary into the broader WordPress session. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56011 HIGH This Week

Reflected/stored Cross-Site Scripting in the MapPress Maps for WordPress plugin (versions 2.97.3 and earlier) allows an unauthenticated remote attacker to inject malicious JavaScript that executes in the browser of a victim who interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script can act beyond the vulnerable component to affect logged-in users including administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-68075 MEDIUM This Month

Stored Cross-Site Scripting in the BNE Testimonials WordPress plugin (versions 2.0.8 and below) allows an authenticated Contributor-level user to inject persistent malicious scripts into testimonial entries. When a privileged user such as an administrator views the affected content, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector underscores that impact extends beyond the contributing user's own session.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-68074 MEDIUM This Month

Stored Cross-Site Scripting in the Image Carousel WordPress plugin (versions <= 1.0.0.41) allows authenticated contributors to inject persistent malicious JavaScript into carousel elements. When a higher-privileged user such as an administrator views the affected content, the injected script executes in their browser context, enabling session hijacking or unauthorized administrative actions. No active exploitation or public exploit code has been identified at time of analysis, and the attack is bounded by the requirement for contributor-level access and victim interaction.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-64637 MEDIUM This Month

Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.2%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Chrome's Omnibox on iOS enables remote attackers to inject arbitrary scripts or HTML across security origins by luring users into performing specific UI gestures on a crafted page. Affected versions are Chrome for iOS prior to 150.0.7871.47; the desktop channel is not affected. No public exploit code or active exploitation has been identified at time of analysis, and EPSS sits at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating despite the scope-changed CVSS vector.

XSS Apple Google +1
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Inappropriate implementation in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

Google XSS Suse
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

Google XSS Suse
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's HTMLParser prior to 150.0.7871.47 enables remote attackers to inject arbitrary scripts or HTML into a victim's browser context by serving a crafted HTML page. The flaw is classified Medium severity by Google's Chromium security team and carries a CVSS 5.4 score, with EPSS at 0.17% (7th percentile) and no CISA KEV listing, indicating low current exploitation activity. A vendor-released patch exists in Chrome 150.0.7871.47; Chrome's auto-update mechanism substantially narrows the exposure window for most consumer endpoints.

XSS Google Suse
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Incorrect security UI in Google Chrome's Extensions subsystem prior to version 150.0.7871.47 enables Universal Cross-Site Scripting (UXSS), allowing script or HTML injection across web origins via a crafted HTML page. Exploitation requires that the victim user be socially engineered into installing a malicious extension, after which a crafted page triggers the CWE-79 flaw in the Extensions UI. No public exploit exists at time of analysis, EPSS sits at the 4th percentile, and CISA has not listed this in KEV, consistent with the SSVC exploitation:none assessment.

XSS Google Suse
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's CSS implementation prior to version 150.0.7871.47 allows a remote attacker to inject arbitrary scripts or HTML across origin boundaries by luring a victim to a crafted HTML page. The flaw exploits an inappropriate handling of CSS that causes Chrome's renderer to break the same-origin policy, enabling script execution in the context of other origins. No public exploit or CISA KEV listing has been identified; EPSS probability is very low (0.21%, 12th percentile), suggesting limited active exploitation at time of analysis.

XSS Google Suse
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Stonefly Storage Concentrator (SC) and Storage Concentrator Virtual Machine (SCVM) allows an unauthenticated attacker to craft a malicious URL that, when opened by an authenticated storage administrator, causes arbitrary JavaScript to execute within the victim's browser session under the application's origin. The vulnerability stems from unsanitized user-supplied content being echoed directly into 404 error page responses, enabling session cookie theft, unauthorized administrative actions, or user redirection against storage management infrastructure. Reported via ICS-CERT (CISA advisory ICSA-26-181-06), no public exploit code or CISA KEV listing has been identified at time of analysis, though the ICS/OT context amplifies the downstream impact of successful exploitation.

XSS Storage Concentrator Storage Concentrator Virtual Machine
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Stored cross-site scripting in GitHub Enterprise Server's Q&A Discussion feature allows an authenticated attacker to execute arbitrary JavaScript in any visiting user's browser by embedding a crafted payload into a Discussion title. The AnsweredQuestionStructuredDataComponent unsafely injects user-controlled titles into a server-rendered <script type="application/ld+json"> block, enabling script-context breakout; the attacker then leverages JSONP callback support in the GHES REST API to load arbitrary JavaScript and bypass the Content Security Policy entirely. No public exploit or CISA KEV listing exists at time of analysis, but the CSP bypass mechanism substantially elevates practical impact beyond typical stored XSS, enabling full session hijacking of any user who views the malicious Discussion.

