ReportizFlow
Filtered by vendor
Subscriptions
Total
45049 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6712 | 1 Acugis | 1 Mapfig Studio | 2025-06-11 | 6.1 Medium |
| The MapFig Studio WordPress plugin through 0.2.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | ||||
| CVE-2024-6713 | 1 Freebiesdownload | 1 Pvn Auth Popup | 2025-06-11 | 4.8 Medium |
| The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-7556 | 1 Missionmike | 1 Simple Share | 2025-06-11 | 4.8 Medium |
| The Simple Share WordPress plugin through 0.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-7759 | 1 Magazine3 | 1 Pwa For Wp \& Amp | 2025-06-11 | 4.8 Medium |
| The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-7761 | 1 Presstigers | 1 Simple Job Board | 2025-06-11 | 6.1 Medium |
| In the process of testing the Simple Job Board WordPress plugin before 2.12.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor | ||||
| CVE-2024-7769 | 1 Clicksold | 1 Clicksold Idx | 2025-06-11 | 4.8 Medium |
| The ClickSold IDX WordPress plugin through 1.90 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-5440 | 1 If-so | 1 Dynamic Content Personalization | 2025-06-11 | 5.4 Medium |
| The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-6335 | 1 Data443 | 1 Tracking Code Manager | 2025-06-11 | 4.8 Medium |
| The Tracking Code Manager WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-6462 | 1 Dyadyalesha | 1 Dl Yandex Metrika | 2025-06-11 | 4.8 Medium |
| The DL Yandex Metrika WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-6478 | 1 Thisfunctional | 1 Ctt Expresso Para Woocommerce | 2025-06-11 | 4.8 Medium |
| The CTT Expresso para WooCommerce WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-45194 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | 4.8 Medium |
| In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.) | ||||
| CVE-2025-22996 | 1 Linksys | 2 E5600, E5600 Firmware | 2025-06-11 | 4.8 Medium |
| A stored cross-site scripting (XSS) vulnerability in the spf_table_content component of Linksys E5600 Router Ver. 1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the desc parameter. | ||||
| CVE-2025-22997 | 1 Linksys | 2 E5600, E5600 Firmware | 2025-06-11 | 4.8 Medium |
| A stored cross-site scripting (XSS) vulnerability in the prf_table_content component of Linksys E5600 Router Ver. 1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the desc parameter. | ||||
| CVE-2024-13865 | 1 S3bubble | 1 S3player | 2025-06-11 | 6.1 Medium |
| The S3Player WordPress plugin through 4.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. | ||||
| CVE-2024-1663 | 1 Texttheater | 1 Ultimate Noindex Nofollow Tool Ii | 2025-06-11 | 4.8 Medium |
| The Ultimate Noindex Nofollow Tool II WordPress plugin before 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-2643 | 1 Premio | 1 My Sticky Bar | 2025-06-11 | 4.8 Medium |
| The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.6.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-3931 | 1 Totara | 2 Enterprise Lms, Totara | 2025-06-10 | 3.5 Low |
| A vulnerability was found in Totara LMS up to 18.7. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin/roles/check.php of the component User Selector. The manipulation of the argument ID Number leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 and 18.8 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2024-28725 | 1 Yzmcms | 1 Yzmcms | 2025-06-10 | 7.1 High |
| Cross Site Scripting (XSS) vulnerability in YzmCMS 7.0 allows attackers to run arbitrary code via Ads Management, Carousel Management, and System Settings. | ||||
| CVE-2025-45755 | 1 Vtiger | 1 Vtiger Crm | 2025-06-10 | 6.1 Medium |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution. | ||||
| CVE-2025-5726 | 1 Razormist | 1 Student Result Management System | 2025-06-10 | 2.4 Low |
| A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /script/academic/division-system of the component Division System Page. The manipulation of the argument Division leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||