Cross-Site Scripting

GoDaddy CoBlocks through version 3.1.16 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages, potentially compromising other users who view the affected content. The vulnerability requires user interaction and can impact the confidentiality, integrity, and availability of affected systems. No patch is currently available.

Stored XSS in Shortcoder plugin version 6.5.1 and earlier enables authenticated attackers to inject malicious scripts into web pages, affecting all users who view the compromised content. An attacker with user-level privileges can execute arbitrary JavaScript in victims' browsers through improper input sanitization during page generation. No patch is currently available.

DOM-based cross-site scripting in PenciDesign Soledad through version 8.7.2 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or data theft. The vulnerability requires user interaction and impacts the confidentiality, integrity, and availability of affected installations. No patch is currently available.

DOM-based cross-site scripting in PenciDesign Penci Recipe plugin version 4.1 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially stealing session data or performing actions on behalf of affected users. The vulnerability requires user interaction and affects installations using vulnerable versions of the Penci Recipe component.

DOM-based cross-site scripting in PenciDesign Penci Podcast through version 1.7 allows authenticated attackers to inject malicious scripts that execute in users' browsers with user interaction. An attacker with login credentials can exploit improper input sanitization during page generation to steal session tokens, redirect users, or perform actions on their behalf. No patch is currently available for this vulnerability.

PenciDesign Penci Filter Everything penci-filter-everything is affected by cross-site scripting (xss) (CVSS 6.5).

Stored cross-site scripting in ThemeFusion Fusion Builder through version 3.14.3 allows authenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with login credentials can leverage this vulnerability to steal session cookies, redirect users, or perform actions on their behalf. No patch is currently available for this vulnerability.

Stored cross-site scripting in WpEstate Wpresidence Core through version 5.4.0 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction to trigger the payload and affects the broader site context, making it a persistence risk for compromised WordPress installations. No patch is currently available.

DOM-based cross-site scripting in Advanced iFrame plugin through version 2025.10 allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially compromising session data and user interactions. The vulnerability requires user interaction and network access but can affect multiple security domains due to its scope impact. No patch is currently available.

Bold Page Builder through version 5.6.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages. An attacker with user privileges can craft malicious input that persists in the application and executes in the browsers of other users who view the affected pages, potentially leading to credential theft or unauthorized actions. No patch is currently available for this vulnerability.

Stored cross-site scripting in Omnipress versions 1.6.7 and earlier allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially compromising session data and user interactions. The vulnerability requires user interaction to trigger but can affect any user viewing the affected content due to its stored nature. No patch is currently available.

Stored XSS in FooGallery through version 3.1.11 allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers when viewing gallery content. An attacker with administrative or elevated access could leverage this vulnerability to steal session tokens, modify gallery data, or redirect users to malicious sites. A patch is not currently available for affected installations.

DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.

Melapress WP Activity Log wp-security-audit-log is affected by cross-site scripting (xss) (CVSS 6.5).

DOM-based XSS in the 8theme XStore Core et-core-plugin versions below 5.7 enables authenticated attackers to inject malicious scripts that execute in users' browsers through improper input handling during page generation. An attacker with user-level privileges and ability to trigger user interaction can exploit this to steal session data, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this medium-severity vulnerability.

DOM-based cross-site scripting in 8theme XStore through version 9.6.4 allows authenticated attackers to inject malicious scripts that execute in users' browsers, potentially stealing sensitive information or performing actions on behalf of victims. The vulnerability requires user interaction and affects the scope beyond the vulnerable component, with no patch currently available.

CreativeMindsSolutions CM Business Directory cm-business-directory is affected by cross-site scripting (xss) (CVSS 4.8).

Stored XSS in HurryTimer through version 2.14.2 enables authenticated attackers with high privileges to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger but can affect multiple users due to its persistent nature. No patch is currently available.

Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter.

Stored cross-site scripting in the WordPress XML-RPC Attacks Blocker plugin up to version 1.0 allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For HTTP header, which are then executed when administrators access the debug log page. The vulnerability stems from improper handling of untrusted header data without output escaping. No patch is currently available.

Stored XSS in WordPress Slidorion plugin through version 1.0.2 allows administrators to inject malicious scripts via insufficiently sanitized settings that execute when other users view affected pages. The vulnerability requires high privileges and only manifests in multisite WordPress installations or those with unfiltered HTML disabled. No patch is currently available.

Stored cross-site scripting in the Advance Block Extend WordPress plugin versions up to 1.0.4 allows authenticated contributors and above to inject malicious scripts through the TitleColor attribute in the Latest Posts block, which execute in the browsers of users viewing affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling persistent payload injection. No patch is currently available.