XSS Enterprise Server
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM This Month

Stored cross-site scripting in SolarWinds Database Performance Analyzer enables a highly privileged, adjacent-network attacker to persist malicious scripts in the application that execute within other users' browsers upon page load. The CVSS vector (AV:A/AC:H/PR:H/UI:R) imposes substantial constraints - adjacency, high complexity, admin-level credentials, and victim interaction are all required - limiting realistic risk to insider-threat or post-compromise scenarios. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Database Performance Analyzer
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in n8n's Chat Trigger node allows authenticated workflow editors to inject JavaScript through a misconfigured sanitize-html filter in the Custom CSS field, which then executes in the browsers of every user visiting the public chat page. Affected are all 1.x releases before 1.123.27, the 2.0.0-2.13.2 range, and 2.14.0; fixed versions are 1.123.27, 2.13.3, and 2.14.1. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS 4.0 score of 5.1 reflects the authenticated prerequisite and bounded per-user impact.

XSS N8n
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored/reflected cross-site scripting in the administrative console of IBM WebSphere Application Server 9.0 and 8.5 lets an adjacent-network attacker inject malicious script that executes in an administrator's browser session. Because the CVSS scope is changed and impact is rated high, a successful injection could let the attacker hijack the privileged admin session and pivot to broader server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available.

XSS IBM Websphere Application Server
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored cross-site scripting in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 allows authenticated low-privileged users to inject persistent JavaScript into the Web UI, which then executes within the browser sessions of other authenticated users visiting the affected page. The CVSS scope change (S:C) confirms the payload crosses the security boundary from the attacker's session into victims' sessions, enabling credential harvesting within trusted contexts. No public exploit code or CISA KEV listing has been identified at time of analysis, but the stored and persistent nature of the injection elevates operational impact beyond what the 6.4 base score alone conveys.

XSS IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to plant malicious HTML content that executes in a victim's browser within the hosting site's security context. The CVSS vector (PR:L/UI:R/C:H) confirms exploitation requires low-privilege authentication and a second user to view the injected content, with the primary impact being confidentiality loss - such as session token theft or credential harvesting. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; a vendor patch is available via IBM advisory 7277801.

XSS IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in IBM watsonx.data Intelligence 5.2.0 through 5.3.0 allows low-privileged authenticated users to inject arbitrary JavaScript into the Web UI, enabling credential theft or session hijacking against higher-privileged victims. The CVSS scope change (S:C) confirms the injected script executes in the victim's browser context, crossing trust boundaries within the platform. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; IBM has released a patch via advisory PSIRT.

XSS IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Cross-site scripting in IBM WebSphere Application Server 9.0 and 8.5 lets a remote attacker inject malicious script into the administrative console help system, which executes in the browser session of an administrator who is lured into viewing the crafted content. Because the payload runs inside an authenticated admin context, it can be abused to hijack the console session, manipulate configuration, or steal sensitive credentials. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires the victim administrator to interact with the malicious content (UI:R).

XSS IBM Websphere Application Server
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Cross-site scripting in IBM WebSphere Application Server 9.0 and 8.5 lets an attacker inject malicious script into the administrative console's integrated help system, which then executes in the browser of an administrator who views the affected page. Successful exploitation can hijack the admin session or perform actions in the console UI context. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, so risk is currently theoretical rather than actively exploited.

XSS IBM Websphere Application Server
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the provided data.

WordPress XSS Webmention
NVD
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Unvalidated JSONP callback reflection in SeaweedFS before 4.30 enables cross-origin reads of cluster topology, volume server URLs, gRPC ports, file identifiers, and directory listings from unauthenticated endpoints reachable in the default deployment configuration. The shared `writeJson` helper in `weed/server/common.go` concatenates the `callback` query parameter verbatim into `application/javascript` responses with no allowlist validation, no `X-Content-Type-Options: nosniff` header, and no CORS policy, allowing attacker-controlled pages to load these endpoints via script tags and receive cluster metadata through the injected callback. A public proof-of-concept exists; the vulnerability is not in CISA KEV; the CVSS 4.0 score of 2.3 reflects constrained direct impact due to required user interaction and high attack complexity, though the leaked reconnaissance data elevates chained-attack risk.

