Total
36767 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-13572 | 1 Nfusionsolutions | 1 Precious Metals Charts And Widgets | 2025-02-05 | N/A | 6.4 MEDIUM |
The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-53266 | 2025-02-04 | N/A | 4.3 MEDIUM | ||
Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled. | |||||
CVE-2025-22602 | 2025-02-04 | N/A | 6.5 MEDIUM | ||
Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP. | |||||
CVE-2024-56328 | 2025-02-04 | N/A | 6.5 MEDIUM | ||
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP, disable inline Oneboxes globally, or allow specific domains for Oneboxing. | |||||
CVE-2024-40700 | 2025-02-04 | N/A | 6.1 MEDIUM | ||
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
CVE-2023-0542 | 1 Blackbirdi | 1 Custom Post Type List Shortcode | 2025-02-04 | N/A | 5.4 MEDIUM |
The Custom Post Type List Shortcode WordPress plugin through 1.4.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
CVE-2023-0514 | 1 Membership Database Project | 1 Membership Database | 2025-02-04 | N/A | 6.1 MEDIUM |
The Membership Database WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
CVE-2023-0280 | 1 Topdigitaltrends | 1 Ultimate Carousel For Elementor | 2025-02-04 | N/A | 5.4 MEDIUM |
The Ultimate Carousel For Elementor WordPress plugin through 2.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
CVE-2020-35730 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2025-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. | |||||
CVE-2024-1510 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2025-02-04 | N/A | 6.4 MEDIUM |
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_tooltip shortcode in all versions up to, and including, 7.0.2 due to insufficient input sanitization and output escaping on user supplied attributes and user supplied tags. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-1081 | 1 3dflipbook | 1 3d Flipbook | 2025-02-04 | N/A | 6.4 MEDIUM |
The 3D FlipBook – PDF Flipbook WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bookmark feature in all versions up to, and including, 1.15.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-29113 | 1 Metagauss | 1 Registrationmagic | 2025-02-04 | N/A | 7.1 HIGH |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS.This issue affects RegistrationMagic: from n/a through 5.2.5.9. | |||||
CVE-2025-0350 | 1 Elegantthemes | 1 Carousel Maker For Divi | 2025-02-04 | N/A | 6.4 MEDIUM |
The Divi Carousel Maker – Image, Logo, Testimonial, Post Carousel & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Carousel and Logo Carousel in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-57498 | 2025-02-04 | N/A | 4.8 MEDIUM | ||
Cross Site Scripting vulnerability in sayski ForestBlog 20241223 allows a remote attacker to escalate privileges via the article editing function. | |||||
CVE-2023-0948 | 1 Artisanworkshop | 1 Japanized For Woocommerce | 2025-02-04 | N/A | 6.1 MEDIUM |
The Japanized For WooCommerce WordPress plugin before 2.5.8 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting | |||||
CVE-2024-13441 | 1 Ylefebvre | 1 Bilingual Linker | 2025-02-04 | N/A | 6.4 MEDIUM |
The Bilingual Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bl_otherlang_link_1 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-13458 | 1 Notice | 1 Notice Faq | 2025-02-04 | N/A | 6.4 MEDIUM |
The WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-13467 | 1 Mr-kalathiya | 1 Wp Contect Form7 Email Spam Blocker | 2025-02-04 | N/A | 6.1 MEDIUM |
The WP Contact Form7 Email Spam Blocker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
CVE-2024-12334 | 1 Codexpert | 1 Wc Affiliate | 2025-02-04 | N/A | 6.1 MEDIUM |
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
CVE-2024-13548 | 1 Wppug | 1 Power Ups For Elementor | 2025-02-04 | N/A | 6.4 MEDIUM |
The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |