Vulnerabilities (CVE)

Filtered by CWE-79
Total 44813 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-6687 1 Pwrplugins 1 Magic Buttons For Elementor 2026-06-17 N/A 6.4 MEDIUM
The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on the 'icon' user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6686 1 Pwrplugins 1 Magic Buttons For Elementor 2026-06-17 N/A 6.4 MEDIUM
The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on the 'text' user supplied attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6681 2026-06-17 N/A 6.4 MEDIUM
The Fan Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6677 1 Paragraphs Table Project 1 Paragraphs Table 2026-06-17 N/A 5.4 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Paragraphs table allows Cross-Site Scripting (XSS).This issue affects Paragraphs table: from 2.0.0 before 2.0.5.
CVE-2025-6676 1 Gbyte 1 Simple Xml Sitemap 2026-06-17 N/A 5.4 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple XML sitemap allows Cross-Site Scripting (XSS).This issue affects Simple XML sitemap: from 0.0.0 before 4.2.2.
CVE-2025-6674 1 Gabderrahim 1 Ckeditor5 Youtube 2026-06-17 N/A 6.1 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CKEditor5 Youtube allows Cross-Site Scripting (XSS).This issue affects CKEditor5 Youtube: from 0.0.0 before 1.0.3.
CVE-2025-6673 2026-06-17 N/A 6.4 MEDIUM
The Easy restaurant menu manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's nsc_eprm_menu_link shortcode in versions up to, and including 2.0.1, due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6626 2026-06-17 N/A 4.4 MEDIUM
The ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the API URL Setting in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2025-6613 1 Anujk305 1 Hospital Management System 2026-06-17 4.0 MEDIUM 3.5 LOW
A vulnerability classified as problematic was found in PHPGurukul Hospital Management System 4.0. Affected by this vulnerability is an unknown functionality of the file /doctor/manage-patient.php. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-6596 2026-06-17 N/A N/A
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js. This issue affects Vector: from >= 1.40.0 before 1.42.7, 1.43.2, 1.44.0.
CVE-2025-6595 2026-06-17 N/A 4.7 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer.This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
CVE-2025-6594 2026-06-17 N/A 4.7 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.
CVE-2025-6591 2026-06-17 N/A N/A
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0.
CVE-2025-6588 2026-06-17 N/A 6.1 MEDIUM
The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘error’ parameter in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
CVE-2025-6575 1 Dolusoft 1 Omaspot 2026-06-17 N/A 5.4 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dolusoft Omaspot allows Reflected XSS. This issue affects Omaspot: before 12.09.2025.
CVE-2025-6569 1 Fabian 1 School Fees Payment System 2026-06-17 5.0 MEDIUM 4.3 MEDIUM
A vulnerability classified as problematic was found in code-projects School Fees Payment System 1.0. Affected by this vulnerability is an unknown functionality of the file /student.php. The manipulation of the argument sname/contact/about/emailid/transcation_remark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-6551 1 Java-aodeng 1 Hope-boot 2026-06-17 4.0 MEDIUM 3.5 LOW
A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-6550 1 Webangon 1 The Pack Elementor Addons 2026-06-17 N/A 6.4 MEDIUM
The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slider_options’ parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6546 1 Azumbro 1 Drive Folder Embedder 2026-06-17 N/A 6.4 MEDIUM
The Drive Folder Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tablecssclass’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6540 1 Murtuzamakda52 1 Web-cam 2026-06-17 N/A 6.4 MEDIUM
The web-cam plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slug’ parameter in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.