ReportizFlow
Filtered by vendor
Subscriptions
Total
35586 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4220 | 2025-05-07 | 6.4 Medium | ||
| The Xavin's List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xls' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-4055 | 2025-05-07 | 6.4 Medium | ||
| The Multiple Post Type Order plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mpto' shortcode in all versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-4054 | 2025-05-07 | 6.1 Medium | ||
| The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up to, and including, 4.24.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the search results. | ||||
| CVE-2025-3860 | 2025-05-07 | 6.4 Medium | ||
| The CarDealerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘saleclass' parameter in all versions up to, and including, 6.7.2504.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-2278 | 1 Themify | 1 Woocommerce Product Filter | 2025-05-07 | 6.1 Medium |
| Themify WordPress plugin before 1.4.4 does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-1274 | 1 Joedolson | 1 My Calendar | 2025-05-07 | 5.4 Medium |
| The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin) | ||||
| CVE-2024-10704 | 2 10web, Photo Gallery By 10web Wordpress | 2 Photo Gallery, Photo Gallery By 10web Wordpress | 2025-05-07 | 4.8 Medium |
| The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-10980 | 2 Bdthemes, Element Pack Elementor Addons Wordpress | 2 Element Pack, Element Pack Elementor Addons Wordpress | 2025-05-07 | 5.4 Medium |
| The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of its Cookie Consent block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-10551 | 2 Sanil, Sticky Social Icons | 2 Sticky Social Icons, Sticky Social Icons | 2025-05-07 | 4.8 Medium |
| The Sticky Social Icons WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-11183 | 2 Rumspeed, Simple Side Tab | 2 Simple Side Tab, Simple Side Tab | 2025-05-07 | 4.8 Medium |
| The Simple Side Tab WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-9651 | 1 Fluentforms | 1 Contact Form | 2025-05-07 | 6.1 Medium |
| The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-45986 | 2 Online Voting System Project, Projectworlds | 2 Online Voting System, Online Voting System Project | 2025-05-07 | 5.4 Medium |
| A stored Cross-Site Scripting (XSS) vulnerability was identified in Projectworld Online Voting System 1.0 that occurs when an account is registered with a malicious javascript payload. The payload is stored and subsequently executed in the voter.php and profile.php pages whenever the account information is accessed. | ||||
| CVE-2023-6081 | 1 Chartjs Project | 1 Chartjs | 2025-05-07 | 5.4 Medium |
| The chartjs WordPress plugin through 2023.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2022-3420 | 1 Official Integration For Billingo Project | 1 Official Integration For Billingo | 2025-05-07 | 4.8 Medium |
| The Official Integration for Billingo WordPress plugin before 3.4.0 does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2022-3408 | 1 Redlettuce | 1 Wp Word Count | 2025-05-07 | 4.8 Medium |
| The WP Word Count WordPress plugin through 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | ||||
| CVE-2024-45967 | 1 Pagekit | 1 Pagekit | 2025-05-07 | 4.7 Medium |
| Pagekit 1.0.18 is vulnerable to Cross Site Scripting (XSS) in index.php/admin/site/widget. | ||||
| CVE-2024-28150 | 1 Jenkins | 1 Html Publisher | 2025-05-06 | 4.7 Medium |
| Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2024-28149 | 2 Jenkins, Redhat | 2 Html Publisher, Ocp Tools | 2025-05-06 | 6.5 Medium |
| Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists. | ||||
| CVE-2022-40290 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | 6.1 Medium |
| The application was vulnerable to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the barcode generation functionality, allowing attackers to generate an unsafe link that could compromise users. | ||||
| CVE-2022-40289 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | 9 Critical |
| The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files. | ||||