XSS Seaweedfs
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Reflected Cross-Site Scripting in Adobe ColdFusion 2025.9, 2023.20 and earlier lets an attacker craft a malicious link that, when opened by a victim, injects and executes attacker-controlled script in the victim's browser session, with Adobe characterizing the impact as potential arbitrary code execution in the context of the current user. Because the CVSS scope is changed and confidentiality, integrity and availability impacts are all rated High, a successful attack against an authenticated ColdFusion administrator could compromise the management interface. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS RCE Coldfusion
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting in SYSGUARD 6001 (versions 2.0.2 through before 6.1.4.0) by Eksagate Electronic Engineering and Computer Industry Trade Inc. permits remote unauthenticated attackers to inject persistent malicious scripts into the product's web interface, which execute in the browsers of any user who subsequently views the affected page. The vendor has confirmed the product is end-of-life and unsupported, meaning no patch will ever be issued, leaving all in-scope deployments permanently vulnerable. No public exploit code or CISA KEV listing exists at time of analysis.

XSS Sysguard 6001
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Ajax Load More - Filters WordPress plugin (all versions through 3.4.1) lets unauthenticated attackers persist arbitrary JavaScript via the 'taxonomy_include_children' parameter, which then executes in the browser of any user who loads an affected page. Wordfence rates it CVSS 7.2 with a changed scope, reflecting that injected script runs in the context of other site visitors and administrators. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

WordPress XSS Ajax Load More Filters
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected Cross-Site Scripting in Intermark IT's WebControl CMS v3.5 allows an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the 'urlDestino' parameter of the '/portal.do' endpoint. Successful exploitation enables session cookie theft, phishing overlay injection, and unauthorized actions performed within the victim's authenticated session context. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 score of 5.1 reflects a meaningful subsequent-system integrity impact via the user's browser.

XSS Webcontrol Cms
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

HTML injection in Intermark IT's WebControl CMS v3.5 enables unauthenticated remote attackers to embed malicious markup in outbound emails generated by the contact form, delivered to recipients such as site administrators. Exploitation targets three unsanitized parameters — 'nombreApellidos', 'dirección', and 'comentarios' — in a POST request to '/processContact.do', with the injected content rendered when the recipient opens the resulting email in an HTML-capable mail client. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 5.1 reflects limited scope impact confined to the recipient's mail client.

XSS Webcontrol Cms
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected cross-site scripting in Ricoh Web Image Monitor allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in the browser of any user who visits a specially crafted URL pointing to the printer's web management interface. The vulnerability affects multiple Ricoh laser printer and MFP product lines that ship with Web Image Monitor, as documented by JPCERT/CC and Ricoh's own security advisory. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

XSS Multiple Laser Printers And Mfps Which Implement Ricoh Web Image Monitor
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided.

WordPress XSS Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Editorial Rating - Product Review & Rating System WordPress plugin (versions ≤ 4.0.5) enables authenticated administrators to inject persistent JavaScript payloads via the 'Link URL' field, which execute in any site visitor's browser upon loading an affected review page. The attack exploits a WordPress-specific sanitization bypass: because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than post_content or post_excerpt, WordPress's unfiltered_html capability exemption does not apply, meaning the restriction affects all administrators regardless of their unfiltered_html status. No public exploit has been identified at time of analysis and no active exploitation is confirmed; real-world risk is substantially constrained by the PR:H (administrator) prerequisite.

WordPress XSS Editorial Rating Product Review Rating System
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Persistent script injection in the Team Members - Multi Language Supported Team Plugin for WordPress (all versions through 8.7) enables authenticated administrators to embed malicious JavaScript into site pages via insufficient sanitization and escaping in admin settings fields, with injected payloads executing silently for every subsequent page visitor. The vulnerability is constrained to two non-default deployment scenarios: WordPress multisite network installations and single-site installations where the unfiltered_html capability has been explicitly revoked from administrators - standard single-site installs are unaffected. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept exists, placing real-world risk well below what the scope-changed CVSS vector might initially suggest.

WordPress XSS Team Members Multi Language Supported Team Plugin
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting in Apache ActiveMQ Web Console allows an authenticated message producer to inject malicious JavaScript via a crafted JMS message ID, which executes in the browser of any administrator who browses the affected queue. The browse page renders message IDs without HTML sanitization, enabling privilege escalation from producer to administrator via session hijacking or credential theft. No public exploit identified at time of analysis and not listed in CISA KEV; rated moderate severity by Apache, consistent with the authentication prerequisite and required user interaction.

XSS Apache Activemq +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in Apache Tomcat's bundled 'number guess' example application exposes users of that demo page to script injection across all major Tomcat release lines from 7.0 through 11.0. The flaw resides in a sample JSP/servlet, not the core Tomcat runtime, meaning exploitation depends entirely on the example application being deployed and accessible - a configuration that violates standard production hardening guidance. No public exploit code or active exploitation has been identified at time of analysis; no CVSS vector was assigned by the reporter.

XSS Tomcat Apache +1
NVD VulDB HeroDevs
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting in MDEx (Elixir Markdown library by leandrocp), versions 0.8.3 through 0.13.1, allows any attacker who can supply Markdown content to inject javascript: URLs that execute in the browser of any user who views the downstream-rendered output. The MDEx to_delta/2 function copies link, wikilink, and image URLs verbatim into Quill Delta attributes without a scheme allowlist, meaning a crafted payload like [click](javascript:alert(document.cookie)) survives intact; when a downstream renderer such as quill-delta-to-html converts that Delta to HTML, the javascript: scheme becomes an executable href. No public exploit has been identified at time of analysis, though the attack requires only standard Markdown syntax, and a vendor-released patch is available in version 0.13.2.

XSS Mdex
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Markdown content to inject arbitrary HTML and JavaScript into rendered output viewed by other users, enabling session theft and account takeover. The flaw exists in the native Rust code shared between the mdex (0.11.3-0.12.2) and mdex_native (0.1.0-0.2.2) packages, where the highlight_lines_class code-fence attribute is interpolated into per-line HTML div class attributes without escaping. Exploitation requires a non-default rendering configuration (full_info_string: true with syntax highlighting enabled); no public exploit identified at time of analysis, and vendor-released patches are available.

XSS Mdex Mdex Native
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in Mixpost through version 2.6.0 enables unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by delivering crafted OAuth callback URLs containing malicious error query parameters. The OAuth callback controller fails to sanitize error parameters before routing them through Laravel flash messages, which are then rendered by Vue's v-html directive without HTML escaping - creating a direct injection path into the DOM. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make delivery straightforward once a victim is identified.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Session hijacking in Pinpoint (open-source APM) through version 3.1.0 stems from the pinpointJwt session cookie being issued without the HttpOnly and Secure flags, letting client-side JavaScript read it via document.cookie and allowing it to traverse cleartext HTTP. An attacker who can land a stored or reflected XSS payload, or who can sniff network traffic, can steal the JWT session token and impersonate the victim. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; the CVSS 4.0 base score is 7.6.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the ARForms WordPress plugin (versions 7.1.2 and earlier) lets an unauthenticated remote attacker inject script into a victim's browser when the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can affect the broader WordPress session/DOM context rather than only the form. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Arforms
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the PluginOps Landing Page Builder WordPress plugin (versions <= 1.5.3.5) lets unauthenticated remote attackers inject script that executes in a victim's browser, with a scope change (S:C) indicating the payload can affect resources beyond the vulnerable component. The flaw requires victim interaction (UI:R) such as visiting a crafted link or page, and yields low-level confidentiality, integrity, and availability impact (CVSS 7.1). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Landing Page Builder
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Jobify WordPress job-board theme (Astoundify) through version 4.3.2 lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim is lured into triggering a crafted request or link. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs outside the vulnerable component's own boundary, enabling session theft or actions in the WordPress context. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

XSS Jobify
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Link Whisper Free WordPress plugin (versions 0.9.4 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The scope-change CVSS vector (S:C) indicates the injected script can affect resources beyond the vulnerable plugin context, such as the broader WordPress admin or site session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; reported by Patchstack.

XSS Link Whisper Free
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the MasterStudy LMS WordPress plugin (versions <= 3.7.27) allows authenticated subscriber-level users to inject malicious scripts that execute in the browsers of higher-privileged users such as administrators. The vulnerability carries a Scope:Changed CVSS vector, meaning successful exploitation breaks the browser security boundary and can impact resources beyond the plugin itself - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber role) widens the attacker pool considerably on sites with open or paid user registration.

