Skip to main content

XSS

38822 CVEs technique

Monthly

CVE-2026-48823 MEDIUM This Month

Stored XSS in Shaarli's tag filtering functionality permits an authenticated user to inject persistent JavaScript payloads via the bookmark tags field, which execute in the browsers of any user who subsequently interacts with the 'Filter by tag' search feature on the homepage. All Shaarli deployments running version 0.16.1 or earlier are affected, including instances where administrators use the tag-filter feature. The vulnerability enables session hijacking or credential exfiltration against any user who triggers the tag search, with no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch v0.16.2 (2026-05-23) resolves the issue.

XSS Shaarli
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-48822 MEDIUM This Month

Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject malicious javascript: URIs via Markdown reference-style links in bookmark descriptions, bypassing the filterProtocols sanitization method in BookmarkMarkdownFormatter.php. When any user or guest visitor views the crafted bookmark, arbitrary JavaScript executes in their browser context, enabling session theft or unauthorized actions. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; vendor-released patch v0.16.2 is available as of 2026-05-23.

PHP XSS Shaarli
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-55409 PHP HIGH PATCH GHSA This Week

Stored XSS in Filament v3 PHP admin panel framework occurs when a RichEditor form field is rendered in disabled mode, because the disabled view binds raw state via Alpine's x-html directive without HTML sanitization. Authenticated attackers who can write into the underlying field state can plant HTML or JavaScript that executes in the browser of any user later viewing the form, with no public exploit identified at time of analysis and no KEV listing.

XSS
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-28737 Go HIGH PATCH GHSA This Week

Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a crafted .gltf file with an unsupported extension name in extensionsRequired is rendered into the DOM via innerHTML without sanitization. Any low-privileged user who can push a file to a repository (including a public fork) can compromise the session of any user who later views the file, enabling token theft and full account takeover. Publicly available exploit code exists (a working PoC is included in the GHSA-9cpj-qc93-vw8v advisory); no public exploit identified at time of analysis in CISA KEV.

Gitea CSRF XSS Node.js
NVD GitHub
CVSS 3.1
8.7
EPSS
0.3%
CVE-2026-48591 MEDIUM This Month

Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.

XSS Earmark
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-10850 MEDIUM This Month

Stored cross-site scripting in Plane CE 1.3.1 allows an authenticated low-privileged project member to inject arbitrary HTML and JavaScript via the `description_html` field through the API v1 intake endpoint, with payloads persisting in the database and executing in the browsers of any user who views the affected intake item. The CVSS 4.0 vector rates confidentiality impact on the vulnerable system as High (VC:H), reflecting the realistic threat of session token exfiltration from higher-privileged users such as project administrators. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis.

XSS Plane
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-54013 PyPI HIGH PATCH GHSA This Week

Stored cross-site scripting in Open WebUI versions up to and including 0.9.5 allows any authenticated user holding the default workspace.models permission to embed an SVG payload in a model's profile_image_url and hijack the session of anyone who opens that image URL as a top-level document. The flaw is an incomplete-patch bypass of GHSA-3wgj-c2hg-vm6q and GHSA-3856-3vxq-m6fc - the input validator and the MIME allowlist plus X-Content-Type-Options:nosniff added to the user and webhook endpoints were never applied to ModelMeta or the model image serving endpoint. No public exploit identified at time of analysis beyond the working PoC included in the advisory, and CVSS 7.6 reflects the cross-origin scope change leading to JWT theft and account takeover.

Python XSS
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-54011 PyPI MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Open WebUI up to and including v0.9.5 allows authenticated users to execute arbitrary JavaScript in another user's browser under the application origin by uploading a malicious Markdown file containing a crafted Mermaid diagram. The flaw stems from Mermaid being initialized with securityLevel:'loose' and its SVG output being injected via innerHTML in the file preview panel. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis beyond the PoC, and the issue is not listed in CISA KEV.

XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-54006 PyPI MEDIUM PATCH GHSA This Month

{event_id}/update` endpoint validates write access only on the source calendar, silently omitting the destination `calendar_id` authorization check that `create_event` correctly enforces - a classic IDOR pattern. A verified public proof-of-concept exists against v0.9.4 (the official Docker image); the fix is available in v0.9.6. No CISA KEV listing was present in the input data, so widespread in-the-wild exploitation is unconfirmed.

Python Authentication Bypass XSS Docker
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-53929 npm MEDIUM PATCH GHSA This Month

Stored Cross-Site Scripting in NocoDB (npm package, versions <= 0.301.3) allows an authenticated user with upload permissions to deliver malicious `.html` or `.svg` attachments that the victim's browser renders inline from the NocoDB origin, bypassing the intended forced-download behavior. The root cause is a header-key case mismatch in the secure attachment handler: the signed URL generator wrote overrides as PascalCase keys while the Express controller read them as lowercase-hyphen keys, silently dropping `Content-Disposition: attachment` and enabling inline rendering. When exploited, script executing in the victim's browser can exfiltrate the auth JWT stored in `localStorage`, leading to full session compromise. No public exploit code has been identified at time of analysis, and no patched version has been confirmed released.

XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-40720 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in Royal Elementor Addons Pro WordPress plugin versions prior to 1.7.1041 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with the popularity of Elementor-ecosystem plugins makes this a credible threat to WordPress sites running the Pro variant. Patchstack disclosure indicates a fixed version is available.

XSS Royal Elementor Addons Pro Elementor
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69140 HIGH This Week

Reflected cross-site scripting in the SweetDate Core WordPress plugin versions prior to 1.1.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects unauthenticated network reach with required user interaction and a scope change typical of stored/reflected XSS in browser contexts. No public exploit identified at time of analysis and no EPSS or KEV signal was provided.

XSS Sweetdate Core
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-68524 HIGH This Week

Reflected cross-site scripting in the Avante WordPress theme versions prior to 3.0.5 allows unauthenticated remote attackers to inject script that executes in a victim's browser when the victim clicks a crafted link. Reported by Patchstack with CVSS 7.1 (scope-changed), no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress themes makes this a practical phishing/account-takeover lure against site visitors and logged-in administrators.

XSS Avante
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-11975 MEDIUM PATCH This Month

Stored XSS in SimplCommerce's news module allows an authenticated administrator to persist arbitrary JavaScript via the ShortContent and FullContent fields of NewsItemApiController, which are stored without HTML sanitization and rendered unencoded through Razor's @Html.Raw() method. Any site visitor who subsequently loads an affected news page will execute the injected script in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available at commit 6142d3b5 per Checkmarx's disclosure.

XSS Simplcommerce
NVD GitHub
CVSS 4.0
6.2
EPSS
0.3%
CVE-2025-31013 HIGH This Week

Reflected cross-site scripting in the Themify Folo WordPress theme (versions up to and including 1.9.6) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw is reported by Patchstack with a CVSS 3.1 base score of 7.1 driven by scope change and user interaction; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Themify Folo
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-54195 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlier allows remote attackers to inject script into pages rendered to victims. Exploitation requires a victim to interact with a crafted link or form (UI:R), and successful payload execution can hijack sessions or perform actions in the victim's browser context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Jetformbuilder
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-54192 HIGH This Week

Reflected cross-site scripting in the Ays Pro Popup Box WordPress plugin versions 6.2.9 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS 7.1 score reflects scope change (S:C) typical of XSS escaping the plugin context into the broader WordPress session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Popup Box
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-54189 HIGH This Week

Reflected or stored cross-site scripting in the JetEngine WordPress plugin (versions 3.8.10 and earlier) allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after the user is lured to a crafted link or page. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with scope change, reflecting impact on the WordPress session context beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Jetengine
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-54188 HIGH This Week

Unauthenticated cross-site scripting in the JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject malicious scripts that execute in the browser of any user who interacts with a crafted link or page. The CVSS 7.1 score reflects the scope change inherent to XSS (attacker-supplied JavaScript runs in the victim's site origin), and no public exploit has been identified at time of analysis. Successful exploitation can lead to session hijacking, credential theft, or administrative account takeover on affected WordPress sites.

