Cross-Site Scripting

Stored cross-site scripting in thinkupthemes Consulting WordPress theme versions through 1.5.0 enables authenticated users or malicious admins to inject persistent JavaScript payloads that execute in the browsers of other site visitors or administrators. The vulnerability allows arbitrary script execution within the context of the affected WordPress installation, potentially leading to account compromise, malware distribution, or session hijacking. No public exploit code or active exploitation has been confirmed at time of analysis.

Stored cross-site scripting (XSS) in thinkupthemes Minamaze WordPress theme versions up to 1.10.1 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability has an EPSS score of 0.01% (3rd percentile), indicating minimal likelihood of exploitation in practice, though it represents a privilege-escalation pathway for authenticated attackers with contributor-level access or higher.

DOM-based cross-site scripting (XSS) in WebMan Amplifier WordPress plugin through version 1.5.12 allows attackers to inject malicious scripts that execute in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks depending on the specific injection vector. With an EPSS score of 0.01% (3rd percentile) and no evidence of active exploitation, this represents a low real-world risk despite the XSS classification, though remediation is still recommended for all affected installations.

DOM-based cross-site scripting (XSS) in The Moneytizer WordPress plugin up to version 10.0.9 allows attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects WordPress sites running the vulnerable plugin versions and could enable session hijacking, credential theft, or malware distribution targeting site administrators and visitors. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.01% suggests minimal real-world exploitation probability.

DOM-based cross-site scripting (XSS) in Kalender.digital WordPress plugin through version 1.0.13 allows unauthenticated attackers to inject malicious scripts via improper input neutralization during web page generation. The vulnerability affects all versions up to and including 1.0.13, with an EPSS score of 0.01% indicating very low exploitation likelihood in practice despite the high-severity CWE-79 classification.

DOM-based cross-site scripting (XSS) in Bainternet User Specific Content WordPress plugin versions 1.0.6 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While no public exploit code or active exploitation has been confirmed, the extremely low EPSS score (0.01%) and lack of CVSS vector data suggest limited real-world exploitability or specificity to attack scenarios, despite the XSS classification.

DOM-based cross-site scripting (XSS) in Genetech Products Web and WooCommerce Addons for WPBakery Builder (vc-addons-by-bit14) plugin versions up to 1.5 allows unauthenticated attackers to inject malicious scripts that execute in the context of affected user sessions. The vulnerability stems from improper neutralization of user-supplied input during web page generation. EPSS scoring (0.01%, percentile 3%) indicates very low real-world exploitation probability despite the nature of the flaw, and no public exploit code or active exploitation has been confirmed.

DOM-based cross-site scripting (XSS) vulnerability in the Responsive Block Control WordPress plugin through version 1.3.0 allows attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction with a malicious link or form, but once triggered, the vulnerability enables session hijacking, credential theft, or defacement. The vulnerability has an exceptionally low EPSS score (0.01th percentile) suggesting minimal real-world exploitation likelihood despite public disclosure.

DOM-based cross-site scripting (XSS) vulnerability in Ruhul Amin Content Fetcher WordPress plugin versions 1.1 and earlier allows authenticated attackers to inject arbitrary JavaScript code into web pages, potentially compromising site integrity and user sessions. The vulnerability resides in improper input neutralization during web page generation, enabling malicious scripts to execute in the context of affected websites. EPSS exploitation probability is extremely low at 0.01% (3rd percentile), indicating minimal real-world attack likelihood despite the XSS vector.

Stored cross-site scripting (XSS) in Tomas WordPress Tooltips plugin versions 10.9.3 and earlier allows authenticated attackers to inject malicious scripts into tooltip content that execute in the browsers of site administrators and other users. The vulnerability affects WordPress Tooltips through version 10.9.3, and exploitation requires an authenticated user with permissions to create or modify tooltips. No public exploit code or active exploitation has been identified at time of analysis.

Stored cross-site scripting (XSS) in wpforchurch Sermon Manager WordPress plugin through version 2.30.0 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site administrators and other users. The vulnerability affects sermon content input validation, enabling attackers with contributor or editor privileges to compromise website integrity and steal sensitive data from higher-privileged users.

