Total: 37569 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2025-3219 | | | 2025-04-07 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in CodeCanyon Perfex CRM 3.2.1. It has been classified as problematic. Affected is an unknown function of the file /perfex/clients/project/2 of the component Project Discussions Module. The manipulation of the argument description leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
CVE-2025-32136 | | | 2025-04-07 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in activecampaign ActiveCampaign allows Stored XSS. This issue affects ActiveCampaign: from n/a through 8.1.16. |
CVE-2025-32195 | | | 2025-04-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart allows Stored XSS. This issue affects Ecwid Shopping Cart: from n/a through 7.0. |
CVE-2025-32193 | | | 2025-04-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMinds Simple WP Events allows Stored XSS. This issue affects Simple WP Events: from n/a through 1.8.17. |
CVE-2025-31389 | | | 2025-04-07 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sequel.Io Sequel allows Reflected XSS. This issue affects Sequel: from n/a through 1.0.11. |
CVE-2025-32129 | | | 2025-04-07 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc. Welcome Bar allows Stored XSS. This issue affects Welcome Bar: from n/a through 2.0.4. |
CVE-2025-32169 | | | 2025-04-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suresh Prasad Showeblogin Social allows DOM-Based XSS. This issue affects Showeblogin Social: from n/a through 7.0. |
CVE-2025-2544 | | | 2025-04-07 | N/A | 6.4 MEDIUM | The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. |
CVE-2025-2889 | | | 2025-04-07 | N/A | 6.4 MEDIUM | The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Additional Parameters in all versions up to, and including, 7.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
CVE-2023-29839 | 1 Digitaldruid | 1 Hoteldruid | 2025-04-07 | N/A | 5.4 MEDIUM | A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function. |
CVE-2024-2200 | 1 Bestwebsoft | 1 Contact Form | 2025-04-07 | N/A | 6.1 MEDIUM | The Contact Form by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `cntctfrm_contact_subject` parameter in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
CVE-2024-6497 | 1 Squirrly | 1 Seo Plugin By Squirrly Seo | 2025-04-05 | N/A | 8.8 HIGH | The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `url` parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
CVE-2024-4455 | 1 Yithemes | 1 Yith Woocommerce Ajax Search | 2025-04-04 | N/A | 7.2 HIGH | The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `item` parameter in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
CVE-2022-40704 | 1 Phoronix-media | 1 Phoronix Test Suite | 2025-04-04 | N/A | 6.1 MEDIUM | An XSS vulnerability was found in phoromatic_r_add_test_details.php in phoronix-test-suite. |
CVE-2024-51994 | 1 Combodo | 1 Itop | 2025-04-04 | N/A | 5.4 MEDIUM | Combodo iTop is a web based IT Service Management tool. In affected versions, uploading a text file containing some JavaScript in the portal will trigger a Cross-site Scripting (XSS) vulnerability. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2024-50991 | 1 Phpgurukul | 1 User Management System | 2025-04-04 | N/A | 4.8 MEDIUM | A Cross Site Scripting (XSS) vulnerability was found in /ums-sp/admin/registered-users.php in PHPGurukul User Management System v1.0, which allows remote attackers to execute arbitrary code via the `fname` POST request parameter. |
CVE-2020-11023 | 7 Debian, Drupal, Fedoraproject and 4 more | 60 Debian Linux, Drupal, Fedora and 57 more | 2025-04-04 | 4.3 MEDIUM | 6.9 MEDIUM | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing `<option>` elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
CVE-2022-4480 | 1 Holithemes | 1 Click To Chat | 2025-04-04 | N/A | 5.4 MEDIUM | The Click to Chat WordPress plugin before 3.18.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. |
CVE-2024-1134 | 1 Seopress | 1 Seopress | 2025-04-04 | N/A | 6.4 MEDIUM | The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SEO title and description parameters as well as others in all versions up to, and including, 7.5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
CVE-2023-23637 | 1 Unistra | 1 Impatient | 2025-04-04 | N/A | 7.6 HIGH | IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information. |