XSS Jetengine
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-49778 HIGH This Week

Stored or reflected cross-site scripting in WPFunnels Pro WordPress plugin versions 2.9.4 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 score of 7.1 reflects the scope-changed impact (S:C) on the WordPress site, including potential session hijacking of administrators. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Wpfunnels Pro
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-49074 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the JetEngine WordPress plugin (versions <= 3.8.9.1) allows remote attackers to inject malicious script into pages rendered by the plugin, which then executes in the browser of any visitor who interacts with the crafted content. Successful exploitation enables session hijacking, credential theft, or administrative actions performed against logged-in WordPress users including site administrators. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Jetengine
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42385 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Cozmoslabs Profile Builder Pro WordPress plugin (versions 3.15.0 and earlier) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw carries a CVSS 3.1 score of 7.1 with scope change, meaning the injected script can affect resources beyond the vulnerable component (typically the WordPress admin session). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Profile Builder Pro
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-41557 HIGH PATCH This Week

Reflected/stored cross-site scripting in the Kapee WordPress theme versions prior to 1.7.1 allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after user interaction, with a scope change that can impact other components beyond the vulnerable theme. No public exploit identified at time of analysis, but the vulnerability was disclosed via Patchstack with a CVSS of 7.1, reflecting the unauthenticated nature combined with required user interaction.

XSS Kapee
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40765 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Collectchat WordPress plugin versions 2.4.9 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with scope change (S:C) makes this attractive for opportunistic attacks against WordPress sites running the plugin.

XSS Collectchat
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39597 HIGH This Week

Reflected cross-site scripting in the WPZOOM Addons for Elementor WordPress plugin (versions 1.3.4 and earlier) allows unauthenticated remote attackers to inject arbitrary script into a victim's browser session by tricking them into following a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 with scope change, reflecting potential impact on the broader WordPress site context; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Wpzoom Addons For Elementor
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-22339 HIGH This Week

Reflected cross-site scripting in the WPJobster WordPress theme through version 6.3.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with a scope change (S:C), reflecting impact on browser-side resources beyond the vulnerable application. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Patchstack has catalogued it as a confirmed reflected XSS.

XSS Wpjobster
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-22329 HIGH This Week

Reflected cross-site scripting in the Skillate WordPress theme versions 1.2.10 and below allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with scope change (S:C), reflecting that the injected script runs in the WordPress site context and can pivot against authenticated users including administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Skillate
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-22328 HIGH This Week

Reflected cross-site scripting in the VamTam Auto Repair WordPress theme versions 22.6 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after tricking them into clicking a crafted link. The flaw was disclosed via Patchstack and carries a CVSS 7.1 due to scope change impact on the WordPress admin context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Auto Repair
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-59560 HIGH This Week

Reflected or stored cross-site scripting in the Sonaar WordPress theme versions 4.27.4 and earlier allows remote unauthenticated attackers to inject malicious script into pages rendered to victims who follow a crafted link or interact with attacker-controlled content. The CVSS scope-change vector (S:C) indicates the injected script can impact resources beyond the vulnerable component, such as the WordPress admin session of a logged-in user. No public exploit identified at time of analysis, and the issue is not on CISA's KEV list.

XSS Sonaar
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-49269 HIGH This Week

Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS My Flatonica
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-27870 MEDIUM PATCH This Month

Stored cross-site scripting in Teldat's Regesta Smart HD-PLC (TLDPH16D2, firmware 11.02.05.10.02) allows a privileged, authenticated attacker to inject arbitrary JavaScript into the device's 'Hostname' configuration field, which executes in the browser of any user who subsequently loads the `/upgrade/query.php?cmd=p+3%3Bversion` endpoint. The CVSS 4.0 score of 4.8 reflects meaningful constraints: high-privilege access (PR:H) is required to write the malicious configuration, and victim user interaction (UI:P) is needed to trigger execution. No public exploit identified at time of analysis and not listed in CISA KEV; a vendor patch is available.

PHP XSS Regesta Smart Hd Plc Tldph16D2
NVD
CVSS 4.0
4.8
EPSS
0.5%
CVE-2026-8494 MEDIUM This Month

Stored Cross-Site Scripting in the Permalink Manager Lite WordPress plugin (all versions through 2.5.3.3) allows authenticated contributors to inject persistent JavaScript into the admin URI Editor interface via crafted post titles. The payload executes in the browser of any administrator who subsequently visits the Permalink Manager page, enabling session hijacking or unauthorized admin-level actions. No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; vendor-released patch 2.5.3.4 is available.

WordPress XSS Permalink Manager Lite
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-8607 MEDIUM This Month

Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis; fix is available in version 3.1.1 as confirmed by WordPress plugin trac changeset 3572451.

WordPress XSS Points Management System For Gamification Ranks Badges And Loyalty Rewards Program Mycred
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-9570 HIGH POC PATCH This Week

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.

XSS WordPress Taskbuilder
NVD WPScan VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-8089 HIGH POC PATCH This Week

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.

XSS WordPress Wemail
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-7850 MEDIUM POC This Month

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.

XSS WordPress Wp Magnific Popup
NVD WPScan VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-12463 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in the Views component of Google Chrome on Linux (prior to 149.0.7827.155) enables an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, breaking Chrome's same-origin policy isolation. This is a post-renderer-compromise escalation step in a multi-stage attack chain, Linux-platform specific, requiring prior renderer RCE as a prerequisite. No public exploit code has been identified at time of analysis; EPSS sits at 0.29% (21st percentile), and CISA SSVC assesses exploitation status as none with partial technical impact.

Google XSS Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.3%
CVE-2026-12459 MEDIUM PATCH This Month

Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)

Google Chrome XSS Red Hat Suse
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-54326 npm LOW PATCH GHSA Monitor

Stored XSS in the HTML session export feature of pi-coding-agent allows script execution in an exported document when a user clicks a crafted Markdown link. Affected npm packages (@mariozechner/pi-coding-agent 0.27.5–0.73.1 and @earendil-works/pi-coding-agent 0.74.0–0.78.0) either omitted URL scheme validation entirely or implemented a blocklist that could be defeated by prepending C0 control characters (bytes 0x00–0x1F), which browsers silently strip before navigation. No public exploit is identified at time of analysis and this vulnerability is not in CISA KEV; the CVSS score of 2.5 and local attack vector reflect the multi-step, user-dependent exploitation chain discovered and responsibly disclosed by CrowdStrike researchers.

Crowdstrike XSS
NVD GitHub
CVSS 3.1
2.5
EPSS
0.1%
CVE-2026-54302 npm HIGH PATCH GHSA This Week

Stored cross-site scripting in n8n workflow automation platform allows authenticated users with workflow edit permissions to inject arbitrary JavaScript via the Chat Trigger node's webhookId parameter. When a logged-in user visits the chat URL, the injected code executes in the n8n origin with the victim's session privileges, enabling account takeover. No public exploit identified at time of analysis, but a vendor-released patch is available.

XSS
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.4%
CVE-2026-54303 npm MEDIUM PATCH GHSA This Month

Reflected XSS in n8n's Facebook (Meta), WhatsApp, and Microsoft Teams webhook trigger nodes allows an attacker to execute arbitrary JavaScript in an authenticated user's browser by luring them to a crafted URL targeting the vulnerable webhook verification endpoints. Affected are all n8n deployments running version < 2.24.0 with any of the four vulnerable trigger nodes active; the CVSS scope change (S:C) means successful exploitation extends beyond the n8n component itself, enabling session hijacking or theft of API credentials stored in workflows. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is confirmed in n8n 2.24.0.

Microsoft XSS
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.3%
CVE-2026-48788 Go HIGH POC PATCH GHSA This Week

Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. No public exploit identified at time of analysis; fixed in 1.16.0.

XSS Remark42
NVD GitHub
CVSS 3.0
8.2
EPSS
0.3%
CVE-2026-52846 Go MEDIUM PATCH GHSA This Month

The `stripHTML` template function in Caddy web server can be bypassed with malformed HTML input such as `<<>img src=x onerror=alert()>`, allowing injected HTML tags to survive sanitization and reach the browser as executable markup, resulting in client-side XSS. Affected versions are Caddy v2 <= 2.11.3 and Caddy v1 <= 1.0.5; exploitation requires the templates middleware to be active and untrusted input to be processed via `stripHTML` and rendered without further escaping. A publicly available proof-of-concept exists per the GitHub security advisory GHSA-vcc4-2c75-vc9v; no active exploitation is confirmed in CISA KEV at time of analysis.

