Total
36538 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4256 | 1 Seacms | 1 Seacms | 2025-06-12 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic was found in SeaCMS 13.2. This vulnerability affects unknown code of the file /admin_paylog.php. The manipulation of the argument cstatus leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-12595 | 1 Mitchelllevy | 1 Ahathat | 2025-06-12 | N/A | 4.7 MEDIUM |
| The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | |||||
| CVE-2024-11645 | 1 Computy | 1 Float Block | 2025-06-12 | N/A | 4.8 MEDIUM |
| The float block WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-11605 | 1 Wp-publications Project | 1 Wp-publications | 2025-06-12 | N/A | 4.8 MEDIUM |
| The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-10103 | 1 Automattic | 1 Mailpoet | 2025-06-12 | N/A | 6.1 MEDIUM |
| In the process of testing the MailPoet WordPress plugin before 5.3.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor | |||||
| CVE-2024-6270 | 1 Community Events Project | 1 Community Events | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Community Events WordPress plugin before 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-12736 | 1 Bu | 1 Bu Section Editing | 2025-06-12 | N/A | 6.1 MEDIUM |
| The BU Section Editing WordPress plugin through 0.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-11606 | 1 Tabs Shortcode Project | 1 Tabs Shortcode | 2025-06-12 | N/A | 5.3 MEDIUM |
| The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2025-43926 | 1 Znuny | 1 Znuny | 2025-06-12 | N/A | 6.1 MEDIUM |
| An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings. | |||||
| CVE-2024-9236 | 1 Radiustheme | 1 Team - Wordpress Team Members Showcase | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-47786 | 1 Emlog | 1 Emlog | 2025-06-12 | N/A | 4.8 MEDIUM |
| Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not validated and is directly stored in the `admin_commend_perpage_num` field of the `emlog_options` table in the database. Moreover, the output is not filtered, resulting in the direct output of malicious code. As of time of publication, it is unclear if a patch exists. | |||||
| CVE-2025-1454 | 1 Ninja Pages Project | 1 Ninja Pages | 2025-06-12 | N/A | 5.4 MEDIUM |
| The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-1286 | 1 Sfarbota | 1 Download Html Tinymce Button | 2025-06-12 | N/A | 6.1 MEDIUM |
| The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-9182 | 1 Wpmaspik | 1 Maspik | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2025-1033 | 1 Danielpowney | 1 Badgearoo | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-0329 | 1 Quantumcloud | 1 Wpbot | 2025-06-12 | N/A | 4.8 MEDIUM |
| The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-9882 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-8759 | 1 Kylephillips | 1 Nested Pages | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-9663 | 1 Toolstack | 1 Cyan Backup | 2025-06-12 | N/A | 5.4 MEDIUM |
| The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-9662 | 1 Toolstack | 1 Cyan Backup | 2025-06-12 | N/A | 5.4 MEDIUM |
| The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||