Total
38585 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-10076 | 1 Automattic | 2 Jetpack, Jetpack Boost | 2025-06-04 | 5.9 Medium |
| The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and above users to perform Stored XSS attacks | ||||
| CVE-2024-13238 | 1 Typogrify Project | 1 Typogrify | 2025-06-04 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Typogrify allows Cross-Site Scripting (XSS).This issue affects Typogrify: from 0.0.0 before 1.3.0. | ||||
| CVE-2024-13237 | 1 File Entity Project | 1 File Entity | 2025-06-04 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS).This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38. | ||||
| CVE-2024-8854 | 1 Codepeople | 1 Polls Cp | 2025-06-04 | 5.4 Medium |
| The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup). | ||||
| CVE-2024-8851 | 1 Codepeople | 1 Polls Cp | 2025-06-04 | 5.4 Medium |
| The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup). | ||||
| CVE-2023-5932 | 1 Travelpayouts | 1 Travelpayouts | 2025-06-04 | 4.8 Medium |
| The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-5529 | 1 Pagevisitcounter | 1 Advanced Page Visit Counter | 2025-06-04 | 4.8 Medium |
| The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2025-3742 | 1 Dfactory | 1 Responsive Lightbox | 2025-06-04 | 6.8 Medium |
| The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-2870 | 1 Swiftideas | 1 Swift Framework | 2025-06-04 | 6.1 Medium |
| The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-2696 | 1 Swiftideas | 1 Swift Framework | 2025-06-04 | 4.8 Medium |
| The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-23941 | 1 Group-office | 1 Group Office | 2025-06-04 | 5.4 Medium |
| Cross-site scripting vulnerability exists in Group Office prior to v6.6.182, prior to v6.7.64 and prior to v6.8.31, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product. | ||||
| CVE-2024-23172 | 1 Mediawiki | 1 Mediawiki | 2025-06-04 | 5.4 Medium |
| An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog. | ||||
| CVE-2024-23031 | 1 Eyoucms | 1 Eyoucms | 2025-06-04 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in is_water parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL. | ||||
| CVE-2022-37137 | 1 Techvill | 1 Paymoney | 2025-06-04 | 5.4 Medium |
| PayMoney 3.3 is vulnerable to Stored Cross-Site Scripting (XSS) during replying the ticket. The XSS can be obtain from injecting under "Message" field with "description" parameter with the specially crafted payload to gain Stored XSS. The XSS then will prompt after that or can be access from the view ticket function. | ||||
| CVE-2024-13252 | 1 Tacjs Project | 1 Tacjs | 2025-06-04 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal TacJS allows Cross-Site Scripting (XSS).This issue affects TacJS: from 0.0.0 before 6.5.0. | ||||
| CVE-2025-48483 | 1 Freescout | 1 Freescout | 2025-06-04 | 5.4 Medium |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data during mail signature sanitization. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Additionally, if an administrator accesses one of these emails with a modified signature, it could result in a subsequent Cross-Site Request Forgery (CSRF) vulnerability. This issue has been patched in version 1.8.180. | ||||
| CVE-2025-48484 | 1 Freescout | 1 Freescout | 2025-06-04 | 5.4 Medium |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data in the conversation POST data body. This issue has been patched in version 1.8.178. | ||||
| CVE-2024-13247 | 1 Coffee Project | 1 Coffee | 2025-06-04 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Coffee allows Cross-Site Scripting (XSS).This issue affects Coffee: from 0.0.0 before 1.4.0. | ||||
| CVE-2025-31679 | 1 Ignition Error Pages Project | 1 Ignition Error Pages | 2025-06-04 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Ignition Error Pages allows Cross-Site Scripting (XSS).This issue affects Ignition Error Pages: from 0.0.0 before 1.0.4. | ||||
| CVE-2023-5958 | 1 Wpexperts | 1 Post Smtp | 2025-06-04 | 6.1 Medium |
| The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users. | ||||