XSS
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-48869 HIGH This Week

Reflected cross-site scripting in the Enfold WordPress theme versions up to and including 7.1.4 allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The CVSS scope change (S:C) and Low impact across C/I/A indicate the injected script can affect components beyond the vulnerable theme component, typically the authenticated WordPress session. No public exploit identified at time of analysis, though Patchstack's disclosure provides enough detail for skilled researchers to reproduce.

XSS Enfold
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39548 HIGH This Week

Reflected cross-site scripting in the MagOne WordPress theme versions 9.0 and earlier allows remote unauthenticated attackers to inject arbitrary script into a victim's browser session when the victim is lured to a crafted link. CVSS rates this 7.1 with a scope change (S:C), reflecting the ability to affect resources beyond the vulnerable component such as the authenticated WordPress session. No public exploit identified at time of analysis, but Patchstack has published the advisory in their WordPress vulnerability database.

XSS Magone
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69151 HIGH This Week

Reflected/unauthenticated cross-site scripting in the ThemeGoods Grand Car Rental WordPress theme versions 3.7 and earlier lets remote attackers execute arbitrary JavaScript in a victim's browser session after the victim follows a crafted link or visits a malicious page. The flaw carries a CVSS 3.1 base score of 7.1 with scope change, indicating impact beyond the vulnerable component, and no public exploit identified at time of analysis. Disclosure is coordinated through Patchstack and tracked as EUVD-2025-210174.

XSS Grand Car Rental
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2025-69104 HIGH This Week

Reflected/stored cross-site scripting in the Qreatix WordPress theme (versions 1.9.4 and earlier) allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after the victim interacts with a crafted link or page. The flaw is reported by Patchstack and tracked as EUVD-2025-210188; no public exploit identified at time of analysis and no CISA KEV listing. CVSS scope-change rating (7.1) reflects impact on a separate security authority - typically the WordPress admin session of a logged-in user lured to the payload.

XSS Qreatix
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48294 HIGH This Week

Universal cross-site scripting (UXSS) in Adobe Acrobat PDF Extension for Chrome (versions 26.5.2.2 and earlier) allows remote attackers to disclose cross-origin session data when a victim visits a malicious URL or interacts with a compromised page. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N indicates high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. The flaw is browser-extension scoped, so impact is limited to users who have installed this Chrome extension.

Google XSS Adobe Adobe Acrobat Pdf Extension Chrome
NVD VulDB
CVSS 3.1
7.4
EPSS
1.0%
CVE-2026-12348 HIGH This Week

Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. No public exploit identified at time of analysis, but a HackerOne report (#3705306) suggests reproducible POC details exist within the disclosure program.

Google XSS Arc Search
NVD
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-46955 HIGH This Week

Takeover of Oracle Human Resources in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible when a remote unauthenticated attacker tricks a separate user into interacting with a crafted HTTP request targeting the Person component. Despite high attack complexity, successful exploitation yields full confidentiality, integrity, and availability impact on the HR module. No public exploit identified at time of analysis.

Oracle Oracle Human Resources XSS
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46856 CRITICAL Act Now

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker over HTTP coerces a victim user into interacting with a crafted request targeting the Metadata Plugin component. The flaw is scope-changing and yields full confidentiality, integrity, and availability impact on the platform and potentially adjacent products. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Manager Base Platform XSS
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-46853 CRITICAL Act Now

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to fully compromise the management platform - and potentially additional managed products - by tricking an authenticated user into interacting with a malicious HTTP-delivered payload targeting the Metadata Plugin component. The CVSS 3.1 base score is 9.6 with a scope change reflecting impact beyond the vulnerable component, and at time of analysis no public exploit identified at time of analysis. Because Oracle Enterprise Manager centrally controls fleets of Oracle databases, middleware, and infrastructure, successful exploitation has outsized blast-radius implications for downstream Oracle estates.

Oracle Oracle Enterprise Manager Base Platform XSS
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-50133 Go MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Hugo's content pipeline affects all versions prior to v0.162.0 when the site ingests HTML content from untrusted sources. Hugo emitted the body of any content file mapped to the text/html media type verbatim into the rendered output, making sites backed by CMS editors, external content adapters, or automated import pipelines potential XSS delivery vehicles to end users. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the risk is material for any Hugo deployment that does not fully trust every source populating the /content directory or content adapter pipeline.

XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-54301 npm HIGH PATCH GHSA This Week

Same-origin cross-site scripting in n8n workflow automation platform allows an authenticated user with workflow edit privileges to weaponize the Respond to Webhook node and execute JavaScript in another authenticated user's session. The binary response path bypassed the central Content-Security-Policy sandbox header, letting attacker-controlled Content-Type serve executable content from the n8n origin. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.4%
CVE-2026-12425 MEDIUM This Month

Reflected cross-site scripting in PowerSchool Employee Access Center 23.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser context of any user who clicks a crafted login URL, with injected code evaluated directly via eval(). Reported by Palo Alto Networks Unit 42 (PANW-2026-0002), exploit code has been publicly released (CVSS 4.0 E:P), meaningfully lowering the barrier to exploitation. No active exploitation has been confirmed in CISA KEV at time of analysis, but the low-barrier phishing delivery path targeting an education-sector HR authentication page - with high subsequent-system impact - warrants treatment above the Medium CVSS 4.0 score of 5.7 implies.

XSS Employee Access Center
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.3%
CVE-2026-53841 npm LOW PATCH GHSA Monitor

Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.

XSS Openclaw
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2024-30476 MEDIUM PATCH This Month

PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Powerstore
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-54298 npm MEDIUM PATCH GHSA This Month

Cross-site scripting in Astro's server-side rendering pipeline allows injection of arbitrary HTML attributes and event handlers when the spread syntax `{...props}` is used with untrusted object keys. All Astro deployments — SSR, SSG, and hybrid — are affected when application code spreads props sourced from external APIs, CMS responses, or URL parameters onto HTML elements. A functional public proof-of-concept demonstrates session cookie theft via injected `onmousemove` event handlers; no active exploitation has been confirmed in CISA KEV at time of analysis.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-50146 npm MEDIUM PATCH GHSA This Month

Reflected cross-site scripting in Astro framework (versions prior to 6.3.3) allows remote attackers to inject arbitrary HTML and execute JavaScript in victim browsers when an SSR-rendered page passes user-controlled input as a slot name to a component using a client:* directive. The flaw lives in the server renderer, which interpolates the slot name into a data-astro-template attribute without HTML escaping, enabling attribute-context breakout. No public exploit identified at time of analysis beyond the reporter's PoC in the GHSA advisory, and the issue is not listed in CISA KEV.

XSS Node.js
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12323 MEDIUM PATCH This Month

Spoofing via CWE-1021 (UI layer restriction failure) in Mozilla Firefox's DOM Core & HTML component allows remote unauthenticated attackers to render deceptive UI content in a victim's browser when they interact with a malicious web page. All Firefox versions prior to 152 are affected. No public exploit has been identified at time of analysis, and CISA SSVC assessment classifies exploitation status as none with partial technical impact, placing real-world urgency below the moderate CVSS score suggests.

Mozilla XSS Suse Red Hat
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-12322 MEDIUM PATCH This Month

Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152.

Mozilla XSS Suse Red Hat
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-54198 HIGH This Week

Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allows unauthenticated remote attackers to inject script that executes in a victim's browser after a user-interaction event (clicking a crafted link). Per Patchstack, the issue affects David Lingren's plugin and currently has no public exploit identified at time of analysis, but the CVSS 7.1 (scope-changed) reflects that successful execution can pivot into authenticated admin contexts.

XSS Media Library Assistant
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-54191 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Pods WordPress plugin (versions 3.3.8 and earlier) allows remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted page or link. The flaw requires user interaction (UI:R) and carries a scope change (S:C), letting injected payloads steal session data or perform privileged actions in the WordPress admin context. No public exploit identified at time of analysis, but the unauthenticated nature and broad WordPress plugin install base make this a meaningful risk for site operators.