Stored cross-site scripting (XSS) vulnerability in BasePress Knowledge Base documentation & wiki plugin versions through 2.17.0.1 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users viewing affected content. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise user sessions, steal credentials, or deface documentation within WordPress installations using BasePress. With EPSS exploitation probability at 0.04% (14th percentile), real-world exploitation risk is currently low, though the stored nature of the XSS makes it a persistence risk if discovered by threat actors.

Stored cross-site scripting (XSS) in BuddyDev BuddyPress Activity Shortcode plugin through version 1.1.8 allows attackers to inject and persist malicious scripts that execute in users' browsers. The vulnerability affects WordPress sites using this plugin, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and active exploitation has not been confirmed.

Stored cross-site scripting (XSS) in the Justin Tadlock Series WordPress plugin up to version 2.0.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage within the plugin's data structures. With an EPSS score of 0.04% and low exploitation probability, this represents a lower-priority but still exploitable vulnerability in a plugin with active distribution.

DOM-based cross-site scripting (XSS) in Funnelforms Free WordPress plugin version 3.8 and earlier allows authenticated attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability has a low EPSS score (0.04%, 14th percentile) and no confirmed active exploitation, suggesting limited real-world attack probability despite the XSS classification.

Stored XSS vulnerability in MX Time Zone Clocks WordPress plugin versions up to 5.1.1 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during web page generation, enabling persistent cross-site scripting attacks that could compromise site visitors, steal session tokens, or deface content. EPSS score of 0.04% indicates low real-world exploitation probability, though the stored nature of the XSS makes it a medium-priority remediation target for affected WordPress administrators.

Stored cross-site scripting (XSS) in Shuttle WordPress theme through version 1.5.0 allows authenticated users to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the moderate attack surface typical of stored XSS flaws. No public exploit code or active exploitation has been confirmed.

Stored cross-site scripting (XSS) vulnerability in the Melos WordPress theme through version 1.6.0 allows attackers to inject and execute arbitrary JavaScript code that persists in the application and executes in the browsers of other users. The vulnerability affects all versions up to and including 1.6.0, and while no CVSS vector or EPSS exploitation probability is formally assigned, the low EPSS score (0.04th percentile) suggests minimal real-world exploitation likelihood despite the stored nature of the flaw.

Stored XSS vulnerability in Zoho ZeptoMail transmail WordPress plugin through version 3.3.1 can be triggered via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of all users who access affected pages. The vulnerability affects the transmail plugin for Zoho Mail integration and carries low exploitation probability (EPSS 0.02%) despite the high-impact nature of stored XSS.

Cross-site request forgery (CSRF) vulnerability in the WordPress Custom Post Status plugin up to version 1.1.0 enables attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The CSRF protection bypass allows unauthenticated attackers to craft malicious requests that, when clicked by an admin, result in persistent JavaScript injection into the WordPress database. This is a chained vulnerability where CSRF-enabled request forgery leads to XSS payload storage.

Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4 exploitable via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that execute in the context of site administrators and visitors. The vulnerability combines a CSRF flaw with inadequate input sanitization, enabling persistent payload storage that affects all users viewing affected plugin output.

Cross-site request forgery (CSRF) in the Marcin Kijak Noindex by Path WordPress plugin through version 1.0 allows unauthenticated attackers to perform unauthorized administrative actions such as modifying plugin settings via crafted HTML or JavaScript on attacker-controlled sites. The vulnerability chaining with stored XSS enables attackers to inject malicious scripts that persist in the plugin's data, affecting all users who access the compromised settings. No public exploit code has been identified, and real-world exploitation risk is minimal (EPSS 0.02%), indicating this is primarily a theoretical risk in low-traffic or neglected WordPress installations.

WP-EasyArchives WordPress plugin versions 3.1.2 and earlier contains a cross-site request forgery (CSRF) vulnerability that enables stored cross-site scripting (XSS) attacks. An unauthenticated attacker can craft a malicious request to trick authenticated administrators into performing unintended actions, potentially injecting persistent JavaScript payloads that execute in the browsers of all site visitors. With an EPSS score of 0.02% (5th percentile), this vulnerability represents minimal real-world exploitation probability despite the attack chain complexity.

Cross-site request forgery (CSRF) vulnerability in reneade SensitiveTagCloud WordPress plugin through version 1.4.1 allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially combined with stored XSS to inject malicious content. The vulnerability affects all versions up to and including 1.4.1, with no CVSS vector provided, but EPSS data suggests low real-world exploitation probability (0.02% percentile).

Cross-site request forgery (CSRF) vulnerability in the Social Profilr WordPress plugin version 1.0 and earlier allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The vulnerability affects the social-profilr-display-social-network-profile plugin and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or confirmed active exploitation identified at the time of analysis.

Cross-Site Request Forgery (CSRF) in the Custom Style WordPress plugin up to version 1.0 enables attackers to perform unauthorized administrative actions, potentially leading to stored cross-site scripting (XSS) injection. The vulnerability affects all versions from initial release through 1.0, with no CVSS score published but an EPSS score of 0.02% indicating minimal observed exploitation probability. No active KEV status or public exploit code has been identified.

Stored XSS via CSRF in eleopard Behance Portfolio Manager WordPress plugin versions up to 1.7.5 allows authenticated attackers to inject malicious scripts through cross-site request forgery mechanisms, potentially compromising site administrators and visitors. The EPSS score of 0.02% indicates low exploitation probability, though the vulnerability type suggests a chainable attack vector when combined with social engineering. No CVSS score was assigned, limiting quantification of attack complexity and privilege requirements.

Cross-site request forgery (CSRF) vulnerability in Simple Archive Generator WordPress plugin through version 5.2 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored XSS injection. The vulnerability requires tricking an administrator into visiting a malicious page but carries low exploitation probability (EPSS 0.02%) despite being simple to execute, suggesting limited real-world weaponization.

WP-CalDav2ICS WordPress plugin through version 1.3.4 contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored XSS attacks. The vulnerability allows unauthenticated attackers to craft malicious requests that, when executed by a logged-in administrator or user, inject persistent malicious scripts into the plugin's stored data. This combined CSRF+XSS chain can lead to persistent compromise of the WordPress site through script injection.

DOM-based cross-site scripting (XSS) in WPCal.io WordPress plugin versions 0.9.5.9 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected websites. No CVSS score is available, but the EPSS score of 0.04% (14th percentile) indicates low practical exploitation likelihood despite the XSS vector being a common attack class.

Stored cross-site scripting (XSS) in Yada Wiki WordPress plugin through version 3.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that could compromise site integrity, steal credentials, or perform actions on behalf of administrators. EPSS exploitation probability is very low at 0.04%, but the stored nature of the vulnerability means injected payloads persist across sessions.

DOM-based cross-site scripting (XSS) in 8theme XStore Core plugin (et-core-plugin) versions below 5.6 allows attackers to inject malicious scripts that execute in users' browsers during web page generation. The vulnerability affects WordPress installations using the vulnerable plugin, and while no CVSS score was assigned, the extremely low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the XSS classification.

Stored cross-site scripting (XSS) in webcreations907 WBC907 Core WordPress plugin versions up to 3.4.1 allows attackers to inject and execute malicious JavaScript that persists in the application, potentially compromising users who view affected pages. The vulnerability stems from improper input neutralization during web page generation. No public exploit code or active exploitation has been identified at the time of analysis, though the attack vector and complexity depend on the specific injection point within the plugin.

Stored cross-site scripting (XSS) in CodeFlavors Featured Video for WordPress (VideographyWP) plugin version 1.0.18 and earlier allows authenticated attackers to inject malicious scripts that execute in the browsers of other site users, potentially compromising administrator accounts and site integrity. The vulnerability stems from improper input sanitization during web page generation, and no public exploit code has been identified at the time of analysis.

Stored Cross-Site Scripting (XSS) in Magnigenie RestroPress WordPress plugin through version 3.2.8.4 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or defacing content. The vulnerability requires user interaction (UI:R) and affects only authenticated attackers (PR:L), limiting immediate exploitation risk despite the moderate CVSS score of 6.5. No public exploit code or active exploitation has been confirmed at time of analysis.

