Cross-Site Scripting

Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.03 could be susceptible to cross-site scripting due to no validation of URIs. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A vulnerability, which was classified as problematic, was found in atjiu pybbs up to 6.0.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

A vulnerability, which was classified as problematic, has been found in atjiu pybbs up to 6.0.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

A vulnerability classified as problematic was found in atjiu pybbs up to 6.0.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

A vulnerability classified as problematic has been found in atjiu pybbs up to 6.0.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

A vulnerability was found in atjiu pybbs up to 6.0.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.5.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A vulnerability was found in atjiu pybbs up to 6.0.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

The WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.0.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Campus Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 1.9.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Use-your-Drive | Google Drive plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in file metadata in all versions up to, and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.10. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability classified as problematic was found in Portabilis i-Educar 2.10. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability classified as problematic has been found in Portabilis i-Educar 2.10. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was found in Portabilis i-Educar 2.10. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was found in Portabilis i-Educar 2.10. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was found in Portabilis i-Educar 2.10. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was found in Portabilis i-Educar 2.10 and classified as problematic. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability has been found in Portabilis i-Educar 2.10 and classified as problematic. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability, which was classified as problematic, has been found in cronoh NanoVault up to 1.2.1.js of the component xrb URL Handler. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable. No vendor patch available.

The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Unisite CMS version 5.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" functionality. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability, which was classified as problematic, has been found in givanz Vvveb up to 1.0.5.php?module=settings/post-types of the component Add Type Handler. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

A cross-site scripting (XSS) vulnerability in Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A cross-site scripting (XSS) vulnerability in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name of a. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the CWE-79: Improper Neutralization of Input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A vulnerability classified as problematic was found in Portabilis i-Diario 1.5.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability classified as problematic has been found in Portabilis i-Educar 2.10. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

A vulnerability was found in Portabilis i-Educar 2.9. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was found in Portabilis i-Educar 2.9. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was found in Portabilis i-Educar 2.9. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.12.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was found in 495300897 wx-shop up to de1b66331368695779cfc6e4d11a64caddf8716e and classified as problematic. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A vulnerability classified as problematic has been found in code-projects Human Resource Integrated System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

The Mocca Calendar application before 2.15 for XWiki allows XSS via a title upon calendar import. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Mocca Calendar application before 2.15 for XWiki allows XSS via a title to the view event page. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Ocean Social Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via social icon titles in all versions up to, and including, 2.2.1 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Image Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

The Mmm Unity Loader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘attributes’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Magic Edge - Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘height’ parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The All in One Time Clock Lite - Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

The Custom Word Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘angle’ parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Medical Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter widget in all versions up to, and including, 1.6.3 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The ShortPixel Adaptive Images - WebP, AVIF, CDN, Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the API URL Setting in all versions up to, and including,. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

The 360 Photo Spheres plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sphere' shortcode in all versions up to, and including, 1.3 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's TypeOut Text widget in all versions up to, and including, 1.9.2 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Partner Software's Partner Software application and Partner Web application allows an authenticated user to add notes on the 'Notes' page when viewing a job but does not completely sanitize input,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Files is a module for managing files inside spaces and user profiles. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity.

A stored Cross-Site Scripting (XSS) vulnerability exists in the qureydetails.php page of Institute-of-Current-Students 1.0, where the input fields for Query and Answer do not properly sanitize user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 12 is vulnerable to stored cross-site scripting. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

A stored cross-site scripting (XSS) vulnerability in The Language Sloth Web Application v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites - Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed plugin for WordPress. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

The Stratum - Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Google Maps and Image Hotspot widgets in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Universal cross-site scripting (XSS) in Safari and macOS allows remote attackers to execute arbitrary JavaScript in the context of visited websites by processing maliciously crafted web content. The vulnerability affects Safari 18.5 and earlier, and macOS Sequoia 15.5 and earlier, and is fixed in Safari 18.6 and macOS Sequoia 15.6. Attack requires user interaction (clicking a malicious link or visiting a compromised site) but carries no authentication requirement. EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

Stored Cross-Site Scripting in the Educenter WordPress theme Circle Counter Block allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages, executing when users visit affected content. The vulnerability stems from insufficient input sanitization in the circle-counter.php block component (versions up to 1.6.2) and affects all users viewing injected pages. CVSS 6.4 (medium) reflects the requirement for authenticated access and limited scope; no public exploit code or active exploitation has been confirmed at time of analysis.

Stored Cross-Site Scripting in Mine CloudVod WordPress plugin versions up to 2.1.10 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through the 'audio' parameter due to insufficient input sanitization and output escaping. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site security and user data. No public exploit code or active exploitation has been confirmed at analysis time.

Reflected cross-site scripting (XSS) in the FunnelCockpit WordPress plugin up to version 1.4.3 allows unauthenticated attackers to inject arbitrary JavaScript through the 'error' parameter due to insufficient input sanitization and output escaping. Exploitation requires social engineering an administrative user to click a malicious link, enabling attackers to steal session cookies, perform administrative actions, or redirect users to phishing sites. No public exploit code or active exploitation has been confirmed at time of analysis.

Stored Cross-Site Scripting in WP Get The Table WordPress plugin versions up to 1.5 allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the 'url' parameter due to insufficient input sanitization and output escaping. Injected scripts execute whenever any user accesses the affected pages, potentially compromising site visitors and enabling account hijacking, malware distribution, or data theft. No public exploit code or active exploitation has been confirmed at time of analysis, but the vulnerability requires only contributor-level access and has a moderate CVSS score of 6.4 reflecting limited technical complexity and network-based attack vector.

Stored Cross-Site Scripting in Taeggie Feed plugin for WordPress (all versions up to 0.1.10) allows authenticated attackers with contributor-level access or above to inject arbitrary JavaScript via the taeggie-feed shortcode's name attribute, which is rendered unsanitized in both a script tag ID and jQuery.getScript() call. The vulnerability has a CVSS score of 6.4 with cross-site impact; no public exploit code or active exploitation has been confirmed at this time.

Stored Cross-Site Scripting in muse.ai WordPress plugin versions up to 0.4 allows authenticated attackers with contributor-level access to inject malicious scripts via insufficiently sanitized shortcode attributes, enabling arbitrary code execution in the context of any user viewing affected pages. The vulnerability requires authentication and user interaction (page access by victims), resulting in a CVSS 6.4 score; no public exploit code or active exploitation has been identified at time of analysis.

Reflected cross-site scripting in Post Grid Master WordPress plugin versions up to 3.4.13 allows unauthenticated attackers to inject arbitrary JavaScript through the 'argsArray[read_more_text]' parameter due to insufficient input sanitization and output escaping. An attacker can craft a malicious link and trick users into clicking it, causing the injected script to execute in their browser with the victim's privileges. Publicly available exploit code exists, and the vulnerability affects all installations of the plugin through version 3.4.13.

Stored Cross-Site Scripting in Structured Content plugin for WordPress up to version 1.6.4 allows authenticated contributors and above to inject arbitrary JavaScript via the sc_fs_local_business shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially enabling account compromise, malware distribution, or defacement. No public exploit code or active exploitation has been confirmed at this time.

Stored cross-site scripting in Fleetwire Fleet Management WordPress plugin versions up to 1.0.19 allows authenticated contributors and above to inject malicious scripts via the fleetwire_list shortcode due to insufficient input sanitization and output escaping. When site visitors access pages containing the injected shortcode, the attacker's scripts execute in their browsers with access to session cookies and site functionality, enabling credential theft, malware distribution, or defacement. No public exploit code or active exploitation has been confirmed at time of analysis.

Stored Cross-Site Scripting in the Valuation Calculator WordPress plugin (all versions up to 1.3.2) allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript through the 'link' parameter due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially compromising site visitors and enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.

Mozilla Firefox and Thunderbird execute JavaScript via crafted object/embed tags, enabling remote attackers to achieve high-impact XSS without authentication. Affects Firefox <141, Firefox ESR <128.13/<140.1, and Thunderbird <141/128.13/140.1. Users must visit a malicious page (UI:R), but attack complexity is low (AC:L) and no privileges required (PR:N). Vendor-released patches available across all affected product lines. No public exploit identified at time of analysis, though the attack surface is broad given browser/email client ubiquity.

Stored Cross-Site Scripting in WP Shortcodes Plugin - Shortcodes Ultimate allows authenticated attackers with Author-level access to inject arbitrary JavaScript through insufficiently sanitized 'Title' and 'Slide link' fields in image uploads, affecting all versions up to 7.4.2. The injected scripts execute in the context of any user viewing affected pages, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified at time of analysis, but the vulnerability requires only standard WordPress Author privileges and network access to exploit.

Execute arbitrary shortcodes in WordPress sites running WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.2 via Cross-Site Request Forgery targeting site administrators. Unauthenticated attackers can forge requests that bypass nonce validation in the preview function, allowing execution of arbitrary shortcodes if an admin clicks a malicious link. When combined with CVE-2025-7354, this enables Reflected Cross-Site Scripting. EPSS score of 6.1 (moderate CVSS) reflects the UI requirement and need for admin interaction, though real-world risk is elevated due to the attack surface in WordPress admin workflows. No public exploit code or CISA KEV confirmation identified at time of analysis.

Reflected cross-site scripting (XSS) in EZiHosting Tennis Court Bookings WordPress plugin through version 1.2.7 allows unauthenticated attackers to inject malicious scripts into web pages viewed by administrators and users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at time of analysis.

Reflected cross-site scripting (XSS) in Kingdom Creation Media Folder WordPress plugin versions through 1.0.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exists in input handling during page generation and can be exploited by crafting specially-formed URLs, enabling session hijacking, credential theft, or malware distribution without requiring authentication or user interaction beyond visiting a malicious link.

Reflected cross-site scripting (XSS) in the WordPress plugin Dot html,php,xml etc pages version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers. While a public advisory exists, the EPSS score of 0.04% indicates low exploitation probability, and no active exploitation or public proof-of-concept has been confirmed.

Reflected cross-site scripting (XSS) in cmsMinds Pay with Contact Form 7 WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by victims. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No public exploit code or active exploitation has been confirmed at time of analysis, and the 0.04% EPSS score indicates very low exploitation probability.

Reflected cross-site scripting (XSS) in Stefan M. SMu Manual DoFollow WordPress plugin through version 1.8.1 allows unauthenticated attackers to inject malicious scripts into web pages viewed by site visitors. An attacker can craft a malicious URL and trick users into clicking it, executing arbitrary JavaScript in their browsers within the context of the vulnerable site. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.04% indicates low likelihood of exploitation in the wild, though the vulnerability remains a valid security concern for WordPress administrators.

Reflected cross-site scripting (XSS) in Contact Form 7 Editor Button WordPress plugin version 1.0.0 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability exists in the plugin's input handling during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the vulnerability is readily exploitable given the low complexity of XSS attacks.

Stored cross-site scripting (XSS) in Contest Gallery WordPress plugin version 26.0.6 and earlier allows authenticated or unauthenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage in the plugin's database. No public exploit code has been identified, and real-world exploitation risk is considered low based on EPSS scoring (0.04% probability).

Reflected cross-site scripting (XSS) in Infility Global WordPress plugin through version 2.13.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%) suggests limited practical exploitation likelihood despite the XSS attack vector.

Reflected cross-site scripting (XSS) in the CSS3 Compare Pricing Tables for WordPress plugin through version 11.6 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through specially crafted URLs. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%, 13th percentile) suggests limited real-world attack likelihood despite the XSS vector.

Reflected cross-site scripting (XSS) in ValvePress WordPress Auto Spinner plugin versions up to 3.26.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exploits improper input neutralization during page generation, enabling attackers to steal session tokens, deface content, or redirect users to phishing sites through crafted URLs. No public exploit code has been identified, and exploitation likelihood is assessed as very low (EPSS 0.04%), suggesting this is a low-priority vulnerability despite the XSS classification.

Reflected cross-site scripting (XSS) vulnerability in designthemes Invico WordPress theme version 1.9 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, perform unauthorized actions, or redirect users to malicious sites by crafting specially crafted URLs. No CVSS score has been assigned, but the EPSS exploitation probability is very low at 0.04% (13th percentile), and no public exploit code or active exploitation has been confirmed at time of analysis.

Reflected cross-site scripting (XSS) in the Ofiz WordPress Business Consulting Theme through version 2.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when clicked. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%) suggests limited real-world attack probability despite the vector's potential for user interaction.