XSS Pods
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-39437 HIGH This Week

Reflected cross-site scripting in the WPFactory 'Min Max Step Quantity Limits Manager for WooCommerce' WordPress plugin (versions 5.2.2 and earlier) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser after the victim clicks a crafted link. The CVSS 3.1 score of 7.1 is elevated by a scope change (S:C), reflecting that script execution can affect the WordPress admin context, but exploitation requires user interaction (UI:R). No public exploit was identified at time of analysis and the issue is not listed in CISA KEV.

WordPress XSS Min Max Step Quantity Limits Manager For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-10093 MEDIUM This Month

Stored Cross-Site Scripting in the WordPress 'File Sharing & Download Manager - User Private Files' plugin (all versions through 2.1.6) allows authenticated attackers with subscriber-level access to persistently inject malicious JavaScript via the 'fldr_ttl' (folder title) parameter. The payload is stored server-side and executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing exists at time of analysis, but low privilege requirements (subscriber-level) expand the attacker pool significantly on sites with open registration.

WordPress XSS Secure Client Portal And Private File Sharing Plugin User Private Files
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-48157 PHP MEDIUM PATCH GHSA This Month

Reflected XSS in Slim PHP framework (versions 4.4.0 through 4.15.1) allows attackers to inject arbitrary HTML and JavaScript into HTML error pages when application code passes request-derived data into HttpException::setTitle() or setDescription(). The payload executes in a victim's browser upon rendering the crafted error page, and critically this occurs even when displayErrorDetails is set to false, since the unescaped values are rendered on a separate code path. No public exploit code or CISA KEV listing has been identified; exploitation is scoped to applications that explicitly feed untrusted input into these specific exception setter methods.

PHP XSS Slim
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-52702 HIGH This Week

Cross-site scripting in the SEO Redirection WordPress plugin (versions <= 9.17) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction such as clicking a crafted link. The flaw has a CVSS 3.1 score of 7.1 with scope-changed impact, indicating injected scripts can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Seo Redirection
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-49773 MEDIUM PATCH This Month

Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-privileged authenticated users - specifically those with subscriber-level access - to inject persistent malicious JavaScript that executes in the browsers of other site visitors or administrators who view affected content. The Scope:Changed CVSS metric confirms the payload escapes the plugin's trust boundary and can target higher-privileged sessions. No public exploit identified at time of analysis, and SSVC signals no confirmed exploitation; a vendor-released patch is available at version 7.5.51.7212.

XSS Fv Flowplayer Video Player
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49055 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7 versions 1.3.9.7 and earlier allows remote attackers to inject script that executes in a victim's browser after user interaction, leading to session theft, account takeover, or pivoting against authenticated administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. CVSS 3.1 base score is 7.1 with a changed scope reflecting impact across the WordPress admin trust boundary.

File Upload XSS Drag And Drop Multiple File Upload Contact Form 7
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48966 HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3.15.0.2) allows remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted page or link. The CVSS 3.1 score of 7.1 reflects a scope-changing impact with low confidentiality, integrity, and availability impact and required user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48885 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the HollerBox WordPress plugin (versions 2.3.10.1 and earlier) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 due to the scope change (S:C) reflecting the WordPress site context being affected from injected content; no public exploit identified at time of analysis and no CISA KEV listing exists.

XSS Hollerbox
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48880 MEDIUM This Month

Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Subscriber-level users to inject persistent malicious JavaScript payloads that execute in other users' browsers, including administrators. The CVSS S:C scope change confirms the injected script crosses the security boundary into victims' browser sessions, enabling session hijacking or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege requirement makes this realistic on open-registration WordPress job-board deployments.

XSS Wp Job Portal
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48876 HIGH This Week

Reflected/stored cross-site scripting in the WordPress plugin Stop Spammers (versions 2026.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser when they interact with crafted content. The flaw carries a CVSS 3.1 base score of 7.1 due to scope change (S:C), and no public exploit identified at time of analysis, though Patchstack has catalogued the issue in its WordPress vulnerability database.

XSS Stop Spammers
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48871 HIGH This Week

Reflected or stored Cross-Site Scripting in the MW WP Form WordPress plugin (versions <= 5.1.3) allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with crafted plugin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-reachable exploitation with no privileges but requiring user interaction, and the scope change reflects the cross-origin impact typical of XSS in browser contexts. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

XSS Mw Wp Form
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48870 MEDIUM This Month

Stored Cross-Site Scripting in the King Addons for Elementor WordPress plugin (versions up to and including 51.1.62) allows authenticated subscribers to inject and persist malicious JavaScript payloads within plugin-rendered content. The scope-changed CVSS vector (S:C) reflects that injected scripts execute in the browsers of other site users - including administrators - enabling session hijacking and privilege escalation via social engineering. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the moderate-priority tier despite the network-reachable attack surface.

XSS King Addons For Elementor Elementor
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48867 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Quiz And Survey Master WordPress plugin (versions through 11.1.2) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. Exploitation is reflected in the CVSS 7.1 (High) score with a scope change, meaning injected script can impact resources beyond the vulnerable component. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

XSS Quiz And Survey Master
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48838 HIGH This Week

Reflected or stored cross-site scripting in the Post SMTP WordPress plugin (versions 3.6.2 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 7.1 score with scope change reflects potential session theft or administrative action hijacking against WordPress sites running the plugin. No public exploit identified at time of analysis, and the issue is tracked by Patchstack but not listed in CISA KEV.

XSS Post Smtp
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-45437 HIGH This Week

Reflected/stored cross-site scripting in the Product Filter Widget for Elementor WordPress plugin (versions <= 1.0.6) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with scope change due to script execution in the browser context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Product Filter Widget For Elementor Elementor
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42775 HIGH This Week

Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope change (S:C), meaning script execution affects components beyond the vulnerable one - typically authenticated WordPress administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Automatorwp
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42688 MEDIUM This Month

Subscriber-level stored Cross-Site Scripting in the Modula Image Gallery WordPress plugin (versions up to and including 2.14.23) allows authenticated users with subscriber privileges to inject persistent malicious JavaScript into gallery content. When a higher-privileged user such as an administrator views the affected gallery, the injected script executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low authentication barrier and scope change to admin sessions make this a meaningful risk for multi-user WordPress environments.

XSS Modula Image Gallery
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-42686 HIGH This Week

Stored or reflected cross-site scripting in the EventPrime WordPress plugin (versions <= 4.3.2.1) allows authenticated users with Subscriber-level privileges to inject malicious JavaScript that executes in other users' browsers. The flaw was disclosed by Patchstack and currently has no public exploit identified at time of analysis, but the low privilege bar makes it attractive for opportunistic attackers on multi-user WordPress sites. No CISA KEV listing or EPSS data was supplied with this report.

XSS Eventprime
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-42663 MEDIUM This Month

Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of malicious scripts that execute in the context of other users' browsers. The official CVSS vector assigns PR:L (low privileges required), which directly contradicts the CVE description's claim of 'unauthenticated' exploitation - this discrepancy must be resolved with the vendor before accurate risk tiering. With a scope-changed impact (S:C), the primary concern is an attacker inducing a privileged user such as a WordPress administrator to trigger the payload, enabling session hijacking or unauthorized administrative actions. No public exploit code or active exploitation in CISA KEV has been identified at time of analysis.

XSS Simple Membership
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-42658 HIGH This Week

Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and carries CVSS 7.1 due to the scope change affecting the broader WordPress site context, though no public exploit identified at time of analysis. Risk is elevated for sites running the plugin in publicly accessible classified/marketplace deployments where untrusted visitor input is processed.

XSS Classified Listing
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42656 MEDIUM This Month

Cross-site scripting in the Contest Gallery WordPress plugin (versions <= 28.1.6) can be triggered by a subscriber-level authenticated user, injecting malicious scripts that execute in the browsers of higher-privileged users such as administrators. The CVSS Scope:Changed metric confirms the payload escapes the subscriber's privilege boundary and impacts other user sessions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad WordPress ecosystem deployment surface make this a meaningful risk for any site accepting subscriber registrations.

XSS Contest Gallery
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-42650 HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows remote attackers to inject malicious JavaScript that executes in the context of victim browsers, including site administrators. No public exploit identified at time of analysis, but the CVSS scope-change rating (7.2 High) reflects the cross-origin impact typical of XSS where attacker-supplied script crosses a trust boundary into the WordPress admin session. Patchstack reported the issue and tracks it in their WordPress vulnerability database.

XSS Automatorwp
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-42649 HIGH This Week

Reflected/stored cross-site scripting in the Favicon Rotator WordPress plugin (versions 1.2.11 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The CVSS scope-changed vector (S:C) indicates the injected script can impact resources beyond the vulnerable plugin component, typically the entire WordPress site context. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the unauthenticated nature combined with WordPress's broad install base elevates real-world concern.

XSS Favicon Rotator
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-41556 MEDIUM This Month

Cross-site scripting in ProfilePress WordPress plugin versions up to and including 4.16.13 allows authenticated subscribers to inject malicious JavaScript payloads that execute in the browsers of other users - including administrators - who view affected content. The CVSS scope change (S:C) indicator confirms this is a stored or reflected XSS that crosses privilege boundaries, enabling low-privilege users to target higher-privilege accounts. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

XSS Profilepress
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-40791 HIGH This Week

Reflected/stored cross-site scripting in the WP Time Slots Booking Form WordPress plugin (versions up to and including 1.2.46) lets remote unauthenticated attackers inject script that executes in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36994, carries a CVSS 7.1 due to the scope change against the WordPress origin, and no public exploit identified at time of analysis.

XSS Wp Time Slots Booking Form
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40787 HIGH This Week

Stored or reflected cross-site scripting in the Quiz And Survey Master WordPress plugin (versions up to and including 11.0.0) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after a single user interaction. Patchstack reports the issue under EUVD-2026-36990 with a CVSS 3.1 base score of 7.1 reflecting scope change and partial impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Quiz And Survey Master
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40770 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Coupon Affiliates WordPress plugin (versions up to and including 7.5.3) allows remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 3.1 score of 7.1 with scope change (S:C) indicates impact beyond the vulnerable component, typical of XSS reaching the WordPress admin or affiliate context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Coupon Affiliates
NVD
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Shaarli's tag filtering functionality permits an authenticated user to inject persistent JavaScript payloads via the bookmark tags field, which execute in the browsers of any user who subsequently interacts with the 'Filter by tag' search feature on the homepage. All Shaarli deployments running version 0.16.1 or earlier are affected, including instances where administrators use the tag-filter feature. The vulnerability enables session hijacking or credential exfiltration against any user who triggers the tag search, with no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch v0.16.2 (2026-05-23) resolves the issue.

XSS Shaarli
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject malicious javascript: URIs via Markdown reference-style links in bookmark descriptions, bypassing the filterProtocols sanitization method in BookmarkMarkdownFormatter.php. When any user or guest visitor views the crafted bookmark, arbitrary JavaScript executes in their browser context, enabling session theft or unauthorized actions. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; vendor-released patch v0.16.2 is available as of 2026-05-23.

PHP XSS Shaarli
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored XSS in Filament v3 PHP admin panel framework occurs when a RichEditor form field is rendered in disabled mode, because the disabled view binds raw state via Alpine's x-html directive without HTML sanitization. Authenticated attackers who can write into the underlying field state can plant HTML or JavaScript that executes in the browser of any user later viewing the form, with no public exploit identified at time of analysis and no KEV listing.

XSS
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a crafted .gltf file with an unsupported extension name in extensionsRequired is rendered into the DOM via innerHTML without sanitization. Any low-privileged user who can push a file to a repository (including a public fork) can compromise the session of any user who later views the file, enabling token theft and full account takeover. Publicly available exploit code exists (a working PoC is included in the GHSA-9cpj-qc93-vw8v advisory); no public exploit identified at time of analysis in CISA KEV.

Gitea CSRF XSS +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.

XSS Earmark
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Stored cross-site scripting in Plane CE 1.3.1 allows an authenticated low-privileged project member to inject arbitrary HTML and JavaScript via the `description_html` field through the API v1 intake endpoint, with payloads persisting in the database and executing in the browsers of any user who views the affected intake item. The CVSS 4.0 vector rates confidentiality impact on the vulnerable system as High (VC:H), reflecting the realistic threat of session token exfiltration from higher-privileged users such as project administrators. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis.

XSS Plane
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored cross-site scripting in Open WebUI versions up to and including 0.9.5 allows any authenticated user holding the default workspace.models permission to embed an SVG payload in a model's profile_image_url and hijack the session of anyone who opens that image URL as a top-level document. The flaw is an incomplete-patch bypass of GHSA-3wgj-c2hg-vm6q and GHSA-3856-3vxq-m6fc - the input validator and the MIME allowlist plus X-Content-Type-Options:nosniff added to the user and webhook endpoints were never applied to ModelMeta or the model image serving endpoint. No public exploit identified at time of analysis beyond the working PoC included in the advisory, and CVSS 7.6 reflects the cross-origin scope change leading to JWT theft and account takeover.

Python XSS
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in Open WebUI up to and including v0.9.5 allows authenticated users to execute arbitrary JavaScript in another user's browser under the application origin by uploading a malicious Markdown file containing a crafted Mermaid diagram. The flaw stems from Mermaid being initialized with securityLevel:'loose' and its SVG output being injected via innerHTML in the file preview panel. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis beyond the PoC, and the issue is not listed in CISA KEV.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

{event_id}/update` endpoint validates write access only on the source calendar, silently omitting the destination `calendar_id` authorization check that `create_event` correctly enforces - a classic IDOR pattern. A verified public proof-of-concept exists against v0.9.4 (the official Docker image); the fix is available in v0.9.6. No CISA KEV listing was present in the input data, so widespread in-the-wild exploitation is unconfirmed.

Python Authentication Bypass XSS +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored Cross-Site Scripting in NocoDB (npm package, versions <= 0.301.3) allows an authenticated user with upload permissions to deliver malicious `.html` or `.svg` attachments that the victim's browser renders inline from the NocoDB origin, bypassing the intended forced-download behavior. The root cause is a header-key case mismatch in the secure attachment handler: the signed URL generator wrote overrides as PascalCase keys while the Express controller read them as lowercase-hyphen keys, silently dropping `Content-Disposition: attachment` and enabling inline rendering. When exploited, script executing in the victim's browser can exfiltrate the auth JWT stored in `localStorage`, leading to full session compromise. No public exploit code has been identified at time of analysis, and no patched version has been confirmed released.

XSS
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in Royal Elementor Addons Pro WordPress plugin versions prior to 1.7.1041 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with the popularity of Elementor-ecosystem plugins makes this a credible threat to WordPress sites running the Pro variant. Patchstack disclosure indicates a fixed version is available.

XSS Royal Elementor Addons Pro Elementor
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the SweetDate Core WordPress plugin versions prior to 1.1.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects unauthenticated network reach with required user interaction and a scope change typical of stored/reflected XSS in browser contexts. No public exploit identified at time of analysis and no EPSS or KEV signal was provided.

XSS Sweetdate Core
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Avante WordPress theme versions prior to 3.0.5 allows unauthenticated remote attackers to inject script that executes in a victim's browser when the victim clicks a crafted link. Reported by Patchstack with CVSS 7.1 (scope-changed), no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress themes makes this a practical phishing/account-takeover lure against site visitors and logged-in administrators.

XSS Avante
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Stored XSS in SimplCommerce's news module allows an authenticated administrator to persist arbitrary JavaScript via the ShortContent and FullContent fields of NewsItemApiController, which are stored without HTML sanitization and rendered unencoded through Razor's @Html.Raw() method. Any site visitor who subsequently loads an affected news page will execute the injected script in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available at commit 6142d3b5 per Checkmarx's disclosure.

