ReportizFlow
Filtered by vendor
Subscriptions
Total
45092 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5473 | 1 Zitscher | 1 Simple Photoswipe | 2025-05-20 | 4.0 Medium |
| The Simple Photoswipe WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-3633 | 1 Rezakhan995 | 1 Webp \& Svg Support | 2025-05-20 | 5.4 Medium |
| The WebP & SVG Support WordPress plugin through 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | ||||
| CVE-2024-4759 | 1 Staude | 1 Mime Types Extended | 2025-05-20 | 5.5 Medium |
| The Mime Types Extended WordPress plugin through 0.11 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | ||||
| CVE-2024-5730 | 2 Mahype, Svenwagener | 2 Pagerank Tools, Pagerank Tools | 2025-05-19 | 6.1 Medium |
| The Pagerank tools WordPress plugin through 1.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-5729 | 1 Alexdtn | 1 Simple Al Slider | 2025-05-19 | 6.1 Medium |
| The Simple AL Slider WordPress plugin through 1.2.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-5728 | 1 Alexdtn | 1 Animated Al List | 2025-05-19 | 5.4 Medium |
| The Animated AL List WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-5727 | 1 Apidaze | 1 Widget4call | 2025-05-19 | 4.7 Medium |
| The Widget4Call WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-30316 | 1 Adobe | 1 Connect | 2025-05-19 | 5.4 Medium |
| Adobe Connect versions 12.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | ||||
| CVE-2025-30315 | 1 Adobe | 1 Connect | 2025-05-19 | 6.1 Medium |
| Adobe Connect versions 12.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | ||||
| CVE-2025-30314 | 1 Adobe | 1 Connect | 2025-05-19 | 6.1 Medium |
| Adobe Connect versions 12.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | ||||
| CVE-2024-6533 | 2 Directus, Monospace | 2 Directus, Directus | 2025-05-19 | 5.4 Medium |
| Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover. | ||||
| CVE-2024-2692 | 1 B3log | 1 Siyuan | 2025-05-19 | 9 Critical |
| SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS. | ||||
| CVE-2024-3851 | 1 Pribai | 1 Privategpt | 2025-05-19 | 5.4 Medium |
| A stored Cross-Site Scripting (XSS) vulnerability exists in the 'imartinez/privategpt' repository due to improper validation of file uploads. Attackers can exploit this vulnerability by uploading malicious HTML files, such as those containing JavaScript payloads, which are then executed in the context of the victim's session when accessed. This could lead to the execution of arbitrary JavaScript code in the context of the user's browser session, potentially resulting in phishing attacks or other malicious actions. The vulnerability affects the latest version of the repository. | ||||
| CVE-2024-5286 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | 4.8 Medium |
| The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-5283 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | 6.1 Medium |
| The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-5282 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | 6.1 Medium |
| The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-5281 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-05-19 | 6.1 Medium |
| The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-3641 | 1 Mndpsingh287 | 1 Newsletter Popup | 2025-05-19 | 6.1 Medium |
| The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins | ||||
| CVE-2024-3644 | 1 Mndpsingh287 | 1 Newsletter Popup | 2025-05-19 | 4.8 Medium |
| The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-6142 | 1 Armanidrisi | 1 Dev Blog | 2025-05-19 | 5.4 Medium |
| Dev blog v1.0 allows to exploit an XSS through an unrestricted file upload, together with a bad entropy of filenames. With this an attacker can upload a malicious HTML file, then guess the filename of the uploaded file and send it to a potential victim. | ||||