XSS Masterstudy Lms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in WooCommerce Designer Pro (WordPress plugin) versions 1.9.34 and earlier allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The scope change (S:C in CVSS) indicates injected payloads can cross privilege boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the subscriber-level entry point lowers the bar for exploitation on any site permitting account registration.

WordPress XSS Woocommerce Designer Pro
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the Business Directory WordPress plugin (versions 6.4.22 and earlier) allows authenticated subscriber-level users to inject arbitrary JavaScript that executes in other users' browsers. The scope-change indicator in the CVSS vector (S:C) confirms the payload can cross trust boundaries - most critically, scripts injected by a low-privilege subscriber can execute in the context of a higher-privilege user such as an administrator. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Business Directory
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated cross-site scripting in the Business Directory WordPress plugin (versions <= 6.4.22) allows remote attackers without any authentication to inject and store arbitrary JavaScript that executes in the context of a victim's browser when they visit an affected page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-accessible exploitation requiring no privileges, with a scope change indicating the payload crosses from the plugin's execution context into the victim's browser session. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated nature and low complexity lower the barrier to abuse significantly.

XSS Business Directory
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the WordPress plugin BEAR (realmag777's WooCommerce Bulk Editor and Products Manager, woo-bulk-editor) version 1.1.8 and earlier allows an unauthenticated remote attacker to inject malicious script that executes in a victim's browser when the victim is lured to interact with a crafted request. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation that requires user interaction and crosses a security scope boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack.

XSS Bear
NVD
EPSS 0% CVSS 2.0
LOW Monitor

Stored cross-site scripting in SourceCodester Inventory Management System 1.0 allows a low-privileged remote attacker to inject arbitrary JavaScript via the `full_name` parameter of the User Registration Endpoint at `/api/users_handler.php`. When a privileged user such as an administrator subsequently views the stored user data, the malicious script executes in their browser context, enabling session hijacking, credential theft, or UI redress. Public exploit code exists per VulDB (E:P in CVSS 4.0 vector); however, this vulnerability is not listed in CISA KEV and carries a low CVSS 4.0 base score of 2.0, indicating limited real-world severity.

XSS PHP Inventory Management System
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to inject malicious scripts via the feedback form's fname, femail, faddress, or fmessage parameters handled by /Frontend/Feedback.php. The CVSS 4.0 score of 2.1 (Low) reflects the UI:P requirement - a victim must interact with the crafted content for the payload to execute, limiting autonomous exploitation. A public proof-of-concept is available via GitHub, though no confirmed active exploitation (CISA KEV) has been recorded.

XSS PHP Online Music Site
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW Monitor

Stored cross-site scripting in CodeAstro Complaint Management System 1.0 allows a low-privileged authenticated user to inject persistent malicious scripts via the Report Title field at the /report/addreport endpoint, which then execute in the context of any administrator who views the submitted report. The GitHub-published proof-of-concept confirms the payload is stored and surfaces in the admin panel, enabling session hijacking or admin-context actions without further attacker interaction after initial submission. A public exploit has been released; however, no active exploitation has been confirmed by CISA KEV.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject arbitrary JavaScript via the unsanitized `Name` parameter in POST requests to `/admin/mod_room/controller.php?action=add`. The CVSS 4.0 base score of 2.1 reflects constrained real-world impact: only vulnerable-system integrity is affected (VI:L), user interaction is required (UI:P), and no confidentiality or availability impact is assessed. A publicly available exploit exists (E:P per CVSS 4.0 supplemental vector), but no active exploitation has been confirmed via CISA KEV, consistent with the niche deployment footprint of this free PHP educational project.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject malicious JavaScript via the Name argument in a POST request to /admin/mod_users/controller.php?action=edit. The vulnerability requires a victim to interact with the crafted content (CVSS 4.0 UI:P), limiting its reach but not eliminating risk against administrative users. A publicly disclosed proof-of-concept exploit exists per VulDB submission 843586, though no public exploit identified at time of analysis in CISA KEV.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 enables remote attackers to inject arbitrary JavaScript via the Name parameter in the amenities management POST handler at /admin/mod_amenities/controller.php?action=add. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) confirms no authentication or special attack conditions are required to submit the payload, but passive user interaction - an admin browsing the amenities panel - is needed to trigger execution. A proof-of-concept exploit has been publicly disclosed via GitHub (VulDB submission 843584), though no active exploitation has been confirmed by CISA KEV.

