Vulnerabilities (CVE)

Filtered by CWE-79
Total 38546 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-5809 1 Masdiblogs 1 Wp Ajax Contact Form 2025-05-28 N/A 6.1 MEDIUM
The WP Ajax Contact Form WordPress plugin through 2.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin users
CVE-2024-6884 1 Kadencewp 1 Gutenberg Blocks With Ai 2025-05-27 N/A 5.4 MEDIUM
The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.39 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2022-32174 1 Gogs 1 Gogs 2025-05-27 N/A 9.0 CRITICAL
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
CVE-2024-6158 2 Tiptoppress, Zephyrwest 2 Term And Category Based Posts Widget, Category Posts Widget 2025-05-27 N/A 4.8 MEDIUM
The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Posts" widget settings before outputting them back in a page/post where the Widget is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-6843 1 Webdigit 1 Chatbot With Chatgpt 2025-05-27 N/A 6.1 MEDIUM
The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not sanitise and escape user inputs, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins
CVE-2022-28979 1 Liferay 3 Digital Experience Platform, Dxp, Liferay Portal 2025-05-27 N/A 6.1 MEDIUM
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.
CVE-2023-7230 1 Evanliewer 1 Illi Link Party\! 2025-05-27 N/A 6.1 MEDIUM
The illi Link Party! WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks.
CVE-2024-6718 1 Freebiesdownload 1 Pvn Auth Popup 2025-05-27 N/A 5.4 MEDIUM
The PVN Auth Popup WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2024-8095 1 Ryanchristenson 1 Babeiz 2025-05-27 N/A 6.1 MEDIUM
The BabelZ WordPress plugin through 1.1.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-8187 1 Shapedplugin 1 Smart Post Show 2025-05-27 N/A 4.8 MEDIUM
The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-8426 1 Pagelayer 1 Pagelayer 2025-05-27 N/A 4.8 MEDIUM
The Page Builder: Pagelayer WordPress plugin before 1.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
CVE-2024-8618 1 Pagelayer 1 Pagelayer 2025-05-27 N/A 4.8 MEDIUM
The Page Builder: Pagelayer WordPress plugin before 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-3201 1 Kaliforms 1 Kali Forms 2025-05-27 N/A 5.9 MEDIUM
The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.
CVE-2024-47378 1 Wpcom 1 Wpcom Member 2025-05-27 N/A 7.1 HIGH
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPCOM WPCOM Member allows Reflected XSS.This issue affects WPCOM Member: from n/a through 1.5.4.
CVE-2023-26771 1 Taskcafe Project 1 Taskcafe 2025-05-27 N/A 6.5 MEDIUM
Taskcafe 0.3.2 is vulnerable to Cross Site Scripting (XSS). There is a lack of validation in the filetype when uploading a SVG profile picture with a XSS payload on it. An authenticated attacker can exploit this vulnerability by uploading a malicious picture which will trigger the payload when the victim opens the file.
CVE-2022-37246 1 Craftcms 1 Craft Cms 2025-05-27 N/A 5.4 MEDIUM
Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label.
CVE-2022-28978 1 Liferay 3 Digital Experience Platform, Dxp, Liferay Portal 2025-05-27 N/A 5.4 MEDIUM
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name.
CVE-2024-46333 1 Piwigo 1 Piwigo 2025-05-27 N/A 4.8 MEDIUM
An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter under the Add Album function.
CVE-2024-43151 1 Brainstormforce 1 Ultimate Addons For Beaver Builder 2025-05-27 N/A 6.5 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder – Lite allows Stored XSS.This issue affects Ultimate Addons for Beaver Builder – Lite: from n/a through 1.5.9.
CVE-2024-43156 1 Addonmaster 1 Post Grid Master 2025-05-27 N/A 7.1 HIGH
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AddonMaster Post Grid Master allows Reflected XSS.This issue affects Post Grid Master: from n/a through 3.4.10.