Total
37630 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27093 | 1 My-blog Project | 1 My-blog | 2025-02-27 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability found in My-Blog allows attackers to cause a denial of service via the Post function. | |||||
| CVE-2025-24438 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-02-27 | N/A | 8.7 HIGH |
| Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. | |||||
| CVE-2023-27069 | 1 Totaljs | 1 Openplatform | 2025-02-27 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the account name field. | |||||
| CVE-2023-0066 | 1 Codeermeneer | 1 Companion Sitemap Generator | 2025-02-27 | N/A | 5.4 MEDIUM |
| The Companion Sitemap Generator WordPress plugin through 4.5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2022-4652 | 1 Pushlabs | 1 Video Background | 2025-02-27 | N/A | 5.4 MEDIUM |
| The Video Background WordPress plugin before 2.7.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2021-27788 | 1 Hcltech | 1 Verse | 2025-02-27 | N/A | 8.3 HIGH |
| HCL Verse is susceptible to a Cross Site Scripting (XSS) vulnerability. By tricking a user into clicking a crafted URL, a remote unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information. | |||||
| CVE-2024-12232 | 1 Code-projects | 1 Simple Crud Functionality | 2025-02-27 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in code-projects Simple CRUD Functionality 1.0 and classified as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument newtitle/newdescr leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-8962 | 1 Wpbits | 1 Wpbits Addons For Elementor Page Builder | 2025-02-27 | N/A | 6.4 MEDIUM |
| The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2025-27108 | 1 Ryansolid | 1 Dom Expressions | 2025-02-27 | N/A | 7.3 HIGH |
| dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of `Meta` tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or `$\`` to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which injects the used assets in the html header. "dom-expressions" uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the open graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could execute arbitrary javascript in the victim's web browser. Moreover, it could be stored and cause more problems. This issue has been addressed in version 0.39.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-27070 | 1 Totaljs | 1 Openplatform | 2025-02-27 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field. | |||||
| CVE-2023-26912 | 1 S-mall-ssm Project | 1 S-mall-ssm | 2025-02-27 | N/A | 4.8 MEDIUM |
| Cross site scripting (XSS) vulnerability in xenv S-mall-ssm thru commit 3d9e77f7d80289a30f67aaba1ae73e375d33ef71 on Feb 17, 2020, allows local attackers to execute arbitrary code via the evaluate button. | |||||
| CVE-2022-48111 | 1 Siri-informatica | 1 Wi400 | 2025-02-27 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the check_login function of SIPE s.r.l WI400 between version 8 and 11 included allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the f parameter. | |||||
| CVE-2024-44042 | 1 Androidbubbles | 1 Wp Datepicker | 2025-02-27 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Fahad Mahmood WP Datepicker allows Stored XSS.This issue affects WP Datepicker: from n/a through 2.1.1. | |||||
| CVE-2024-44045 | 1 Kevonadonis | 1 Wp Abstracts | 2025-02-27 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kevon Adonis WP Abstracts allows Stored XSS.This issue affects WP Abstracts: from n/a through 2.6.5. | |||||
| CVE-2023-23326 | 1 Avantfax | 1 Avantfax | 2025-02-27 | N/A | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session. | |||||
| CVE-2025-23687 | 2025-02-27 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in simonhunter Woo Store Mode allows Reflected XSS. This issue affects Woo Store Mode: from n/a through 1.0.1. | |||||
| CVE-2024-9285 | 2025-02-27 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Tu Yafeng Via Browser up to 5.9.0 on Android. It has been rated as problematic. This issue affects some unknown processing of the component Javascript Bridge. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2024-2765 | 1 Ultimatemember | 1 Ultimate Member | 2025-02-27 | N/A | 5.4 MEDIUM |
| The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-3490 | 1 Bootstrapped | 1 Wp Recipe Maker | 2025-02-27 | N/A | 6.4 MEDIUM |
| The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wprm-recipe-roundup-item shortcode in all versions up to, and including, 9.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-4293 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-02-27 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic was found in PHPGurukul Doctor Appointment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file appointment-bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262225 was assigned to this vulnerability. | |||||