Total
37595 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-12820 | 2025-02-28 | N/A | 6.4 MEDIUM | ||
| The MK Google Directions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'MKGD' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-1171 | 1 Fabianros | 1 Real Estate Property Management System | 2025-02-28 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic was found in code-projects Real Estate Property Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /Admin/CustomerReport.php. The manipulation of the argument Address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-1174 | 1 1000projects | 1 Bookstore Management System | 2025-02-28 | 3.3 LOW | 2.4 LOW |
| A vulnerability has been found in 1000 Projects Bookstore Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file process_book_add.php of the component Add Book Page. The manipulation of the argument Book Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
| CVE-2025-0560 | 1 Campcodes | 1 School Management Software | 2025-02-28 | 3.3 LOW | 2.4 LOW |
| A vulnerability, which was classified as problematic, was found in CampCodes School Management Software 1.0. Affected is an unknown function of the file /photo-gallery of the component Photo Gallery Page. The manipulation of the argument Description leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0559 | 1 Campcodes | 1 School Management Software | 2025-02-28 | 3.3 LOW | 2.4 LOW |
| A vulnerability, which was classified as problematic, has been found in Campcodes School Management Software 1.0. This issue affects some unknown processing of the file /create-id-card of the component Create Id Card Page. The manipulation of the argument ID Card Title leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-27093 | 1 My-blog Project | 1 My-blog | 2025-02-27 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability found in My-Blog allows attackers to cause a denial of service via the Post function. | |||||
| CVE-2025-24438 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-02-27 | N/A | 8.7 HIGH |
| Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. | |||||
| CVE-2023-27069 | 1 Totaljs | 1 Openplatform | 2025-02-27 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the account name field. | |||||
| CVE-2023-0066 | 1 Codeermeneer | 1 Companion Sitemap Generator | 2025-02-27 | N/A | 5.4 MEDIUM |
| The Companion Sitemap Generator WordPress plugin through 4.5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2022-4652 | 1 Pushlabs | 1 Video Background | 2025-02-27 | N/A | 5.4 MEDIUM |
| The Video Background WordPress plugin before 2.7.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2021-27788 | 1 Hcltech | 1 Verse | 2025-02-27 | N/A | 8.3 HIGH |
| HCL Verse is susceptible to a Cross Site Scripting (XSS) vulnerability. By tricking a user into clicking a crafted URL, a remote unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information. | |||||
| CVE-2024-12232 | 1 Code-projects | 1 Simple Crud Functionality | 2025-02-27 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in code-projects Simple CRUD Functionality 1.0 and classified as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument newtitle/newdescr leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-8962 | 1 Wpbits | 1 Wpbits Addons For Elementor Page Builder | 2025-02-27 | N/A | 6.4 MEDIUM |
| The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2025-27108 | 1 Ryansolid | 1 Dom Expressions | 2025-02-27 | N/A | 7.3 HIGH |
| dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of `Meta` tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or `$\`` to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which injects the used assets in the html header. "dom-expressions" uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the open graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could execute arbitrary javascript in the victim's web browser. Moreover, it could be stored and cause more problems. This issue has been addressed in version 0.39.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-27070 | 1 Totaljs | 1 Openplatform | 2025-02-27 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field. | |||||
| CVE-2023-26912 | 1 S-mall-ssm Project | 1 S-mall-ssm | 2025-02-27 | N/A | 4.8 MEDIUM |
| Cross site scripting (XSS) vulnerability in xenv S-mall-ssm thru commit 3d9e77f7d80289a30f67aaba1ae73e375d33ef71 on Feb 17, 2020, allows local attackers to execute arbitrary code via the evaluate button. | |||||
| CVE-2022-48111 | 1 Siri-informatica | 1 Wi400 | 2025-02-27 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the check_login function of SIPE s.r.l WI400 between version 8 and 11 included allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the f parameter. | |||||
| CVE-2024-44042 | 1 Androidbubbles | 1 Wp Datepicker | 2025-02-27 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Fahad Mahmood WP Datepicker allows Stored XSS.This issue affects WP Datepicker: from n/a through 2.1.1. | |||||
| CVE-2024-44045 | 1 Kevonadonis | 1 Wp Abstracts | 2025-02-27 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kevon Adonis WP Abstracts allows Stored XSS.This issue affects WP Abstracts: from n/a through 2.6.5. | |||||
| CVE-2023-23326 | 1 Avantfax | 1 Avantfax | 2025-02-27 | N/A | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session. | |||||