Total
37554 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1439 | 1 Tinywebgallery | 1 Advanced Iframe | 2025-07-14 | N/A | 6.4 MEDIUM |
| The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes through the 'src' attribute when the src supplied returns a header with an injected value . This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-25247 | 1 Apache | 1 Felix Webconsole | 2025-07-14 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8. Users are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue. | |||||
| CVE-2025-27888 | 1 Apache | 1 Druid | 2025-07-14 | N/A | 5.4 MEDIUM |
| Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid versions. When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected. Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue. | |||||
| CVE-2025-6050 | 2025-07-14 | N/A | N/A | ||
| Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayable_links_js" function, which fails to properly sanitize blog post titles before including them in JSON responses served via "/admin/displayable_links.js". An authenticated admin user can create a blog post with a malicious JavaScript payload in the title field, then trick another admin user into clicking a direct link to the "/admin/displayable_links.js" endpoint, causing the malicious script to execute in their browser. | |||||
| CVE-2025-41393 | 2025-07-14 | N/A | 6.1 MEDIUM | ||
| Reflected cross-site scripting vulnerability exists in the laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor. If exploited, an arbitrary script may be executed on the web browser of the user who accessed Web Image Monitor. As for the details of affected product names and versions, refer to the information provided by the vendors under [References]. | |||||
| CVE-2024-10880 | 1 Ultimatemember | 1 Jobboardwp | 2025-07-12 | N/A | 6.1 MEDIUM |
| The JobBoardWP – Job Board Listings and Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-11188 | 1 Strategy11 | 1 Formidable Forms | 2025-07-12 | N/A | 6.1 MEDIUM |
| The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to POST-Based Reflected Cross-Site Scripting via the Custom HTML Form parameters in all versions up to, and including, 6.16.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-10519 | 1 Wpfactory | 1 Wishlist For Woocommerce | 2025-07-12 | N/A | 6.1 MEDIUM |
| The Wishlist for WooCommerce: Multi Wishlists Per Customer PRO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wtab' parameter in versions 3.0.8 to 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Note: Only WordPress installations with versions of PHP <=7.4 are affected by this vulnerability. | |||||
| CVE-2024-10101 | 1 Binary-husky | 1 Gpt Academic | 2025-07-11 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in binary-husky/gpt_academic version 3.83. The vulnerability occurs at the /file endpoint, which renders HTML files. Malicious HTML files containing XSS payloads can be uploaded and stored in the backend, leading to the execution of the payload in the victim's browser when the file is accessed. This can result in the theft of session cookies or other sensitive information. | |||||
| CVE-2024-8179 | 1 Gitlab | 1 Gitlab | 2025-07-11 | N/A | 5.4 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled. | |||||
| CVE-2024-13576 | 1 Gumlet | 1 Video | 2025-07-11 | N/A | 6.4 MEDIUM |
| The Gumlet Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gumlet' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5260 | 1 Sinaextra | 1 Sina Extension For Elementor | 2025-07-11 | N/A | 6.4 MEDIUM |
| The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘read_more_text’ parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1529 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-07-11 | N/A | 7.4 HIGH |
| Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially take over their browser session. | |||||
| CVE-2024-22854 | 1 Darktrace | 1 Threat Visualizer | 2025-07-11 | N/A | 6.1 MEDIUM |
| DOM-based HTML injection vulnerability in the main page of Darktrace Threat Visualizer version 6.1.27 (bundle version 61050) and before has been identified. A URL, crafted by a remote attacker and visited by an authenticated user, allows open redirect and potential credential stealing using an injected HTML form. | |||||
| CVE-2024-7606 | 1 Etoilewebdesign | 1 Front End Users | 2025-07-11 | N/A | 6.4 MEDIUM |
| The Front End Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'user-search' shortcode in all versions up to, and including, 3.2.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5062 | 1 Woocommerce | 1 Woocommerce | 2025-07-11 | N/A | 6.1 MEDIUM |
| The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-4594 | 1 Tournamatch | 1 Tournamatch | 2025-07-11 | N/A | 6.4 MEDIUM |
| The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5096 | 1 Tablepress | 1 Tablepress | 2025-07-11 | N/A | 6.4 MEDIUM |
| The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-44998 | 1 Tinyfilemanager Project | 1 Tinyfilemanager | 2025-07-11 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter. | |||||
| CVE-2025-3813 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-07-11 | N/A | 6.4 MEDIUM |
| The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||