Stored XSS in WordPress Easy Author Image plugin up to version 1.7 allows authenticated subscribers and above to inject malicious scripts through the author_profile_picture_url parameter due to inadequate input sanitization. Attackers can embed arbitrary JavaScript that executes when other users view affected pages, potentially compromising user sessions and data. No patch is currently available for this vulnerability.

Stored XSS in the TalkJS WordPress plugin through version 0.1.15 permits high-privilege administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages, restricted to multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's settings handling. No patch is currently available.

Stored XSS in the Salavat Counter WordPress plugin up to version 0.9.5 allows authenticated administrators to inject malicious scripts through the 'image_url' parameter due to inadequate input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site integrity and user sessions. A patch is not currently available.

Stored cross-site scripting in Tennis Court Bookings plugin for WordPress through version 1.2.7 allows administrators to inject malicious scripts into admin settings that execute when other users access affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

PostmarkApp Email Integrator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

Shield Security plugin for WordPress versions up to 21.0.8 contains a reflected XSS vulnerability in the 'message' parameter that allows unauthenticated attackers to inject malicious scripts through specially crafted links. Successful exploitation requires tricking users into clicking a malicious link, resulting in execution of arbitrary JavaScript in their browser context. No patch is currently available for this vulnerability.

Stored XSS in the XO Event Calendar WordPress plugin through version 3.2.10 allows authenticated contributors and above to inject malicious scripts into pages via the 'xo_event_field' shortcode due to improper input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.

Stored XSS in WordPress Groups plugin through the 'groups_group_info' shortcode allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via inadequate input validation. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking or account compromise. No patch is currently available for versions up to 3.10.0.

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

Stored XSS in InvoicePlane's Sumex invoice view enables authenticated users with invoice management privileges to inject malicious JavaScript that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. Version 1.7.1 and later contain the fix.

InvoicePlane 1.7.0 and earlier contains a stored XSS vulnerability in the Invoice Groups "Identifier Format" field that authenticated users can exploit to inject malicious scripts executed when other users access the invoice list or dashboard. An attacker with invoice group management permissions can inject arbitrary JavaScript that runs in the context of other users' browsers, potentially leading to session hijacking or credential theft. A patch is available in version 1.7.1.

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Product Unit Name field that allows authenticated administrators to inject malicious scripts executed when other admins view affected invoices. Public exploit code exists for this vulnerability, though exploitation requires high-privilege administrator access and user interaction. Version 1.7.1 resolves the issue.

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Invoice Number field that allows authenticated administrators to inject malicious JavaScript executing in other administrators' browsers when viewing invoices or the dashboard. Public exploit code exists for this vulnerability, which has a CVSS score of 4.8 and can result in data theft or unauthorized actions within the application. A patch is available in version 1.7.1.

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Family Name field that executes malicious scripts in administrators' browsers when they access the product form. An authenticated administrator can inject payloads via the family dropdown to compromise other admin sessions. Public exploit code exists for this vulnerability, though a patch is available in version 1.7.1.

Stored XSS via SVG file upload in InvoicePlane 1.7.0 Login Logo functionality allows authenticated administrators to inject persistent malicious scripts, potentially compromising application integrity and enabling unauthorized data modification. Public exploit code exists for this vulnerability, which requires high-level privileges but can lead to persistent backdoors and full application compromise. InvoicePlane 1.7.1 addresses this issue.

MajorDomo's shoutbox feature is vulnerable to stored XSS due to unsanitized user input in the /objects/?method= endpoint, allowing unauthenticated attackers to inject malicious scripts that persist in the database. When administrators access the auto-refreshing dashboard, the stored payload executes automatically, enabling session hijacking and cookie theft. Public exploit code exists for this vulnerability, and no patch is currently available.

MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to inject stored XSS payloads that execute when administrators access the property editor, with public exploit code available. The vulnerability is compounded by session cookies lacking HttpOnly protection, enabling attackers to enumerate properties via the /api.php/data/ endpoint and hijack admin sessions through JavaScript exfiltration.

Reflected XSS in MajorDoMo's command.php allows remote attackers to inject arbitrary JavaScript through an unsanitized qry parameter, affecting users who click malicious links. Public exploit code exists for this vulnerability, and no patch is currently available.

Stored XSS in InvoicePlane 1.7.0's invoice editing function fails to sanitize the invoice_number parameter, allowing authenticated administrators to inject malicious scripts that persist in the application. Public exploit code exists for this vulnerability, enabling attackers with admin access to modify data, create backdoors, and compromise application integrity. Version 1.7.1 addresses this issue.

