Vulnerabilities (CVE)

Filtered by CWE-79
Total 44821 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-9333 2026-06-17 N/A 5.5 MEDIUM
The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2025-9332 2026-06-17 N/A 5.5 MEDIUM
The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2025-9306 1 Donbermoy 1 Advanced School Management System 2026-06-17 4.0 MEDIUM 3.5 LOW
A vulnerability was detected in SourceCodester Advanced School Management System 1.0. The impacted element is an unknown function of the file /index.php/notice/addNotice. The manipulation of the argument noticeSubject results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used.
CVE-2025-9289 1 Tp-link 9 Oc200, Oc200 Firmware, Oc220 and 6 more 2026-06-17 N/A 4.7 MEDIUM
A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator’s browser, potentially exposing sensitive information and compromising confidentiality.
CVE-2025-9277 2026-06-17 N/A 6.4 MEDIUM
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the broken preg_replace expression in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-9237 1 Codeastro 1 Ecommerce Website 2026-06-17 4.0 MEDIUM 3.5 LOW
A vulnerability was found in CodeAstro Ecommerce Website 1.0. This impacts an unknown function of the file /customer/my_account.php?edit_account of the component Edit Your Account Page. Performing manipulation of the argument Username results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
CVE-2025-9235 1 Scada-lts 1 Scada-lts 2026-06-17 4.0 MEDIUM 3.5 LOW
A flaw has been found in Scada-LTS up to 2.7.8.1. The impacted element is an unknown function of the file compound_events.shtm. This manipulation of the argument Name causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used.
CVE-2025-9234 1 Scada-lts 1 Scada-lts 2026-06-17 4.0 MEDIUM 3.5 LOW
A vulnerability was detected in Scada-LTS up to 2.7.8.1. The affected element is an unknown function of the file maintenance_events.shtm. The manipulation of the argument Alias results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used.
CVE-2025-9233 1 Scada-lts 1 Scada-lts 2026-06-17 4.0 MEDIUM 3.5 LOW
A security vulnerability has been detected in Scada-LTS up to 2.7.8.1. Impacted is an unknown function of the file view_edit.shtm. The manipulation of the argument Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
CVE-2025-9227 2026-06-17 N/A 6.5 MEDIUM
Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to Stored XSS Vulnerability in the SNMP trap processor.
CVE-2025-9226 2026-06-17 N/A 4.6 MEDIUM
Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details.
CVE-2025-9225 2026-06-17 N/A 5.5 MEDIUM
Stored cross-site scripting (XSS) in the web interface of MiR software versions prior to 3.0.0 on MiR Robots and MiR Fleet allows execution of arbitrary JavaScript code in a victim’s browser
CVE-2025-9208 1 Opentext 1 Web Site Management Server 2026-06-17 N/A 5.4 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data. This issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1.
CVE-2025-9206 2026-06-17 N/A 6.4 MEDIUM
The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all version up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post.
CVE-2025-9204 2026-06-17 N/A 6.4 MEDIUM
The X Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Youtube Video ID field in all versions up to, and including, 1.0.16. This is due to insufficient input sanitization and output escaping on the Youtube Video ID parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page.
CVE-2025-9203 2026-06-17 N/A 6.4 MEDIUM
The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-9171 1 Solidinvoice 1 Solidinvoice 2026-06-17 4.0 MEDIUM 3.5 LOW
A security flaw has been discovered in SolidInvoice up to 2.4.0. The impacted element is an unknown function of the file /clients of the component Clients Module. Performing manipulation of the argument Name results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-9170 1 Solidinvoice 1 Solidinvoice 2026-06-17 4.0 MEDIUM 3.5 LOW
A vulnerability was identified in SolidInvoice up to 2.4.0. The affected element is an unknown function of the file /tax/rates of the component Tax Rates Module. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-9169 1 Solidinvoice 1 Solidinvoice 2026-06-17 4.0 MEDIUM 3.5 LOW
A vulnerability was determined in SolidInvoice up to 2.4.0. Impacted is an unknown function of the file /quotes of the component Quote Module. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-9168 1 Solidinvoice 1 Solidinvoice 2026-06-17 4.0 MEDIUM 3.5 LOW
A vulnerability was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.