Total
37633 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4860 | 1 Dlink | 2 Dap-2695, Dap-2695 Firmware | 2025-05-22 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic has been found in D-Link DAP-2695 120b36r137_ALL_en_20210528. Affected is an unknown function of the file /adv_dhcps.php of the component Static Pool Settings Page. The manipulation of the argument f_mac leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-1357 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_timeline shortcode in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping on user supplied attributes such as thumb_mode and date_type. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-52701 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page banner parameter. | |||||
| CVE-2024-46606 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. | |||||
| CVE-2024-46605 | 1 Piwigo | 1 Piwigo | 2025-05-22 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. | |||||
| CVE-2025-3516 | 1 Archetyped | 1 Simple Lightbox | 2025-05-22 | N/A | 5.9 MEDIUM |
| The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2022-40748 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-22 | N/A | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 236586. | |||||
| CVE-2022-40359 | 1 Kfm Project | 1 Kfm | 2025-05-22 | N/A | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in kfm through 1.4.7 via crafted GET request to /kfm/index.php. | |||||
| CVE-2022-3062 | 1 Simplefilelist | 1 Simple-file-list | 2025-05-22 | N/A | 6.1 MEDIUM |
| The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting | |||||
| CVE-2022-3025 | 1 Bitcoin\/altcoin Faucet Project | 1 Bitcoin\/altcoin Faucet | 2025-05-22 | N/A | 5.4 MEDIUM |
| The Bitcoin / Altcoin Faucet WordPress plugin through 1.6.0 does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2024-9545 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_contact_box and aux_gmaps shortcodes in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-12588 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Staff widget in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-12042 | 1 Inspireui | 1 Mstore Api | 2025-05-22 | N/A | 5.4 MEDIUM |
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file. | |||||
| CVE-2024-8486 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2025-05-22 | N/A | 6.4 MEDIUM |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in the Modern Heading and Icon Picker widgets all versions up to, and including, 2.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2022-3074 | 1 Quantumcloud | 1 Slider Hero | 2025-05-22 | N/A | 4.8 MEDIUM |
| The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. | |||||
| CVE-2022-3070 | 1 Zealousweb | 1 Generate Pdf Using Contact Form 7 | 2025-05-22 | N/A | 4.8 MEDIUM |
| The Generate PDF WordPress plugin before 3.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-3069 | 1 Wordlift | 1 Wordlift | 2025-05-22 | N/A | 4.8 MEDIUM |
| The WordLift WordPress plugin before 3.37.2 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2025-48276 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder allows Stored XSS. This issue affects Visual Composer Website Builder: from n/a through 45.11.0. | |||||
| CVE-2025-48288 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Element Invader ElementInvader Addons for Elementor allows Stored XSS. This issue affects ElementInvader Addons for Elementor: from n/a through 1.3.5. | |||||
| CVE-2025-48232 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Addons For Beaver Builder – Lite allows Stored XSS. This issue affects Xpro Addons For Beaver Builder – Lite: from n/a through 1.5.5. | |||||