Stored XSS in InvoicePlane 1.7.0 via malicious SVG file upload in the Invoice Logo function allows authenticated administrators to inject persistent malicious scripts and compromise application integrity. Public exploit code exists for this vulnerability. Version 1.7.1 contains the patch.

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. [CVSS 5.4 MEDIUM]

IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. [CVSS 6.4 MEDIUM]

IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. [CVSS 6.1 MEDIUM]

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. [CVSS 6.1 MEDIUM]

IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. [CVSS 6.1 MEDIUM]

Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. [CVSS 6.1 MEDIUM]

Stored XSS in InvoicePlane 1.7.0's Edit Quotes function allows authenticated administrators to inject malicious scripts via the unvalidated quote_number parameter, enabling persistent code execution and data manipulation. Public exploit code exists for this vulnerability, which could lead to unauthorized modification of invoices, creation of backdoors, and complete compromise of application integrity. Version 1.7.1 addresses this flaw.

Jenkins versions 2.483-2.550 and LTS 2.492.1-2.541.1 contain a stored XSS vulnerability in the agent offline cause description field that fails to properly sanitize user input. Attackers with Agent/Configure or Agent/Disconnect permissions can inject malicious scripts that execute in the browsers of other users viewing the affected agent configuration. No patch is currently available for this vulnerability.

The Ultimate Member WordPress plugin through version 2.11.1 contains a reflected XSS vulnerability in filter parameters that lack proper input sanitization and output escaping. Unauthenticated attackers can inject malicious scripts into pages by crafting malicious links and convincing users to click them. Successful exploitation results in arbitrary JavaScript execution in the context of the affected user's browser session.

Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /system/index_sets/ endpoint where unsanitized URL parameters are echoed into HTML responses, enabling attackers to execute arbitrary JavaScript in users' browsers. An attacker can craft a malicious URL to steal session cookies, hijack user sessions, or perform unauthorized actions within the victim's Graylog interface. No patch is currently available for this vulnerability.

Reflected XSS in Graylog Web Interface version 2.2.3 fails to properly sanitize user-supplied input in the /system/pipelines/ endpoint, enabling attackers to inject malicious JavaScript through specially crafted URLs. An attacker can execute arbitrary scripts in a victim's browser and potentially hijack user sessions when the victim visits a malicious link. No patch is currently available for this vulnerability.

Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /alerts/ endpoint where unencoded URL parameters are reflected in HTML responses, enabling attackers to execute arbitrary JavaScript in a victim's browser through malicious links. Successful exploitation allows session hijacking and limited account manipulation when users click crafted URLs. No patch is currently available for this vulnerability.

Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /system/nodes/ endpoint where unescaped URL parameters are reflected in HTML responses, enabling attackers to execute arbitrary JavaScript in a victim's browser. An attacker can craft a malicious URL to steal session credentials or manipulate user actions within the affected Graylog instance when a user clicks the link. No patch is currently available for this vulnerability.

Reflected XSS in Graylog 2.2.3's web interface allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting malicious URLs that bypass HTML output sanitization, particularly through the user edit endpoint. An attacker can exploit this to perform session hijacking or manipulate user context with no user interaction required beyond visiting a crafted link. No patch is currently available for this vulnerability.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Key Software Solutions Inc. [CVSS 6.3 MEDIUM]

Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.

The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

Stored cross-site scripting in WP Event Aggregator plugin through version 1.8.7 allows authenticated contributors and above to inject malicious scripts via the wp_events shortcode due to inadequate input sanitization. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available, leaving affected WordPress installations vulnerable.

Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.

Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.

Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

InteractiveCalculator for WordPress (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

The Download Manager plugin for WordPress through version 3.3.46 contains a reflected XSS vulnerability in the 'redirect_to' parameter that allows unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

Stored Cross-Site Scripting in the Membership Plugin for WordPress versions up to 3.2.18 allows authenticated administrators to inject malicious scripts into invoice settings fields due to inadequate input sanitization. When other users access pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. Exploitation requires administrator-level access and no patch is currently available.

The Popup Box - Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

VK All in One Expansion Unit (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

Stored cross-site scripting in the Rent Fetch WordPress plugin through version 0.32.4 allows unauthenticated attackers to inject malicious scripts via inadequately sanitized keyword parameters. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

Display During Conditional Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality and Integrity are low.

IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 versions up to 3.0.5.4 is affected by cross-site scripting (xss) (CVSS 6.1).

A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. [CVSS 3.5 LOW]