XSS PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

WordPress XSS Apcu Manager
NVD WPScan VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in GotoHTTP up to version 10.2 allows remote attackers to inject arbitrary JavaScript via the `sn` parameter in the `/reg.12x` endpoint. A publicly available proof-of-concept exploit exists (GitHub issue linked in references). The vendor has acknowledged the flaw and removed the parameter echo from source code, but explicitly declined to release a patched build immediately, stating the affected URL is not normally surfaced in a browser or exposed to end users - a claim that partially limits real-world risk but does not eliminate it. No active exploitation confirmed (not in CISA KEV); however, the public POC lowers the bar for abuse.

XSS Gotohttp
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in code-projects Project Management System 1.0 allows a remote authenticated attacker to inject malicious scripts via the /mail.php Mail Compose Page, targeting other users who interact with the crafted mail content. The CVSS 4.0 vector (PR:L/UI:P) confirms exploitation requires a low-privileged authenticated session and passive victim interaction, limiting scope but not eliminating risk in shared environments. A public proof-of-concept exploit has been disclosed on GitHub; no KEV listing and no vendor patch have been identified at time of analysis.

XSS PHP Project Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in yashpokharna2555/restaurent-management-system allows remote unauthenticated attackers to inject arbitrary client-side script via the Username argument in login_register.php's Registration Handler. The payload executes in the browser of any user who subsequently views the tainted data - most likely an administrator reviewing registered accounts. A public exploit exists per VulDB and GitHub issue #4; no public exploit identified as confirmed actively exploited (CISA KEV). The CVSS 4.0 base score of 2.1 reflects the limited scope and required victim interaction, but the availability of a POC elevates practical risk for any deployment.

XSS PHP Restaurent Management System
NVD VulDB GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Gutenverse WordPress Blocks, Page Builder & Site Editor plugin (all versions through 3.8.0) enables authenticated editor-level users to persist arbitrary JavaScript into pages served to any site visitor. The vulnerability is constrained to WordPress multi-site installations or single-site deployments where unfiltered_html has been explicitly disabled. No public exploit has been identified at time of analysis, and a upstream fix commit (changeset 3578328) has been published to the WordPress plugin repository.

WordPress XSS Gutenverse Wordpress Blocks Page Builder Site Editor
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress XSS Surbma Infusionsoft Shortcode
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.

WordPress XSS Page Builder By Siteorigin
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.

WordPress XSS Dokan
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the MaxButtons - Create buttons WordPress plugin (versions up to and including 9.8.5) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'view' parameter, executing in the victim's browser context when a crafted URL is clicked. The flaw is traced to insufficient input sanitization in listController.php and maxbuttons-list.php, as confirmed by Wordfence and source-level references in the WordPress plugin repository. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make social-engineering-based exploitation straightforward.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.

WordPress XSS Ivory Search Wordpress Search Plugin
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.

WordPress XSS Google +1
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

CSS injection in OpenProject's rich text rendering pipeline prior to version 17.4.0 allows any authenticated user with write access to inject arbitrary CSS into formattable text fields (work package descriptions, comments, project descriptions, news). The misconfigured Sanitize::Config::RELAXED[:css] setting permits all CSS properties on permitted HTML elements, enabling UI redressing, phishing overlays, and potential CSS-based side-channel data exfiltration when a victim views the malicious content. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vendor-released fix is available in 17.4.0.

XSS Openproject
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored XSS in OpenProject's HTML sanitizer allows authenticated project contributors to execute arbitrary Turbo Stream actions - including forced redirects - in every other user's authenticated browser session. The sanitizer's `:data` wildcard for `<macro>` elements permits injection of `data-controller` attributes that Stimulus.js silently mounts, chaining an attacker-uploaded attachment through `renderStreamMessage()` to achieve cross-user session manipulation without victim interaction beyond viewing the work package. Patch-confirmed by vendor GitHub Security Advisory GHSA-q33w-f822-hg8x; no public exploit identified at time of analysis.

XSS Openproject
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored/reflected Cross-Site Scripting in the Hester Core WordPress plugin (versions ≤ 1.1.8) allows a high-privileged authenticated user to inject malicious JavaScript into author-related fields, which then executes in victims' browsers when they view affected content. The CVSS scope change (S:C) confirms the injected script escapes the originating context and impacts other users' sessions, potentially enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing has been identified at time of analysis, limiting immediate widespread risk despite the cross-user impact.