DOM-based cross-site scripting (XSS) in Crocoblock JetTabs WordPress plugin versions up to 2.2.12 allows attackers to inject malicious scripts that execute in users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling stored or reflected XSS attacks without requiring authentication. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is very low despite the publicly documented vulnerability.

Reflected cross-site scripting (XSS) in the Off Page SEO WordPress plugin through version 3.0.3 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code has been identified, and the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the moderate theoretical attack surface.

Reflected cross-site scripting (XSS) in the Product Puller WordPress plugin through version 1.5.1 allows unauthenticated attackers to inject malicious JavaScript into web pages viewed by other users. The vulnerability stems from improper input sanitization in the plugin's request handling, enabling attackers to craft malicious URLs that execute arbitrary scripts in victim browsers. No public exploit code has been identified, and the EPSS score of 0.04% indicates low exploitation probability in the wild, though the vulnerability remains remotely exploitable without authentication.

Reflected XSS in Sleekplan WordPress plugin through version 0.2.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability exists in the plugin's input handling during web page generation, enabling attackers to steal session cookies, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No active exploitation has been confirmed, but the attack vector is network-based with low complexity.

Reflected cross-site scripting (XSS) in the Rakessh Ads24 Lite WordPress plugin (wp-ad-management) up to version 1.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when visited, potentially compromising user sessions, stealing credentials, or defacing content. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the straightforward attack vector.

Stored cross-site scripting (XSS) in WordPress Custom Field Template plugin through version 2.7.7 allows authenticated users to inject malicious scripts that execute in the browsers of other users who view affected content, potentially compromising site security and user data. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the high-impact nature of stored XSS on WordPress sites.

DOM-based cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin through version 3.5.16 allows attackers to inject malicious scripts into the search interface that execute in users' browsers. The vulnerability affects the plugin's web page generation when processing search input, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users without requiring authentication themselves. No CVSS score was available at analysis time, but the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the XSS vector.

Stored cross-site scripting (XSS) in codeaffairs Wp Text Slider Widget plugin for WordPress versions 1.0 and earlier enables authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users. The vulnerability arises from improper input sanitization during widget configuration, allowing persistent code injection through the plugin's admin interface.

Reflected cross-site scripting (XSS) in the Content Grid Slider WordPress plugin through version 1.5 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing script payloads that execute in the victim's browser when the page is rendered, potentially enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.04% indicates minimal real-world exploitation likelihood despite the vulnerability's technical severity.

Reflected cross-site scripting (XSS) in Advanced Custom CSS WordPress plugin versions through 1.1.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, credentials, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation risk despite the straightforward attack vector.

Reflected cross-site scripting (XSS) in INVELITY Invelity SPS connect WordPress plugin through version 1.0.8 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation and carries an extremely low exploitation probability (EPSS 0.04th percentile), suggesting minimal real-world attack motivation despite the CVSS scoring absence.

Stored XSS in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. The vulnerability requires user interaction (viewing a page with the injected content) and affects the site's security context (SameSite:Changed per CVSS:3.1/S:C). EPSS score of 0.04% indicates low real-world exploitation probability despite CVE publication.

Stored cross-site scripting (XSS) in Live Composer page builder plugin for WordPress (versions through 2.1.11) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with contributor or editor access can store XSS payloads that persist in the database and execute when administrators or other site visitors interact with the affected content, potentially leading to session hijacking, credential theft, or malware distribution.

Stored cross-site scripting (XSS) in BlueGlass Interactive AG Jobs for WordPress plugin versions 2.8.1 and earlier allows authenticated users with low privileges to inject malicious scripts into job postings that execute in the browsers of other site visitors. The vulnerability requires user interaction (clicking a crafted link) and affects website visitors with cross-site request forgery capabilities, resulting in limited confidentiality and integrity impact but no availability impact. The issue has a low exploitation probability (EPSS 0.04%) despite publicly disclosed details.

