Total
38585 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-22714 | 1 Codelyfe | 1 Stupid Simple Cms | 2025-06-20 | 6.1 Medium |
| Stupid Simple CMS <=1.2.4 is vulnerable to Cross Site Scripting (XSS) in the editing section of the article content. | ||||
| CVE-2024-0233 | 1 Myeventon | 1 Eventon | 2025-06-20 | 6.1 Medium |
| The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-7084 | 1 Davidjmiller | 1 Voting Record | 2025-06-20 | 5.4 Medium |
| The Voting Record WordPress plugin through 2.0 is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks | ||||
| CVE-2023-6005 | 1 Myeventon | 1 Eventon | 2025-06-20 | 4.8 Medium |
| The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-51807 | 1 Ofcms Project | 1 Ofcms | 2025-06-20 | 5.4 Medium |
| Cross Site Scripting vulnerability in OFCMS v.1.14 allows a remote attacker to obtain sensitive information via a crafted payload to the title addition component. | ||||
| CVE-2023-48104 | 1 Alinto | 1 Sogo | 2025-06-20 | 6.1 Medium |
| Alinto SOGo before 5.9.1 is vulnerable to HTML Injection. | ||||
| CVE-2025-21616 | 1 Plane | 1 Plane | 2025-06-20 | 5.4 Medium |
| Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image. | ||||
| CVE-2024-50659 | 1 Ipublishmedia | 1 Adportal | 2025-06-20 | 6.1 Medium |
| Cross Site Scripting vulnerability iPublish Media Solutions AdPortal 3.0.39 allows a remote attacker to escalate privileges via the shippingAsBilling parameter in updateuserinfo.html. | ||||
| CVE-2024-23174 | 1 Mediawiki | 1 Mediawiki | 2025-06-20 | 5.4 Medium |
| An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message. | ||||
| CVE-2024-23171 | 1 Mediawiki | 1 Mediawiki | 2025-06-20 | 5.4 Medium |
| An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n). | ||||
| CVE-2023-6941 | 1 Keap | 1 Official Opt-in Forms | 2025-06-20 | 4.8 Medium |
| The Keap Official Opt-in Forms WordPress plugin through 1.0.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). | ||||
| CVE-2023-51064 | 1 Qstar | 1 Archive Storage Manager | 2025-06-20 | 6.1 Medium |
| QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based reflected XSS vulnerability within the component qnme-ajax?method=tree_table. | ||||
| CVE-2023-4757 | 1 Miniorange | 1 Staff \/ Employee Business Directory For Active Directory | 2025-06-20 | 5.4 Medium |
| The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin. | ||||
| CVE-2023-3647 | 1 Indigitall | 1 Iurny | 2025-06-20 | 4.8 Medium |
| The IURNY by INDIGITALL WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-3372 | 1 Lana | 1 Lana Shortcodes | 2025-06-20 | 5.4 Medium |
| The Lana Shortcodes WordPress plugin before 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2023-0479 | 1 Tychesoftwares | 1 Print Invoice \& Delivery Notes For Woocommerce | 2025-06-20 | 6.1 Medium |
| The Print Invoice & Delivery Notes for WooCommerce WordPress plugin before 4.7.2 is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orders page. This means that this vulnerability can be exploited for users with the edit_others_shop_orders capability. WooCommerce must be installed and active. This vulnerability is caused by a urldecode() after cleanup with esc_url_raw(), allowing double encoding. | ||||
| CVE-2022-3829 | 1 Newnine | 1 Font Awesome 4 Menus | 2025-06-20 | 4.8 Medium |
| The Font Awesome 4 Menus WordPress plugin through 4.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2022-3739 | 1 Subina | 1 Wp Best Quiz | 2025-06-20 | 5.4 Medium |
| The WP Best Quiz WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks. | ||||
| CVE-2022-0402 | 1 Super-forms | 1 Super Forms | 2025-06-20 | 6.1 Medium |
| The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bob_czy_panstwa_sprawa_zostala_rozwiazana parameter before outputting it back in an attribute via the super_language_switcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user. | ||||
| CVE-2021-24559 | 1 Patrickposner | 1 Qyrr | 2025-06-20 | 5.4 Medium |
| The Qyrr WordPress plugin before 0.7 does not escape the data-uri of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks. Furthermore, the data_uri_to_meta AJAX action, available to all authenticated users, only had a CSRF check in place, with the nonce available to users with a role as low as Contributor allowing any user with such role (and above) to set a malicious data-uri in arbitrary QR Code posts, leading to a Stored Cross-Site Scripting issue. | ||||