XSS
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the Ghost Kit WordPress plugin (versions ≤ 3.6.0) allows authenticated Contributor-level users to inject and store malicious JavaScript payloads via plugin block fields or parameters. When a higher-privileged user - such as an editor or administrator - views the affected content, the attacker's script executes in that user's browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. No CISA KEV listing or public exploit has been identified at time of analysis; however, the CVSS scope-change indicator (S:C) reflects meaningful cross-user impact that can translate to full site compromise if an admin session is hijacked.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Magazine Blocks WordPress plugin (versions ≤ 1.8.3) allows authenticated contributors to inject persistent malicious JavaScript into page content. Because the vulnerability carries a scope change (S:C in CVSS), successful exploitation targets the browsers of higher-privileged users - typically editors or administrators - who view the affected content. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

XSS
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in the Fluent Booking WordPress plugin (versions up to and including 2.1.0) enables authenticated contributors to inject arbitrary JavaScript into booking-related content that executes in the browser of any higher-privileged user who reviews or views that content. The CVSS Scope:Changed metric confirms the payload escapes the contributor's low-privilege context and compromises the browser session of editors or administrators, enabling session hijacking or unauthorized privileged actions. No public exploit code or CISA KEV listing exists at time of analysis, but the vulnerability was confirmed and disclosed by Patchstack.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the StatCounter WordPress plugin (versions up to and including 2.1.1) allows authenticated Contributor-level users to inject persistent malicious scripts into content that executes in the browser context of higher-privileged users who view that content. The CVSS scope change (S:C) indicates the payload can reach sessions beyond the attacker's own - most critically Administrator sessions - enabling session hijacking, credential theft, or unauthorized administrative actions such as creating backdoor accounts. No public exploit identified at time of analysis, and no confirmed active exploitation (no CISA KEV listing).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the Neve PRO WordPress theme addon (versions up to and including 3.1.2) allows a contributor-level authenticated user to inject persistent malicious JavaScript that executes in the browser context of other users, including administrators. The S:C scope change in the CVSS vector confirms the payload escapes the WordPress application boundary and executes in the victim's browser session, enabling session hijacking, credential theft, or admin-level privilege escalation. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in the medium-priority tier despite the scope-changed impact.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Stored Cross-Site Scripting in SeedProd Pro WordPress plugin (versions below 6.19.5) allows an authenticated Contributor-level user to inject malicious JavaScript that executes in the context of other users' browsers, including administrators. The changed scope (S:C) in the CVSS vector confirms the impact crosses from the plugin's trust boundary into victims' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but patch availability is confirmed by the vendor via Patchstack.

