Total
37625 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13128 | 1 Thimpress | 1 Learnpress | 2025-05-22 | N/A | 4.8 MEDIUM |
| The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-4858 | 1 Dlink | 2 Dap-2695, Dap-2695 Firmware | 2025-05-22 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been declared as problematic. This vulnerability affects unknown code of the file /adv_arpspoofing.php of the component ARP Spoofing Prevention Page. The manipulation of the argument harp_mac leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-4859 | 1 Dlink | 2 Dap-2695, Dap-2695 Firmware | 2025-05-22 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been rated as problematic. This issue affects some unknown processing of the file /adv_macbypass.php of the component MAC Bypass Settings Page. The manipulation of the argument f_mac leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-0187 | 1 Peepso | 1 Peepso | 2025-05-22 | N/A | 6.1 MEDIUM |
| The Community by PeepSo WordPress plugin before 6.3.1.2 does not sanitise and escape various parameters and generated URLs before outputting them back attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2023-5124 | 1 Pagelayer | 1 Pagelayer | 2025-05-22 | N/A | 4.8 MEDIUM |
| The Page Builder: Pagelayer WordPress plugin before 1.8.0 doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multi-site WordPress configurations. | |||||
| CVE-2025-4860 | 1 Dlink | 2 Dap-2695, Dap-2695 Firmware | 2025-05-22 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic has been found in D-Link DAP-2695 120b36r137_ALL_en_20210528. Affected is an unknown function of the file /adv_dhcps.php of the component Static Pool Settings Page. The manipulation of the argument f_mac leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-1357 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_timeline shortcode in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping on user supplied attributes such as thumb_mode and date_type. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-52701 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page banner parameter. | |||||
| CVE-2024-46606 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. | |||||
| CVE-2024-46605 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. | |||||
| CVE-2025-3516 | 1 Archetyped | 1 Simple Lightbox | 2025-05-22 | N/A | 5.9 MEDIUM |
| The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2022-40748 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-22 | N/A | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 236586. | |||||
| CVE-2022-40359 | 1 Kfm Project | 1 Kfm | 2025-05-22 | N/A | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in kfm through 1.4.7 via crafted GET request to /kfm/index.php. | |||||
| CVE-2022-3062 | 1 Simplefilelist | 1 Simple-file-list | 2025-05-22 | N/A | 6.1 MEDIUM |
| The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting | |||||
| CVE-2022-3025 | 1 Bitcoin\/altcoin Faucet Project | 1 Bitcoin\/altcoin Faucet | 2025-05-22 | N/A | 5.4 MEDIUM |
| The Bitcoin / Altcoin Faucet WordPress plugin through 1.6.0 does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2024-9545 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_contact_box and aux_gmaps shortcodes in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-12588 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Staff widget in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-12042 | 1 Inspireui | 1 Mstore Api | 2025-05-22 | N/A | 5.4 MEDIUM |
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file. | |||||
| CVE-2024-8486 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in the Modern Heading and Icon Picker widgets all versions up to, and including, 2.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2022-3074 | 1 Quantumcloud | 1 Slider Hero | 2025-05-22 | N/A | 4.8 MEDIUM |
| The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. | |||||