Total
42029 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-29513 | 1 Nodebb | 1 Nodebb | 2025-04-23 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator. | |||||
| CVE-2023-5243 | 1 Login Screen Manager Project | 1 Login Screen Manager | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Login Screen Manager WordPress plugin through 3.5.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-5229 | 1 E2pdf | 1 E2pdf | 2025-04-23 | N/A | 4.8 MEDIUM |
| The E2Pdf WordPress plugin before 1.20.20 does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2023-4823 | 1 Prasadkirpekar | 1 Wp Meta And Date Remover | 2025-04-23 | N/A | 5.4 MEDIUM |
| The WP Meta and Date Remover WordPress plugin before 2.2.0 provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site Scripting. | |||||
| CVE-2023-4390 | 1 Ays-pro | 1 Popup Box | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-3245 | 1 Premio | 1 Chaty | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-37519 | 1 Hcltech | 1 Bigfix Platform | 2025-04-23 | N/A | 7.7 HIGH |
| Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. This XSS vulnerability is in the Download Status Report, which is served by the BigFix Server. | |||||
| CVE-2022-43369 | 1 Phpgurukul | 1 Auto\/taxi Stand Management System | 2025-04-23 | N/A | 6.1 MEDIUM |
| AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php. | |||||
| CVE-2022-37406 | 1 Ricoh | 2 Aficio Sp 4210n, Aficio Sp 4210n Firmware | 2025-04-23 | N/A | 4.8 MEDIUM |
| Cross-site scripting vulnerability in Aficio SP 4210N firmware versions prior to Web Support 1.05 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script. | |||||
| CVE-2020-36656 | 1 Brainstormforce | 1 Spectra | 2025-04-23 | N/A | 5.4 MEDIUM |
| The Spectra WordPress plugin before 1.15.0 does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks. | |||||
| CVE-2025-3421 | 1 Wpeverest | 1 Everest Forms | 2025-04-23 | N/A | 6.1 MEDIUM |
| The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-4310 | 1 Ofofonobsdev | 1 Hubbank | 2025-04-23 | N/A | 6.3 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover. | |||||
| CVE-2017-18591 | 1 Dev4press | 1 Gd Rating System | 2025-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php. | |||||
| CVE-2025-29710 | 1 Torrahclef | 1 Company Website Cms | 2025-04-23 | N/A | 6.1 MEDIUM |
| SourceCodester Company Website CMS 1.0 is vulnerable to Cross Site Scripting (XSS) via /dashboard/Services. | |||||
| CVE-2023-24203 | 1 Oretnom23 | 1 Simple Customer Relationship Management System | 2025-04-23 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in SourceCodester Simple Customer Relationship Management System v1.0 allows attacker to execute arbitary code via the company or query parameter(s). | |||||
| CVE-2025-29471 | 1 Nagios | 1 Log Server | 2025-04-23 | N/A | 8.3 HIGH |
| Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field. | |||||
| CVE-2024-10680 | 1 10web | 1 Form Maker | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-50175 | 1 Weseek | 1 Growi | 2025-04-23 | N/A | 5.4 MEDIUM |
| Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. | |||||
| CVE-2023-45740 | 1 Weseek | 1 Growi | 2025-04-23 | N/A | 5.4 MEDIUM |
| Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. | |||||
| CVE-2022-46687 | 1 Jenkins | 1 Spring Config | 2025-04-23 | N/A | 5.4 MEDIUM |
| Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. | |||||