XSS
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Featured Image WordPress plugin (≤ 2.1) allows an authenticated Author-level user to inject malicious JavaScript via featured image metadata, which then executes in the browsers of other users - including administrators - who view the affected content. The Scope:Changed CVSS metric confirms the payload escapes the author's own session and can compromise higher-privileged accounts, making privilege escalation the primary real-world risk. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Scripting in the NanoMag WordPress theme (versions 1.8 and earlier) lets unauthenticated remote attackers inject browser-executed script that runs in the context of a victim lured into following a crafted link or loading an attacker-influenced page. The CVSS 3.1 score is 7.1 with a scope change, reflecting that script executes beyond the vulnerable component into the user's session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the weMail WordPress plugin (versions 2.1.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The scope-changed CVSS 3.1 score of 7.1 reflects that the injected script runs in the WordPress site context, potentially affecting authenticated admin sessions. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the FOX - Currency Switcher Professional for WooCommerce WordPress plugin (versions 1.4.8 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. Because the CVSS scope is marked changed, successful injection can affect resources beyond the vulnerable component, including the broader site session. This was reported by Patchstack (CVE-2026-57319, CVSS 7.1); no public exploit code has been identified and it is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions <= 1.6.12.2) lets unauthenticated remote attackers inject script that executes in a victim's browser when they load a crafted page or follow a crafted link. The CVSS:3.1 vector (PR:N, UI:R, S:C) confirms no authentication is required but a user must interact, and the Changed scope reflects script crossing the security boundary into the visitor's browser context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through Patchstack's vulnerability research program.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the SureCart WordPress e-commerce plugin (versions 4.3.2 and earlier) lets unauthenticated remote attackers inject browser-executed script by luring a victim to a crafted link. Because the CVSS scope is changed (S:C), the injected payload can act in the security context of the WordPress session, enabling theft of admin session data or actions performed on the victim's behalf. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Patchstack has cataloged it as a confirmed reflected XSS.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in SureCart WordPress plugin versions up to and including 4.2.2 allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The 'Subscriber' designation in the CVE title confirms exploitation requires only a low-privilege WordPress account, lowering the barrier to attack significantly for sites with open registration. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Everest Forms WordPress plugin (versions 3.4.8 and earlier) lets an unauthenticated attacker craft a malicious link that, when opened by a victim, executes arbitrary JavaScript in the victim's browser under the affected site's origin. The CVSS:3.1 base score is 7.1 (scope-changed, low impact across C/I/A) and exploitation requires victim user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WoodMart premium WooCommerce/WordPress theme (versions up to and including 8.5.3) allows unauthenticated remote attackers to inject script that executes in a victim's browser when the victim is lured into triggering a crafted request. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with a changed scope, reflecting impact that crosses from the theme into the user's authenticated session context. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Perfmatters WordPress plugin (versions 2.6.3 and earlier) allows unauthenticated attackers to inject malicious script that executes in a victim's browser when they follow a crafted link. The scope-changed CVSS 3.1 score of 7.1 reflects that successful exploitation can affect resources beyond the vulnerable component, such as an authenticated administrator's session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in ListingPro WordPress theme versions 2.9.11 and below allows authenticated subscriber-level users to inject malicious JavaScript that executes in the browsers of other users who view the affected page. The CVSS scope change (S:C) confirms the injected payload breaks out of the application's security boundary and runs in the victim's browser context, enabling session hijacking or unauthorized actions on behalf of higher-privileged users. No public exploit code or active exploitation has been identified at time of analysis.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored/reflected cross-site scripting in the WP Automatic WordPress plugin (versions before 3.135.1) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they visit or interact with a crafted resource. The CVSS 3.1 score is 7.1 with a scope change (S:C), reflecting that injected script can affect components beyond the vulnerable plugin context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in the Blog2Social WordPress plugin (versions 8.9.2 and earlier) lets unauthenticated remote attackers inject malicious JavaScript that executes in a victim's browser when they view an affected page. The CVSS 3.1 vector (AV:N/PR:N/UI:R) indicates no authentication is required but the victim must take an action such as visiting a crafted URL. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied with this report from Patchstack.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/reflected Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (versions up to and including 5.110.1) lets unauthenticated attackers inject malicious script that executes in a victim's browser when they view the affected page. The CVSS:3.1 vector (AV:N/PR:N/UI:R, scope changed) indicates network-reachable, no-authentication exploitation that requires the victim to interact with attacker-controlled content. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Responsive Lightbox WordPress plugin (versions up to and including 2.7.6) lets unauthenticated remote attackers inject script that executes in a victim's browser when they interact with a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope-changing reflected/stored XSS (UI:R) that can run in the context of any visitor or logged-in administrator. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Gutenverse Form WordPress plugin (versions ≤ 2.4.7) lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim interacts with a crafted link or page. The CVSS:3.1 score is 7.1 with a changed scope, reflecting that injected script crosses the trust boundary into the user's authenticated WordPress session. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Quick Interest Slider WordPress plugin (versions 3.1.6 and earlier) lets an unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link or load a malicious page. The CVSS 3.1 base score is 7.1 with a scope change, reflecting that script execution crosses the plugin's security boundary into the broader WordPress session. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored Cross-Site Scripting in the MapPress Maps for WordPress plugin (versions 2.97.3 and earlier) allows an unauthenticated remote attacker to inject malicious JavaScript that executes in the browser of a victim who interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script can act beyond the vulnerable component to affect logged-in users including administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the BNE Testimonials WordPress plugin (versions 2.0.8 and below) allows an authenticated Contributor-level user to inject persistent malicious scripts into testimonial entries. When a privileged user such as an administrator views the affected content, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector underscores that impact extends beyond the contributing user's own session.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Image Carousel WordPress plugin (versions <= 1.0.0.41) allows authenticated contributors to inject persistent malicious JavaScript into carousel elements. When a higher-privileged user such as an administrator views the affected content, the injected script executes in their browser context, enabling session hijacking or unauthorized administrative actions. No active exploitation or public exploit code has been identified at time of analysis, and the attack is bounded by the requirement for contributor-level access and victim interaction.

XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS
NVD
Prev Page 6 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy