Vulnerabilities (CVE)

Filtered by CWE-79
Total 36537 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-2305 1 Brainstormforce 1 Cards For Beaver Builder 2025-01-31 N/A 6.4 MEDIUM
The Cards for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BootstrapCard link in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2226 1 Themeisle 1 Otter Blocks 2025-01-31 N/A 6.4 MEDIUM
The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the id parameter in the google-map block in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access and higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2138 1 Crocoblock 1 Jetwidgets For Elementor 2025-01-31 N/A 6.4 MEDIUM
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Animated Box widget in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2117 1 Elementor 1 Website Builder 2025-01-31 N/A 6.4 MEDIUM
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Path Widget in all versions up to, and including, 3.20.2 due to insufficient output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-24885 2025-01-30 N/A 7.6 HIGH
pwn.college is an education platform to learn about, and practice, core cybersecurity concepts in a hands-on fashion. Missing access control on the rendering of custom (unprivileged) dojo pages allows users to create stored XSS.
CVE-2024-13308 2025-01-30 N/A 3.8 LOW
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Browser Back Button allows Cross-Site Scripting (XSS). This issue affects Browser Back Button: from 1.0.0 before 2.0.2.
CVE-2025-24459 1 Jetbrains 1 Teamcity 2025-01-30 N/A 4.6 MEDIUM
In JetBrains TeamCity before 2024.12.1, reflected XSS was possible on the Vault Connection page.
CVE-2023-30454 1 Ebankit 1 Ebankit 2025-01-30 N/A 6.1 MEDIUM
An issue was discovered in ebankIT before 7. Document Object Model based XSS exists within the /Security/Transactions/Transactions.aspx endpoint. Users can supply their own JavaScript within the ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray POST parameter that will be passed to an eval() function and executed upon pressing the continue button.
CVE-2023-30405 1 Aigital 2 Wireless-n Repeater Mini Router, Wireless-n Repeater Mini Router Firmware 2025-01-30 N/A 5.4 MEDIUM
A cross-site scripting (XSS) vulnerability in Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the wl_ssid parameter at /boafrm/formHomeWlanSetup.
CVE-2023-30205 1 Douphp 1 Douphp 2025-01-30 N/A 4.8 MEDIUM
A stored cross-site scripting (XSS) vulnerability in DouPHP v1.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the unique_id parameter in /admin/article.php.
CVE-2023-30123 1 Wuzhicms 1 Wuzhicms 2025-01-30 N/A 5.4 MEDIUM
wuzhicms v4.1.0 is vulnerable to Cross Site Scripting (XSS) in the Member Center, Account Settings.
CVE-2024-4697 1 Codeless 1 Cowidgets Elementor Addons 2025-01-30 N/A 6.4 MEDIUM
The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘heading_tag’ parameter in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-29643 1 Perfree 1 Perfreeblog 2025-01-30 N/A 5.4 MEDIUM
Cross Site Scripting (XSS) vulnerability in PerfreeBlog 3.1.2 allows attackers to execute arbitrary code via the Post function.
CVE-2023-29641 1 Ipandao 1 Editor.md 2025-01-30 N/A 6.1 MEDIUM
Cross Site Scripting (XSS) vulnerability in pandao editor.md thru 1.5.0 allows attackers to inject arbitrary web script or HTML via crafted markdown text.
CVE-2023-29639 1 Zhenfeng13 My-blog Project 1 Zhenfeng13 My-blog 2025-01-30 N/A 5.4 MEDIUM
Cross site scripting (XSS) vulnerability in ZHENFENG13 My-Blog allows attackers to inject arbitrary web script or HTML via editing an article in the "blog article" page due to the default configuration not utilizing MyBlogUtils.cleanString.
CVE-2024-13509 1 Westguardsolutions 1 Ws Form 2025-01-30 N/A 7.2 HIGH
The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.
CVE-2025-0321 1 Wpmet 1 Elementskit 2025-01-30 N/A 6.4 MEDIUM
The ElementsKit Pro plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.7.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-13527 1 Philantro 1 Philantro 2025-01-30 N/A 6.4 MEDIUM
The Philantro – Donations and Donor Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'donate' in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-31434 1 Evasys 1 Evasys 2025-01-30 N/A 5.4 MEDIUM
The parameters nutzer_titel, nutzer_vn, and nutzer_nn in the user profile, and langID and ONLINEID in direct links, in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 do not validate input, which allows authenticated attackers to inject HTML Code and XSS payloads in multiple locations.
CVE-2023-30792 1 Facebook 1 Lexical 2025-01-30 N/A 6.1 MEDIUM
Anchor tag hrefs in Lexical prior to v0.10.0 would render javascript: URLs, allowing for cross-site scripting on link clicks in cases where input was being parsed from untrusted sources.