Total
36538 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9238 | 1 Grandplugins | 1 Avif Uploader | 2025-06-12 | N/A | 5.4 MEDIUM |
| The AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
| CVE-2024-8702 | 1 Wpproking | 1 Backup Database | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-44108 | 1 Flatpress | 1 Flatpress | 2025-06-12 | N/A | 4.8 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then stored persistently. | |||||
| CVE-2025-2929 | 1 Tychesoftwares | 1 Order Delivery Date For Woocommerce | 2025-06-12 | N/A | 7.1 HIGH |
| The Order Delivery Date WordPress plugin before 12.4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2025-3582 | 1 Thenewsletterplugin | 1 Newsletter | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-5796 | 1 Code-projects | 1 Simple Laundry System | 2025-06-12 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in code-projects Laundry System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /data/edit_type.php. The manipulation of the argument Type leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-5797 | 1 Code-projects | 1 Simple Laundry System | 2025-06-12 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in code-projects Laundry System 1.0 and classified as problematic. This issue affects some unknown processing of the file /data/insert_type.php. The manipulation of the argument Type leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3581 | 1 Thenewsletterplugin | 1 Newsletter | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-4652 | 1 Broadstreetads | 1 Broadstreet | 2025-06-12 | N/A | 6.1 MEDIUM |
| The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2025-5879 | 2025-06-12 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability, which was classified as problematic, was found in WuKongOpenSource WukongCRM 9.0. This affects an unknown part of the file AdminSysConfigController.java of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-47598 | 2025-06-12 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in click5 History Log by click5 allows Stored XSS. This issue affects History Log by click5: from n/a through 1.0.13. | |||||
| CVE-2025-31057 | 2025-06-12 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player allows Reflected XSS. This issue affects Universal Video Player: from n/a through 1.4.0. | |||||
| CVE-2025-46178 | 2025-06-12 | N/A | 6.1 MEDIUM | ||
| Cross-Site Scripting (XSS) vulnerability exists in askquery.php via the eid parameter in the CloudClassroom PHP Project. This allows remote attackers to inject arbitrary JavaScript in the context of a victim s browser session by sending a crafted URL, leading to session hijacking or defacement. | |||||
| CVE-2025-31426 | 2025-06-12 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Sticky Radio Player allows Reflected XSS. This issue affects Sticky Radio Player: from n/a through 3.4. | |||||
| CVE-2025-49130 | 2025-06-12 | N/A | N/A | ||
| Laravel Translation Manager is a package to manage Laravel translation files. Prior to version 0.6.8, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Only authenticated users with access to the translation manager are impacted. The issue is fixed in version 0.6.8. | |||||
| CVE-2025-5884 | 2025-06-12 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability, which was classified as problematic, was found in Konica Minolta bizhub up to 20250202. This affects an unknown part of the component Display MFP Information List. The manipulation of the argument Model Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-45002 | 2025-06-12 | N/A | 5.4 MEDIUM | ||
| Vigybag v1.0 and before is vulnerable to Cross Site Scripting (XSS) via the upload profile picture function under my profile. | |||||
| CVE-2025-31058 | 2025-06-12 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Revolution Video Player allows Reflected XSS. This issue affects Revolution Video Player: from n/a through 2.9.2. | |||||
| CVE-2025-48062 | 2025-06-12 | N/A | 7.1 HIGH | ||
| Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`. | |||||
| CVE-2025-45055 | 2025-06-12 | N/A | 5.4 MEDIUM | ||
| Silverpeas 6.4.2 contains a stored cross-site scripting (XSS) vulnerability in the event management module. An authenticated user can upload a malicious SVG file as an event attachment, which, when viewed by an administrator, executes embedded JavaScript in the admin's session. This allows attackers to escalate privileges by creating a new administrator account. The vulnerability arises from insufficient sanitization of SVG files and weak CSRF protections. | |||||