XSS Simplcommerce
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Themify Folo WordPress theme (versions up to and including 1.9.6) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw is reported by Patchstack with a CVSS 3.1 base score of 7.1 driven by scope change and user interaction; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Themify Folo
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlier allows remote attackers to inject script into pages rendered to victims. Exploitation requires a victim to interact with a crafted link or form (UI:R), and successful payload execution can hijack sessions or perform actions in the victim's browser context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Jetformbuilder
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Ays Pro Popup Box WordPress plugin versions 6.2.9 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS 7.1 score reflects scope change (S:C) typical of XSS escaping the plugin context into the broader WordPress session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Popup Box
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected or stored cross-site scripting in the JetEngine WordPress plugin (versions 3.8.10 and earlier) allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after the user is lured to a crafted link or page. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with scope change, reflecting impact on the WordPress session context beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Jetengine
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated cross-site scripting in the JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject malicious scripts that execute in the browser of any user who interacts with a crafted link or page. The CVSS 7.1 score reflects the scope change inherent to XSS (attacker-supplied JavaScript runs in the victim's site origin), and no public exploit has been identified at time of analysis. Successful exploitation can lead to session hijacking, credential theft, or administrative account takeover on affected WordPress sites.

XSS Jetengine
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Stored or reflected cross-site scripting in WPFunnels Pro WordPress plugin versions 2.9.4 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 score of 7.1 reflects the scope-changed impact (S:C) on the WordPress site, including potential session hijacking of administrators. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Wpfunnels Pro
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the JetEngine WordPress plugin (versions <= 3.8.9.1) allows remote attackers to inject malicious script into pages rendered by the plugin, which then executes in the browser of any visitor who interacts with the crafted content. Successful exploitation enables session hijacking, credential theft, or administrative actions performed against logged-in WordPress users including site administrators. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Jetengine
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Cozmoslabs Profile Builder Pro WordPress plugin (versions 3.15.0 and earlier) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw carries a CVSS 3.1 score of 7.1 with scope change, meaning the injected script can affect resources beyond the vulnerable component (typically the WordPress admin session). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Profile Builder Pro
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Reflected/stored cross-site scripting in the Kapee WordPress theme versions prior to 1.7.1 allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after user interaction, with a scope change that can impact other components beyond the vulnerable theme. No public exploit identified at time of analysis, but the vulnerability was disclosed via Patchstack with a CVSS of 7.1, reflecting the unauthenticated nature combined with required user interaction.

XSS Kapee
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Collectchat WordPress plugin versions 2.4.9 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with scope change (S:C) makes this attractive for opportunistic attacks against WordPress sites running the plugin.

XSS Collectchat
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WPZOOM Addons for Elementor WordPress plugin (versions 1.3.4 and earlier) allows unauthenticated remote attackers to inject arbitrary script into a victim's browser session by tricking them into following a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 with scope change, reflecting potential impact on the broader WordPress site context; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Wpzoom Addons For Elementor
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WPJobster WordPress theme through version 6.3.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with a scope change (S:C), reflecting impact on browser-side resources beyond the vulnerable application. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Patchstack has catalogued it as a confirmed reflected XSS.

XSS Wpjobster
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Skillate WordPress theme versions 1.2.10 and below allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with scope change (S:C), reflecting that the injected script runs in the WordPress site context and can pivot against authenticated users including administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Skillate
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the VamTam Auto Repair WordPress theme versions 22.6 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after tricking them into clicking a crafted link. The flaw was disclosed via Patchstack and carries a CVSS 7.1 due to scope change impact on the WordPress admin context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Auto Repair
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected or stored cross-site scripting in the Sonaar WordPress theme versions 4.27.4 and earlier allows remote unauthenticated attackers to inject malicious script into pages rendered to victims who follow a crafted link or interact with attacker-controlled content. The CVSS scope-change vector (S:C) indicates the injected script can impact resources beyond the vulnerable component, such as the WordPress admin session of a logged-in user. No public exploit identified at time of analysis, and the issue is not on CISA's KEV list.

XSS Sonaar
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS My Flatonica
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in Teldat's Regesta Smart HD-PLC (TLDPH16D2, firmware 11.02.05.10.02) allows a privileged, authenticated attacker to inject arbitrary JavaScript into the device's 'Hostname' configuration field, which executes in the browser of any user who subsequently loads the `/upgrade/query.php?cmd=p+3%3Bversion` endpoint. The CVSS 4.0 score of 4.8 reflects meaningful constraints: high-privilege access (PR:H) is required to write the malicious configuration, and victim user interaction (UI:P) is needed to trigger execution. No public exploit identified at time of analysis and not listed in CISA KEV; a vendor patch is available.

PHP XSS Regesta Smart Hd Plc Tldph16D2
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Permalink Manager Lite WordPress plugin (all versions through 2.5.3.3) allows authenticated contributors to inject persistent JavaScript into the admin URI Editor interface via crafted post titles. The payload executes in the browser of any administrator who subsequently visits the Permalink Manager page, enabling session hijacking or unauthorized admin-level actions. No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; vendor-released patch 2.5.3.4 is available.

WordPress XSS Permalink Manager Lite
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis; fix is available in version 3.1.1 as confirmed by WordPress plugin trac changeset 3572451.

WordPress XSS Points Management System For Gamification Ranks Badges And Loyalty Rewards Program Mycred
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.

XSS WordPress Taskbuilder
NVD WPScan VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.

XSS WordPress Wemail
NVD WPScan
EPSS 0% CVSS 5.9
MEDIUM POC This Month

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.

XSS WordPress Wp Magnific Popup
NVD WPScan VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in the Views component of Google Chrome on Linux (prior to 149.0.7827.155) enables an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, breaking Chrome's same-origin policy isolation. This is a post-renderer-compromise escalation step in a multi-stage attack chain, Linux-platform specific, requiring prior renderer RCE as a prerequisite. No public exploit code has been identified at time of analysis; EPSS sits at 0.29% (21st percentile), and CISA SSVC assesses exploitation status as none with partial technical impact.

Google XSS Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)

Google Chrome XSS +2
NVD VulDB
EPSS 0% CVSS 2.5
LOW PATCH Monitor

Stored XSS in the HTML session export feature of pi-coding-agent allows script execution in an exported document when a user clicks a crafted Markdown link. Affected npm packages (@mariozechner/pi-coding-agent 0.27.5–0.73.1 and @earendil-works/pi-coding-agent 0.74.0–0.78.0) either omitted URL scheme validation entirely or implemented a blocklist that could be defeated by prepending C0 control characters (bytes 0x00–0x1F), which browsers silently strip before navigation. No public exploit is identified at time of analysis and this vulnerability is not in CISA KEV; the CVSS score of 2.5 and local attack vector reflect the multi-step, user-dependent exploitation chain discovered and responsibly disclosed by CrowdStrike researchers.

Crowdstrike XSS
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Stored cross-site scripting in n8n workflow automation platform allows authenticated users with workflow edit permissions to inject arbitrary JavaScript via the Chat Trigger node's webhookId parameter. When a logged-in user visits the chat URL, the injected code executes in the n8n origin with the victim's session privileges, enabling account takeover. No public exploit identified at time of analysis, but a vendor-released patch is available.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Reflected XSS in n8n's Facebook (Meta), WhatsApp, and Microsoft Teams webhook trigger nodes allows an attacker to execute arbitrary JavaScript in an authenticated user's browser by luring them to a crafted URL targeting the vulnerable webhook verification endpoints. Affected are all n8n deployments running version < 2.24.0 with any of the four vulnerable trigger nodes active; the CVSS scope change (S:C) means successful exploitation extends beyond the n8n component itself, enabling session hijacking or theft of API credentials stored in workflows. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is confirmed in n8n 2.24.0.

Microsoft XSS
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. No public exploit identified at time of analysis; fixed in 1.16.0.

XSS Remark42
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

The `stripHTML` template function in Caddy web server can be bypassed with malformed HTML input such as `<<>img src=x onerror=alert()>`, allowing injected HTML tags to survive sanitization and reach the browser as executable markup, resulting in client-side XSS. Affected versions are Caddy v2 <= 2.11.3 and Caddy v1 <= 1.0.5; exploitation requires the templates middleware to be active and untrusted input to be processed via `stripHTML` and rendered without further escaping. A publicly available proof-of-concept exists per the GitHub security advisory GHSA-vcc4-2c75-vc9v; no active exploitation is confirmed in CISA KEV at time of analysis.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Enfold WordPress theme versions up to and including 7.1.4 allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The CVSS scope change (S:C) and Low impact across C/I/A indicate the injected script can affect components beyond the vulnerable theme component, typically the authenticated WordPress session. No public exploit identified at time of analysis, though Patchstack's disclosure provides enough detail for skilled researchers to reproduce.

