Total
40256 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14691 | 2025-12-15 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete." | |||||
| CVE-2025-8687 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-13740 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The Lightweight Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `lightweight-accordion` shortcode in all versions up to, and including, 1.5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-8780 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Hero Header and Pricing Table widgets in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-7960 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Slider, Pricing Calculator, and Image Accordion widgets in all versions up to, and including, 51.1.39 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-13367 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-13728 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The FluentAuth – The Ultimate Authorization & Security Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fluent_auth_reset_password` shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-12077 | 2025-12-15 | N/A | 6.1 MEDIUM | ||
| The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-9488 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-11376 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_loop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-13705 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The Custom Frames plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'customframe' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-8617 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-14387 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-12076 | 2025-12-15 | N/A | 6.1 MEDIUM | ||
| The Social Media Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage parameter in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-13608 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-9873 | 2025-12-15 | N/A | 6.4 MEDIUM | ||
| The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-43826 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-15 | N/A | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allow remote attackers to inject arbitrary web script or HTML via any rich text field in a web content article. | |||||
| CVE-2025-43779 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-15 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinitionsPortlet_productTypeName parameter. This malicious payload is then reflected and executed within the user's browser. | |||||
| CVE-2025-43807 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-15 | N/A | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a publication’s “Name” text field. | |||||
| CVE-2025-43821 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-15 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field. | |||||