Total
37669 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11108 | 1 Cryoutcreations | 1 Serious Slider | 2025-05-14 | N/A | 5.4 MEDIUM |
| The Serious Slider WordPress plugin before 1.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-8968 | 1 Maxfoundry | 1 Maxbuttons | 2025-05-14 | N/A | 4.7 MEDIUM |
| The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-42069 | 1 Oretnom23 | 1 Online Birth Certificate Management System | 2025-05-14 | N/A | 5.4 MEDIUM |
| Online Birth Certificate Management System version 1.0 suffers from a persistent Cross Site Scripting (XSS) vulnerability. | |||||
| CVE-2022-42066 | 1 Projectworlds | 1 Online Examination System | 2025-05-14 | N/A | 6.1 MEDIUM |
| Online Examination System version 1.0 suffers from a cross site scripting vulnerability via index.php. | |||||
| CVE-2022-3149 | 1 Wp Custom Cursors Project | 1 Wp Custom Cursors | 2025-05-14 | N/A | 6.1 MEDIUM |
| The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting | |||||
| CVE-2022-3139 | 1 Designextreme | 1 We\'re Open | 2025-05-14 | N/A | 4.8 MEDIUM |
| The We’re Open! WordPress plugin before 1.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-9638 | 1 Zephyrwest | 1 Category Posts Widget | 2025-05-14 | N/A | 4.8 MEDIUM |
| The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-45985 | 1 Varunsardana004 | 1 Blood Bank And Donation Management System | 2025-05-14 | N/A | 4.7 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in update_contact.php of Blood Bank and Donation Management System v1.0 allows an attacker to inject malicious scripts via the name parameter of the update_contact.php | |||||
| CVE-2024-45984 | 1 Varunsardana004 | 1 Blood Bank And Donation Management System | 2025-05-14 | N/A | 4.7 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in add_donor.php of Blood Bank And Donation Management System 1.0 allows an attacker to inject malicious scripts that will be executed when the Donor List is viewed. | |||||
| CVE-2024-10151 | 1 Toolstack | 1 Auto Iframe | 2025-05-14 | N/A | 5.4 MEDIUM |
| The Auto iFrame WordPress plugin before 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-12585 | 1 Wp-property-hive | 1 Propertyhive | 2025-05-14 | N/A | 6.1 MEDIUM |
| The Property Hive WordPress plugin before 2.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-10815 | 1 Reneade | 1 Postlists | 2025-05-14 | N/A | 4.2 MEDIUM |
| The PostLists WordPress plugin through 2.0.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | |||||
| CVE-2024-12096 | 1 Ulfben | 1 Exhibit To Wp Gallery | 2025-05-14 | N/A | 6.1 MEDIUM |
| The Exhibit to WP Gallery WordPress plugin through 0.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2022-42071 | 1 Oretnom23 | 1 Online Birth Certificate Management System | 2025-05-14 | N/A | 6.1 MEDIUM |
| Online Birth Certificate Management System version 1.0 suffers from a Cross Site Scripting (XSS) Vulnerability. | |||||
| CVE-2024-10858 | 1 Automattic | 1 Jetpack | 2025-05-14 | N/A | 6.1 MEDIUM |
| The Jetpack WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com. | |||||
| CVE-2024-11644 | 1 Salko | 1 Wp-svg | 2025-05-14 | N/A | 5.9 MEDIUM |
| The WP-SVG WordPress plugin through 0.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-11921 | 1 Givewp | 1 Givewp | 2025-05-14 | N/A | 4.8 MEDIUM |
| The GiveWP WordPress plugin before 3.19.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-3433 | 1 Puneethreddyhc | 1 Event Management | 2025-05-14 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic has been found in PuneethReddyHC Event Management 1.0. Affected is an unknown function of the file /backend/register.php. The manipulation of the argument event_id/full_name/email/mobile/college/branch leads to cross site scripting. It is possible to launch the attack remotely. VDB-259614 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-11849 | 1 Podsfoundation | 1 Pods | 2025-05-14 | N/A | 6.1 MEDIUM |
| The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-24645 | 2025-05-14 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rob Scott Eazy Under Construction allows Reflected XSS. This issue affects Eazy Under Construction: from n/a through 1.0. | |||||