XSS Enfold
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the MagOne WordPress theme versions 9.0 and earlier allows remote unauthenticated attackers to inject arbitrary script into a victim's browser session when the victim is lured to a crafted link. CVSS rates this 7.1 with a scope change (S:C), reflecting the ability to affect resources beyond the vulnerable component such as the authenticated WordPress session. No public exploit identified at time of analysis, but Patchstack has published the advisory in their WordPress vulnerability database.

XSS Magone
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/unauthenticated cross-site scripting in the ThemeGoods Grand Car Rental WordPress theme versions 3.7 and earlier lets remote attackers execute arbitrary JavaScript in a victim's browser session after the victim follows a crafted link or visits a malicious page. The flaw carries a CVSS 3.1 base score of 7.1 with scope change, indicating impact beyond the vulnerable component, and no public exploit identified at time of analysis. Disclosure is coordinated through Patchstack and tracked as EUVD-2025-210174.

XSS Grand Car Rental
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the Qreatix WordPress theme (versions 1.9.4 and earlier) allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after the victim interacts with a crafted link or page. The flaw is reported by Patchstack and tracked as EUVD-2025-210188; no public exploit identified at time of analysis and no CISA KEV listing. CVSS scope-change rating (7.1) reflects impact on a separate security authority - typically the WordPress admin session of a logged-in user lured to the payload.

XSS Qreatix
NVD
EPSS 1% CVSS 7.4
HIGH This Week

Universal cross-site scripting (UXSS) in Adobe Acrobat PDF Extension for Chrome (versions 26.5.2.2 and earlier) allows remote attackers to disclose cross-origin session data when a victim visits a malicious URL or interacts with a compromised page. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N indicates high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. The flaw is browser-extension scoped, so impact is limited to users who have installed this Chrome extension.

Google XSS Adobe +1
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. No public exploit identified at time of analysis, but a HackerOne report (#3705306) suggests reproducible POC details exist within the disclosure program.

Google XSS Arc Search
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Takeover of Oracle Human Resources in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible when a remote unauthenticated attacker tricks a separate user into interacting with a crafted HTTP request targeting the Person component. Despite high attack complexity, successful exploitation yields full confidentiality, integrity, and availability impact on the HR module. No public exploit identified at time of analysis.

Oracle Oracle Human Resources XSS
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker over HTTP coerces a victim user into interacting with a crafted request targeting the Metadata Plugin component. The flaw is scope-changing and yields full confidentiality, integrity, and availability impact on the platform and potentially adjacent products. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Manager Base Platform XSS
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to fully compromise the management platform - and potentially additional managed products - by tricking an authenticated user into interacting with a malicious HTTP-delivered payload targeting the Metadata Plugin component. The CVSS 3.1 base score is 9.6 with a scope change reflecting impact beyond the vulnerable component, and at time of analysis no public exploit identified at time of analysis. Because Oracle Enterprise Manager centrally controls fleets of Oracle databases, middleware, and infrastructure, successful exploitation has outsized blast-radius implications for downstream Oracle estates.

Oracle Oracle Enterprise Manager Base Platform XSS
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Hugo's content pipeline affects all versions prior to v0.162.0 when the site ingests HTML content from untrusted sources. Hugo emitted the body of any content file mapped to the text/html media type verbatim into the rendered output, making sites backed by CMS editors, external content adapters, or automated import pipelines potential XSS delivery vehicles to end users. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the risk is material for any Hugo deployment that does not fully trust every source populating the /content directory or content adapter pipeline.

XSS
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Same-origin cross-site scripting in n8n workflow automation platform allows an authenticated user with workflow edit privileges to weaponize the Respond to Webhook node and execute JavaScript in another authenticated user's session. The binary response path bypassed the central Content-Security-Policy sandbox header, letting attacker-controlled Content-Type serve executable content from the n8n origin. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

Reflected cross-site scripting in PowerSchool Employee Access Center 23.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser context of any user who clicks a crafted login URL, with injected code evaluated directly via eval(). Reported by Palo Alto Networks Unit 42 (PANW-2026-0002), exploit code has been publicly released (CVSS 4.0 E:P), meaningfully lowering the barrier to exploitation. No active exploitation has been confirmed in CISA KEV at time of analysis, but the low-barrier phishing delivery path targeting an education-sector HR authentication page - with high subsequent-system impact - warrants treatment above the Medium CVSS 4.0 score of 5.7 implies.

XSS Employee Access Center
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.

XSS Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Powerstore
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Astro's server-side rendering pipeline allows injection of arbitrary HTML attributes and event handlers when the spread syntax `{...props}` is used with untrusted object keys. All Astro deployments — SSR, SSG, and hybrid — are affected when application code spreads props sourced from external APIs, CMS responses, or URL parameters onto HTML elements. A functional public proof-of-concept demonstrates session cookie theft via injected `onmousemove` event handlers; no active exploitation has been confirmed in CISA KEV at time of analysis.

XSS
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting in Astro framework (versions prior to 6.3.3) allows remote attackers to inject arbitrary HTML and execute JavaScript in victim browsers when an SSR-rendered page passes user-controlled input as a slot name to a component using a client:* directive. The flaw lives in the server renderer, which interpolates the slot name into a data-astro-template attribute without HTML escaping, enabling attribute-context breakout. No public exploit identified at time of analysis beyond the reporter's PoC in the GHSA advisory, and the issue is not listed in CISA KEV.

XSS Node.js
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Spoofing via CWE-1021 (UI layer restriction failure) in Mozilla Firefox's DOM Core & HTML component allows remote unauthenticated attackers to render deceptive UI content in a victim's browser when they interact with a malicious web page. All Firefox versions prior to 152 are affected. No public exploit has been identified at time of analysis, and CISA SSVC assessment classifies exploitation status as none with partial technical impact, placing real-world urgency below the moderate CVSS score suggests.

Mozilla XSS Suse +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152.

Mozilla XSS Suse +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allows unauthenticated remote attackers to inject script that executes in a victim's browser after a user-interaction event (clicking a crafted link). Per Patchstack, the issue affects David Lingren's plugin and currently has no public exploit identified at time of analysis, but the CVSS 7.1 (scope-changed) reflects that successful execution can pivot into authenticated admin contexts.

XSS Media Library Assistant
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Pods WordPress plugin (versions 3.3.8 and earlier) allows remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted page or link. The flaw requires user interaction (UI:R) and carries a scope change (S:C), letting injected payloads steal session data or perform privileged actions in the WordPress admin context. No public exploit identified at time of analysis, but the unauthenticated nature and broad WordPress plugin install base make this a meaningful risk for site operators.

XSS Pods
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WPFactory 'Min Max Step Quantity Limits Manager for WooCommerce' WordPress plugin (versions 5.2.2 and earlier) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser after the victim clicks a crafted link. The CVSS 3.1 score of 7.1 is elevated by a scope change (S:C), reflecting that script execution can affect the WordPress admin context, but exploitation requires user interaction (UI:R). No public exploit was identified at time of analysis and the issue is not listed in CISA KEV.

WordPress XSS Min Max Step Quantity Limits Manager For Woocommerce
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WordPress 'File Sharing & Download Manager - User Private Files' plugin (all versions through 2.1.6) allows authenticated attackers with subscriber-level access to persistently inject malicious JavaScript via the 'fldr_ttl' (folder title) parameter. The payload is stored server-side and executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing exists at time of analysis, but low privilege requirements (subscriber-level) expand the attacker pool significantly on sites with open registration.

