Total
41951 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4172 | 2025-05-05 | N/A | 6.4 MEDIUM | ||
| The VerticalResponse Newsletter Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'verticalresponse' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-46734 | 2025-05-05 | N/A | 6.4 MEDIUM | ||
| league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: 'strip'` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier. | |||||
| CVE-2024-31868 | 1 Apache | 1 Zeppelin | 2025-05-05 | N/A | 6.1 MEDIUM |
| Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and exposure XSS attacks to normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | |||||
| CVE-2017-6511 | 1 Finecms Project | 1 Finecms | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in application/classes/application.php. | |||||
| CVE-2024-0973 | 1 Patelmilap | 1 Widget For Social Page Feeds | 2025-05-05 | N/A | 6.1 MEDIUM |
| The Widget for Social Page Feeds WordPress plugin before 6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-1401 | 1 Awplife | 1 Profile Box Shortcode And Widget | 2025-05-05 | N/A | 4.8 MEDIUM |
| The Profile Box Shortcode And Widget WordPress plugin before 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-7246 | 1 Bowo | 1 System Dashboard | 2025-05-05 | N/A | 5.4 MEDIUM |
| The System Dashboard WordPress plugin before 2.8.10 does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks | |||||
| CVE-2022-43046 | 1 Oretnom23 | 1 Food Ordering Management System | 2025-05-05 | N/A | 4.8 MEDIUM |
| Food Ordering Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /foms/place-order.php. | |||||
| CVE-2024-32206 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | N/A | 4.6 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the component \affiche\admin\index.php of WUZHICMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $formdata parameter. | |||||
| CVE-2024-27757 | 1 Flusity | 1 Flusity | 2025-05-05 | N/A | 6.1 MEDIUM |
| flusity CMS through 2.45 allows tools/addons_model.php Gallery Name XSS. The reporter indicates that this product "ceased its development as of February 2024." | |||||
| CVE-2018-14512 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[nickname] parameter to the index.php?m=core&f=set&v=sendmail URI. When the administrator accesses the "system settings - mail server" screen, the XSS payload is triggered. | |||||
| CVE-2019-9107 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in WUZHI CMS 4.1.0 via index.php?m=attachment&f=imagecut&v=init&imgurl=[XSS] to coreframe/app/attachment/imagecut.php. | |||||
| CVE-2018-10391 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email parameter to the index.php?m=member&v=register URI. | |||||
| CVE-2018-10367 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section. | |||||
| CVE-2019-9109 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in WUZHI CMS 4.1.0 via index.php?m=message&f=message&v=add&username=[XSS] to coreframe/app/message/message.php. | |||||
| CVE-2018-10368 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement. | |||||
| CVE-2020-19770 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the system bulletin component of WUZHI CMS v4.1.0 allows attackers to steal the admin's cookie. | |||||
| CVE-2018-10311 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the tag[pinyin] parameter to the /index.php?m=tags&f=index&v=add URI. | |||||
| CVE-2023-31860 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | N/A | 5.4 MEDIUM |
| Wuzhi CMS v3.1.2 has a storage type XSS vulnerability in the backend of the Five Finger CMS b2b system. | |||||
| CVE-2018-17426 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 3.5 LOW | 5.4 MEDIUM |
| WUZHI CMS 4.1.0 has stored XSS via the "Extension module" "SMS in station" field under the index.php?m=core URI. | |||||