Total: 38585 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47931 | 1 Librenms | 1 Librenms | 2025-05-28 | 6.1 Medium |
| LibreNMS is PHP/MySQL/SNMP based network monitoring software. LibreNMS v25.4.0 and prior suffers from a Stored Cross-Site Scripting (XSS) Vulnerability in the `group name` parameter of the `http://localhost/poller/groups` form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. LibreNMS v25.5.0 contains a patch for the issue. | ||||
| CVE-2025-4939 | 1 Phpgurukul | 1 Credit Card Application Management System | 2025-05-28 | 4.3 Medium |
| A vulnerability classified as problematic was found in PHPGurukul Credit Card Application Management System 1.0. This vulnerability affects unknown code of the file /admin/new-ccapplication.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-51106 | 1 Anujk305 | 1 Medical Card Generation System | 2025-05-28 | 4.6 Medium |
| A cross-site scripting (XSS) vulnerability in the component mcgs/admin/aboutus.php of PHPGURUKUL Medical Card Generation System using PHP and MySQL v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the pagetitle parameter. | ||||
| CVE-2024-3669 | 1 Salephpscripts | 1 Web Directory Free | 2025-05-28 | 6.8 Medium |
| The Web Directory Free WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-4096 | 1 Wpdarko | 1 Responsive Tabs | 2025-05-28 | 5.9 Medium |
| The Responsive Tabs WordPress plugin through 4.0.8 does not sanitise and escape some of its Tab settings, which could allow high privilege users such as Contributors and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-5809 | 1 Masdiblogs | 1 Wp Ajax Contact Form | 2025-05-28 | 6.1 Medium |
| The WP Ajax Contact Form WordPress plugin through 2.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin users | ||||
| CVE-2024-6884 | 1 Kadencewp | 1 Gutenberg Blocks With Ai | 2025-05-27 | 5.4 Medium |
| The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.39 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2022-32174 | 1 Gogs | 1 Gogs | 2025-05-27 | 9 Critical |
| In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover. | ||||
| CVE-2024-6158 | 2 Tiptoppress, Zephyrwest | 4 Category Posts, Term-and-category-based-posts, Term And Category Based Posts Widget and 1 more | 2025-05-27 | 4.8 Medium |
| The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Posts" widget settings before outputting them back in a page/post where the Widget is embedded, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-6843 | 1 Webdigit | 2 Chatbot With Chatgpt, Chatbot With Chatgpt Wordpress | 2025-05-27 | 6.1 Medium |
| The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not sanitise and escape user inputs, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins | ||||
| CVE-2022-28979 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-27 | 6.1 Medium |
| Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field. | ||||
| CVE-2023-7230 | 1 Evanliewer | 1 Illi Link Party! | 2025-05-27 | 6.1 Medium |
| The illi Link Party! WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks. | ||||
| CVE-2024-6718 | 1 Freebiesdownload | 1 Pvn Auth Popup | 2025-05-27 | 5.4 Medium |
| The PVN Auth Popup WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-8095 | 1 Ryanchristenson | 1 Babeiz | 2025-05-27 | 6.1 Medium |
| The BabelZ WordPress plugin through 1.1.5 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-8187 | 1 Shapedplugin | 1 Smart Post Show | 2025-05-27 | 4.8 Medium |
| The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-8426 | 1 Pagelayer | 1 Pagelayer | 2025-05-27 | 4.8 Medium |
| The Page Builder: Pagelayer WordPress plugin before 1.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | ||||
| CVE-2024-8618 | 1 Pagelayer | 1 Pagelayer | 2025-05-27 | 4.8 Medium |
| The Page Builder: Pagelayer WordPress plugin before 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2025-3201 | 1 Kaliforms | 1 Kali Forms | 2025-05-27 | 5.9 Medium |
| The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-47378 | 1 Wpcom | 1 Wpcom Member | 2025-05-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPCOM WPCOM Member allows Reflected XSS. This issue affects WPCOM Member: from n/a through 1.5.4. | ||||
| CVE-2023-26771 | 1 Taskcafe Project | 1 Taskcafe | 2025-05-27 | 6.5 Medium |
| Taskcafe 0.3.2 is vulnerable to Cross Site Scripting (XSS). There is a lack of validation in the filetype when uploading an SVG profile picture with an XSS payload in it. An authenticated attacker can exploit this vulnerability by uploading a malicious picture which will trigger the payload when the victim opens the file. | ||||