WordPress XSS Secure Client Portal And Private File Sharing Plugin User Private Files
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in Slim PHP framework (versions 4.4.0 through 4.15.1) allows attackers to inject arbitrary HTML and JavaScript into HTML error pages when application code passes request-derived data into HttpException::setTitle() or setDescription(). The payload executes in a victim's browser upon rendering the crafted error page, and critically this occurs even when displayErrorDetails is set to false, since the unescaped values are rendered on a separate code path. No public exploit code or CISA KEV listing has been identified; exploitation is scoped to applications that explicitly feed untrusted input into these specific exception setter methods.

PHP XSS Slim
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the SEO Redirection WordPress plugin (versions <= 9.17) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction such as clicking a crafted link. The flaw has a CVSS 3.1 score of 7.1 with scope-changed impact, indicating injected scripts can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Seo Redirection
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-privileged authenticated users - specifically those with subscriber-level access - to inject persistent malicious JavaScript that executes in the browsers of other site visitors or administrators who view affected content. The Scope:Changed CVSS metric confirms the payload escapes the plugin's trust boundary and can target higher-privileged sessions. No public exploit identified at time of analysis, and SSVC signals no confirmed exploitation; a vendor-released patch is available at version 7.5.51.7212.

XSS Fv Flowplayer Video Player
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7 versions 1.3.9.7 and earlier allows remote attackers to inject script that executes in a victim's browser after user interaction, leading to session theft, account takeover, or pivoting against authenticated administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. CVSS 3.1 base score is 7.1 with a changed scope reflecting impact across the WordPress admin trust boundary.

File Upload XSS Drag And Drop Multiple File Upload Contact Form 7
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3.15.0.2) allows remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted page or link. The CVSS 3.1 score of 7.1 reflects a scope-changing impact with low confidentiality, integrity, and availability impact and required user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the HollerBox WordPress plugin (versions 2.3.10.1 and earlier) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 due to the scope change (S:C) reflecting the WordPress site context being affected from injected content; no public exploit identified at time of analysis and no CISA KEV listing exists.

XSS Hollerbox
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Subscriber-level users to inject persistent malicious JavaScript payloads that execute in other users' browsers, including administrators. The CVSS S:C scope change confirms the injected script crosses the security boundary into victims' browser sessions, enabling session hijacking or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege requirement makes this realistic on open-registration WordPress job-board deployments.

XSS Wp Job Portal
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the WordPress plugin Stop Spammers (versions 2026.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser when they interact with crafted content. The flaw carries a CVSS 3.1 base score of 7.1 due to scope change (S:C), and no public exploit identified at time of analysis, though Patchstack has catalogued the issue in its WordPress vulnerability database.

XSS Stop Spammers
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected or stored Cross-Site Scripting in the MW WP Form WordPress plugin (versions <= 5.1.3) allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with crafted plugin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-reachable exploitation with no privileges but requiring user interaction, and the scope change reflects the cross-origin impact typical of XSS in browser contexts. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

XSS Mw Wp Form
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the King Addons for Elementor WordPress plugin (versions up to and including 51.1.62) allows authenticated subscribers to inject and persist malicious JavaScript payloads within plugin-rendered content. The scope-changed CVSS vector (S:C) reflects that injected scripts execute in the browsers of other site users - including administrators - enabling session hijacking and privilege escalation via social engineering. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the moderate-priority tier despite the network-reachable attack surface.

XSS King Addons For Elementor Elementor
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Quiz And Survey Master WordPress plugin (versions through 11.1.2) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. Exploitation is reflected in the CVSS 7.1 (High) score with a scope change, meaning injected script can impact resources beyond the vulnerable component. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

XSS Quiz And Survey Master
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected or stored cross-site scripting in the Post SMTP WordPress plugin (versions 3.6.2 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 7.1 score with scope change reflects potential session theft or administrative action hijacking against WordPress sites running the plugin. No public exploit identified at time of analysis, and the issue is tracked by Patchstack but not listed in CISA KEV.

XSS Post Smtp
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the Product Filter Widget for Elementor WordPress plugin (versions <= 1.0.6) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with scope change due to script execution in the browser context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Product Filter Widget For Elementor Elementor
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope change (S:C), meaning script execution affects components beyond the vulnerable one - typically authenticated WordPress administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Automatorwp
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Subscriber-level stored Cross-Site Scripting in the Modula Image Gallery WordPress plugin (versions up to and including 2.14.23) allows authenticated users with subscriber privileges to inject persistent malicious JavaScript into gallery content. When a higher-privileged user such as an administrator views the affected gallery, the injected script executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low authentication barrier and scope change to admin sessions make this a meaningful risk for multi-user WordPress environments.

XSS Modula Image Gallery
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored or reflected cross-site scripting in the EventPrime WordPress plugin (versions <= 4.3.2.1) allows authenticated users with Subscriber-level privileges to inject malicious JavaScript that executes in other users' browsers. The flaw was disclosed by Patchstack and currently has no public exploit identified at time of analysis, but the low privilege bar makes it attractive for opportunistic attackers on multi-user WordPress sites. No CISA KEV listing or EPSS data was supplied with this report.

XSS Eventprime
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of malicious scripts that execute in the context of other users' browsers. The official CVSS vector assigns PR:L (low privileges required), which directly contradicts the CVE description's claim of 'unauthenticated' exploitation - this discrepancy must be resolved with the vendor before accurate risk tiering. With a scope-changed impact (S:C), the primary concern is an attacker inducing a privileged user such as a WordPress administrator to trigger the payload, enabling session hijacking or unauthorized administrative actions. No public exploit code or active exploitation in CISA KEV has been identified at time of analysis.

XSS Simple Membership
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and carries CVSS 7.1 due to the scope change affecting the broader WordPress site context, though no public exploit identified at time of analysis. Risk is elevated for sites running the plugin in publicly accessible classified/marketplace deployments where untrusted visitor input is processed.

XSS Classified Listing
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the Contest Gallery WordPress plugin (versions <= 28.1.6) can be triggered by a subscriber-level authenticated user, injecting malicious scripts that execute in the browsers of higher-privileged users such as administrators. The CVSS Scope:Changed metric confirms the payload escapes the subscriber's privilege boundary and impacts other user sessions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad WordPress ecosystem deployment surface make this a meaningful risk for any site accepting subscriber registrations.

XSS Contest Gallery
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows remote attackers to inject malicious JavaScript that executes in the context of victim browsers, including site administrators. No public exploit identified at time of analysis, but the CVSS scope-change rating (7.2 High) reflects the cross-origin impact typical of XSS where attacker-supplied script crosses a trust boundary into the WordPress admin session. Patchstack reported the issue and tracks it in their WordPress vulnerability database.

XSS Automatorwp
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the Favicon Rotator WordPress plugin (versions 1.2.11 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The CVSS scope-changed vector (S:C) indicates the injected script can impact resources beyond the vulnerable plugin component, typically the entire WordPress site context. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the unauthenticated nature combined with WordPress's broad install base elevates real-world concern.

XSS Favicon Rotator
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in ProfilePress WordPress plugin versions up to and including 4.16.13 allows authenticated subscribers to inject malicious JavaScript payloads that execute in the browsers of other users - including administrators - who view affected content. The CVSS scope change (S:C) indicator confirms this is a stored or reflected XSS that crosses privilege boundaries, enabling low-privilege users to target higher-privilege accounts. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

XSS Profilepress
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the WP Time Slots Booking Form WordPress plugin (versions up to and including 1.2.46) lets remote unauthenticated attackers inject script that executes in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36994, carries a CVSS 7.1 due to the scope change against the WordPress origin, and no public exploit identified at time of analysis.

XSS Wp Time Slots Booking Form
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Stored or reflected cross-site scripting in the Quiz And Survey Master WordPress plugin (versions up to and including 11.0.0) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after a single user interaction. Patchstack reports the issue under EUVD-2026-36990 with a CVSS 3.1 base score of 7.1 reflecting scope change and partial impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Quiz And Survey Master
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Coupon Affiliates WordPress plugin (versions up to and including 7.5.3) allows remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 3.1 score of 7.1 with scope change (S:C) indicates impact beyond the vulnerable component, typical of XSS reaching the WordPress admin or affiliate context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Coupon Affiliates
NVD
Prev Page 9 of 432 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy