Vulnerabilities (CVE)

Filtered by CWE-79
Total 36767 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-26061 1 Nokia 1 Netact 2025-02-04 N/A 6.8 MEDIUM
An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
CVE-2023-26059 1 Nokia 1 Netact 2025-02-04 N/A 6.8 MEDIUM
An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user.
CVE-2023-25347 1 Churchcrm 1 Churchcrm 2025-02-04 N/A 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" Input Field in EventEditor.php.
CVE-2023-25314 1 Wwbn 1 Avideo 2025-02-04 N/A 6.1 MEDIUM
Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user.
CVE-2023-0424 1 Ms-reviews Project 1 Ms-reviews 2025-02-04 N/A 5.4 MEDIUM
The MS-Reviews WordPress plugin through 1.5 does not sanitise and escape reviews, which could allow users any authenticated users, such as Subscribers to perform Stored Cross-Site Scripting attacks
CVE-2023-0418 1 Video Central Project 1 Video Central 2025-02-04 N/A 5.4 MEDIUM
The Video Central for WordPress plugin through 1.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2022-28354 1 Mybb 1 Active Threads 2025-02-04 N/A 6.1 MEDIUM
In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period.
CVE-2024-12624 1 Sinaextra 1 Sina Extension For Elementor 2025-02-04 N/A 6.4 MEDIUM
The Sina Extension for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Image Differ widget in all versions up to, and including, 3.5.91 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-5036 1 Sinaextra 1 Sina Extension For Elementor 2025-02-04 N/A 6.4 MEDIUM
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-3550 1 Getshortcodes 1 Shortcodes Ultimate 2025-02-04 N/A 6.4 MEDIUM
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 7.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-5260 1 Sinaextra 1 Sina Extension For Elementor 2025-02-04 N/A 6.4 MEDIUM
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘read_more_text’ parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-4373 1 Sinaextra 1 Sina Extension For Elementor 2025-02-04 N/A 6.4 MEDIUM
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Particle Layer widget in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-4333 1 Sinaextra 1 Sina Extension For Elementor 2025-02-04 N/A 6.4 MEDIUM
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via several parameters in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-13642 1 Motopress 1 Stratum 2025-02-04 N/A 6.4 MEDIUM
The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Hotspot widget in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-24686 1 Metagauss 1 Registrationmagic 2025-02-04 N/A 7.1 HIGH
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss User Registration Forms RegistrationMagic allows Reflected XSS. This issue affects RegistrationMagic: from n/a through 6.0.3.3.
CVE-2024-3747 1 Creativethemes 1 Blocksy 2025-02-04 N/A 6.4 MEDIUM
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the className parameter in the About Me block in all versions up to, and including, 2.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-30186 1 Bdthemes 1 Prime Slider 2025-02-04 N/A 6.5 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Prime Slider – Addons For Elementor allows Stored XSS.This issue affects Prime Slider – Addons For Elementor: from n/a through 3.13.1.
CVE-2024-1767 1 Creativethemes 1 Blocksy 2025-02-04 N/A 6.4 MEDIUM
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes like 'className' and 'radius'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-43317 1 Metagauss 1 Registrationmagic 2025-02-04 N/A 4.3 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Metagauss User Registration Team RegistrationMagic allows Cross-Site Scripting (XSS).This issue affects RegistrationMagic: from n/a through 6.0.1.0.
CVE-2025-24602 2025-02-04 N/A 7.1 HIGH
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP24 WP24 Domain Check allows Reflected XSS. This issue affects WP24 Domain Check: from n/a through 1.10.14.