Stored cross-site scripting (XSS) in WordPress plugin My auctions allegro (versions up to 3.6.35) allows authenticated users to inject malicious scripts that execute in other users' browsers when viewing auction content. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected WordPress installations, though with limited scope within the plugin context. No public exploit code or active exploitation has been identified; real-world risk is moderate given the requirement for authenticated access and user interaction.

Cross-site scripting (XSS) vulnerability in CodexThemes TheGem Theme Elements (for Elementor) plugin through version 5.10.5.1 allows improper neutralization of input during web page generation. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially compromising WordPress site visitors and administrators. No active exploitation has been confirmed at time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the vulnerability's presence in a widely-used Elementor theme plugin.

Stored cross-site scripting (XSS) in WebCodingPlace Responsive Posts Carousel Pro WordPress plugin versions 15.2 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise site integrity and steal sensitive user data. EPSS exploitation probability is notably low (0.04%, 14th percentile), suggesting limited real-world attack incentive despite the stored nature of the flaw.

Stored cross-site scripting (XSS) in Void Elementor WHMCS Elements for Elementor Page Builder through version 2.0.1.2 allows authenticated attackers to inject malicious scripts into web pages generated by the plugin, potentially compromising site visitors and administrators. The vulnerability stems from improper input sanitization in page generation functions. No public exploit code or active exploitation has been identified, but the low EPSS score (0.04%) reflects limited real-world attack probability despite the high-impact nature of XSS vulnerabilities.

Stored cross-site scripting (XSS) in HappyDevs TempTool WordPress plugin version 1.3.1 and earlier allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users who view affected pages. The vulnerability exists in the [Show Current Template Info] functionality and affects the current-template-name component; exploitation requires an authenticated user with appropriate plugin permissions but can compromise all site visitors who interact with the injected content.

Stored cross-site scripting (XSS) in WP Microdata WordPress plugin version 1.0 and earlier allows authenticated users or lower-privileged administrators to inject malicious scripts that execute in the browsers of site visitors, potentially leading to credential theft, session hijacking, or malware distribution. The vulnerability stems from improper input sanitization during web page generation. EPSS score of 0.04% indicates low exploitation probability in real-world conditions.

Stored XSS in SlimStat Analytics for WordPress allows unauthenticated attackers to inject malicious scripts via unsanitized 'outbound_resource' parameter in slimtrack AJAX action (versions ≤5.3.2). Injected scripts execute when any user accesses the compromised page, enabling session hijacking, credential theft, or privilege escalation. Affects all installations with publicly accessible AJAX endpoints. No public exploit identified at time of analysis.

DOM-based cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin versions up to 2.7.12 allows attackers to inject malicious scripts into web pages through improper input neutralization during page generation. The vulnerability affects WordPress sites using this Elementor page builder extension and can enable session hijacking, credential theft, or malware distribution against site visitors. EPSS exploitation probability is low at 0.04%, but the attack vector is likely network-based requiring no authentication.

Stored HTML injection in Nozomi Networks CMC and Guardian Asset List functionality allows unauthenticated remote attackers to inject malicious HTML tags into asset attributes via crafted network packets, enabling phishing and open redirect attacks when victims view affected assets. CVSS 5.3 (medium severity) with user interaction required; exploitation is bounded by existing Content Security Policy and input validation that prevent full XSS and direct information disclosure.

Stored cross-site scripting in Nozomi Networks CMC and Guardian allows authenticated users with report privileges to inject malicious JavaScript payloads into report definitions. When victims view or import these weaponized reports, the XSS executes in their browser context, enabling attackers to modify application data, disrupt availability, and access sensitive information. The vulnerability requires low-privilege authentication and user interaction (CVSS:4.0 score 7.1, PR:L/UI:P), with high integrity and availability impacts but limited confidentiality exposure. No public exploit identified at time of analysis, though the attack technique is well-understood and straightforward given the stored XSS nature.

Stored HTML injection in Nozomi Networks CMC and Guardian Time Machine Snapshot Diff feature allows unauthenticated attackers to inject HTML tags into asset attributes across snapshots via specially crafted network packets. When a victim uses the Snapshot Diff feature and performs specific GUI actions, the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is mitigated by input validation and Content Security Policy. This vulnerability has not been confirmed as actively exploited, requires high attack complexity (multiple preconditions), and results in low integrity impact with limited scope.

Stored cross-site scripting (XSS) in VK Google Job Posting Manager WordPress plugin versions up to 1.2.22 allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators. The vulnerability requires user interaction (clicking a link or viewing a malicious page) to trigger payload execution and affects the plugin's web page generation functionality. EPSS probability of exploitation is notably low at 0.04%, suggesting this is primarily a theoretical risk without documented active exploitation.

Stored cross-site scripting (XSS) in Premio Stars Testimonials WordPress plugin versions 3.3.4 and below allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators or visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate risk, but the stored nature means injected payloads persist and affect multiple users. No public exploit code or active KEV status is documented, though the 6.5 CVSS score reflects moderate severity when considering cross-site impact.

Reflected cross-site scripting (XSS) in WPS Visitor Counter WordPress plugin through version 1.4.8 allows remote attackers to inject malicious scripts via the REQUEST_URI parameter, which is output without sanitization in HTML attributes. The vulnerability has a CVSS score of 5.8 and requires user interaction (clicking a crafted link), with exploitation limited primarily to older web browsers due to modern XSS protections. No public exploit code or active exploitation has been identified at the time of analysis.

Stored Cross-Site Scripting in WP Job Portal plugin for WordPress up to version 2.4.4 allows authenticated attackers with Editor-level access or higher to inject arbitrary JavaScript into job description fields by exploiting explicit whitelisting of the `<script>` tag in the WPJOBPORTAL_ALLOWED_TAGS configuration. The injected scripts execute when users view affected job listings, enabling session hijacking, credential theft, and other malicious activities. Impact is limited to multi-site installations or sites with unfiltered_html disabled. CVSS score of 4.4 reflects the high privilege requirement (PR:H) and high attack complexity (AC:H), though the vulnerability affects a potentially large number of WordPress installations.

Stored Cross-Site Scripting in Bold Timeline Lite WordPress plugin up to version 1.2.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'bold_timeline_group' shortcode, executing malicious scripts whenever users view affected pages. CVSS 6.4 reflects moderate impact (confidentiality and integrity compromise across trust boundaries); EPSS 0.04% indicates low real-world exploitation probability. No public exploit code or active exploitation confirmed.

Stored Cross-Site Scripting in BUKAZU Search widget plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript through the 'shortcode' parameter of the 'bukazu_search' shortcode. The vulnerability affects all versions up to and including 3.3.2 and results from insufficient input sanitization and output escaping. Malicious scripts execute in the context of any user accessing affected pages. EPSS score of 0.04% indicates low real-world exploitation probability despite moderate CVSS 6.4 severity.

Stored Cross-Site Scripting in NewStatPress WordPress plugin versions up to 1.4.3 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript into pages via a regex bypass in the nsp_shortcode function. When site visitors access pages containing the injected malicious shortcode attribute, the attacker's script executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified; EPSS score of 0.04% reflects the requirement for authenticated access and user interaction.

Reflected cross-site scripting (XSS) in Accept Stripe Payments Using Contact Form 7 WordPress plugin versions up to 3.1 allows unauthenticated attackers to inject arbitrary JavaScript via the 'failure_message' parameter due to insufficient input sanitization and output escaping. An attacker can craft a malicious link that, when clicked by a victim, executes JavaScript in the victim's browser session with access to sensitive data or session tokens. No public exploit code or active exploitation has been confirmed at the time of analysis.

Stored cross-site scripting in Better Elementor Addons plugin for WordPress up to version 1.5.5 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript through insufficiently sanitized Slider widget attributes, which executes when any user views the affected page. This is a stored XSS vulnerability affecting a widely-deployed WordPress plugin; no public exploit code or active exploitation has been confirmed at time of analysis, but the low CVSS complexity (AC:L) and moderate EPSS exploitation probability make this a practical concern for any WordPress site running the vulnerable plugin versions with user roles permitted to edit pages.

