Total
37727 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48470 | 1 Advantech | 6 Wise-4010lan, Wise-4010lan Firmware, Wise-4050lan and 3 more | 2025-07-09 | N/A | 4.1 MEDIUM |
| Successful exploitation of the stored cross-site scripting vulnerability could allow an attacker to inject malicious scripts into device fields and executed in other users’ browser, potentially leading to session hijacking, defacement, credential theft, or privilege escalation. | |||||
| CVE-2024-4869 | 1 Wpeka | 1 Wp Cookie Consent | 2025-07-09 | N/A | 7.2 HIGH |
| The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-57605 | 1 Thedaylightstudio | 1 Fuel Cms | 2025-07-09 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Daylight Studio Fuel CMS v.1.5.2 allows an attacker to escalate privileges via the /fuel/blocks/ and /fuel/pages components. | |||||
| CVE-2024-32568 | 1 Melapress | 1 Wp 2fa | 2025-07-09 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP 2FA allows Reflected XSS.This issue affects WP 2FA: from n/a through 2.6.2. | |||||
| CVE-2025-25957 | 1 Xunruicms | 1 Xunruicms | 2025-07-09 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerabilities in Xunruicms v.4.6.3 and before allows a remote attacker to escalate privileges via a crafted script. | |||||
| CVE-2024-2299 | 1 Lollms | 1 Lollms Web Ui | 2025-07-09 | N/A | 6.1 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability is remotely exploitable via Cross-Site Request Forgery (CSRF), allowing attackers to perform actions on behalf of authenticated users and potentially leading to unauthorized access to sensitive information within the Lollms-webui application. | |||||
| CVE-2025-26877 | 1 Etoilewebdesign | 1 Front End Users | 2025-07-09 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Front End Users allows Stored XSS. This issue affects Front End Users: from n/a through 3.2.30. | |||||
| CVE-2024-1602 | 1 Lollms | 1 Lollms Web Ui | 2025-07-09 | N/A | 6.1 MEDIUM |
| parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to send a request to the `/execute_code` endpoint and establish a reverse shell to the attacker's host. The issue affects various components of the application, including the handling of user input and model output. | |||||
| CVE-2024-2457 | 1 Wow-company | 1 Modal Window | 2025-07-09 | N/A | 6.4 MEDIUM |
| The Modal Window – create popup modal window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 5.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-11252 | 1 Heateor | 1 Sassy Social Share | 2025-07-09 | N/A | 6.1 MEDIUM |
| The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.69 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-6244 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2025-07-09 | N/A | 6.4 MEDIUM |
| The Essential Addons for Elementor – Popular Elementor Templates and Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the via `Calendar` And `Business Reviews` Widgets attributes in all versions up to, and including, 6.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-11453 | 1 Gsplugins | 1 Gs Pinterest Portfolio | 2025-07-09 | N/A | 6.4 MEDIUM |
| The WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_pin_widget' shortcode in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-6743 | 1 Xtemos | 1 Woodmart | 2025-07-09 | N/A | 6.4 MEDIUM |
| The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiple_markers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-7182 | 1 Itsourcecode | 1 Student Transcript Processing System | 2025-07-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/modules/subject/edit.php. The manipulation of the argument pre leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-11897 | 1 Mightyforms | 1 Mightyforms | 2025-07-09 | N/A | 6.4 MEDIUM |
| The Contact Form, Survey & Form Builder – MightyForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mightyforms' shortcode in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-6978 | 1 Astoundify | 1 Wp Job Manager | 2025-07-09 | N/A | 6.1 MEDIUM |
| The WP Job Manager – Company Profiles plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'company' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-10178 | 1 Gutentor | 1 Gutentor | 2025-07-09 | N/A | 6.4 MEDIUM |
| The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-9769 | 1 Total-soft | 1 Video Gallery | 2025-07-09 | N/A | 4.4 MEDIUM |
| The Video Gallery – Best WordPress YouTube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2025-48270 | 1 Sktthemes | 1 Skt Blocks | 2025-07-09 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks allows DOM-Based XSS. This issue affects SKT Blocks: from n/a through 2.2. | |||||
| CVE-2025-48263 | 1 Multivendorx | 1 Multivendorx | 2025-07-09 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX MultiVendorX allows Stored XSS. This issue affects MultiVendorX: from n/a through 4.2.22. | |||||