Shopware, an open commerce platform, contains a reflected cross-site scripting (XSS) vulnerability in its authentication controller where the 'waitTime' URL parameter from the login page is rendered directly into the Twig template without validation or sanitization. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 are affected, allowing attackers to inject malicious JavaScript code through crafted URLs. With an EPSS score of only 0.04% (11th percentile), active exploitation appears low despite the availability of patches and public advisories.

DOM-based cross-site scripting (XSS) in muffingroup Betheme WordPress theme versions up to 28.2 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected installations; EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been confirmed.

DOM-based cross-site scripting in Dream-Theme The7 WordPress theme versions before 12.9.0 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers via improperly sanitized input during web page generation. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world exploitability despite a moderate CVSS score of 6.5. EPSS exploitation probability is low at 0.04th percentile, and no public exploit code or active exploitation has been reported.

Improper HTML tag neutralization in sevenspark Contact Form 7 - Dynamic Text Extension through version 5.0.5 allows unauthenticated remote attackers to inject malicious scripts via a network-based attack with no user interaction required, resulting in confidentiality compromise through information disclosure. The vulnerability is classified as cross-site scripting (XSS) with low exploitability probability (EPSS 0.06%, percentile 18%), suggesting limited real-world attack incentive despite the network-accessible attack vector.

Stored cross-site scripting (XSS) in Porto Theme - Functionality plugin for WordPress allows authenticated users with low privileges to inject malicious scripts into web pages that execute in the browsers of other site visitors. The vulnerability affects Porto Theme - Functionality versions below 3.7.3 and has a low exploitation probability (EPSS 0.01%), but requires user interaction and authenticated access to exploit, limiting immediate risk to well-managed WordPress installations with access controls.

DOM-Based Cross-Site Scripting (XSS) in KALLYAS WordPress theme versions below 4.25.0 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users, potentially stealing session cookies, credentials, or performing unauthorized actions on their behalf. The vulnerability requires user interaction (clicking a malicious link) and affects the theme's web page generation routines. EPSS probability is 0.01% (very low), suggesting minimal real-world exploitation likelihood despite the moderate CVSS score of 6.5.

DOM-based cross-site scripting in WordPress plugin WP Ultimate Review versions ≤2.3.7 allows remote attackers to execute malicious JavaScript in victims' browsers via crafted input that is improperly sanitized during client-side page rendering. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering or malicious links. Exploitation probability is low (EPSS 0.04%, 14th percentile), with no public exploit identified at time of analysis and no confirmed active exploitation (not in CISA KEV).

Stored cross-site scripting (XSS) in Master Addons for Elementor through version 2.0.9.9.4 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or stealing sensitive data. The vulnerability requires user interaction (UI:R) and affects the plugin's input sanitization during web page generation. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a lower real-world risk despite the moderate CVSS base score of 6.5.

Stored cross-site scripting (XSS) in SimpLy Gallery WordPress plugin (versions up to 3.3.2.1) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially leading to session hijacking, credential theft, or site defacement. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

Stored XSS in Make Section & Column Clickable For Elementor WordPress plugin (versions through 2.4) allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects site confidentiality, integrity, and availability with limited scope. EPSS score of 0.04% indicates low exploitation probability despite the presence of a public vulnerability disclosure.

DOM-based cross-site scripting (XSS) in ThimPress WP Hotel Booking plugin versions up to 2.2.8 allows authenticated users with high privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting its real-world impact despite a moderate CVSS score of 5.9. EPSS exploitation probability is very low at 0.04%, indicating minimal practical attack likelihood.

Stored cross-site scripting (XSS) in Generic Elements for Elementor plugin versions 1.2.9 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a malicious link) and affects WordPress installations using this plugin. EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been identified.

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site.

A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller (firmware 1.5.1799).

Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input.

A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page.

Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page.

In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html).  This issue affects Vulnerability-Lookup: before 2.18.0.

A flaw has been found in GreenCMS 2.3.0603. Affected by this issue is some unknown functionality of the file /Admin/Controller/CustomController.class.php of the component Menu Management Page. This manipulation of the argument Link causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.