Total: 37705 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-3504 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | N/A | 4.8 MEDIUM | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-3503 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | N/A | 4.8 MEDIUM | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-3502 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | N/A | 4.8 MEDIUM | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-54998 | 1 Monicahq | 1 Monica | 2025-05-07 | N/A | 5.4 MEDIUM | MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter at /people/h:[id]/debts/create.
CVE-2024-54996 | 1 Monicahq | 1 Monica | 2025-05-07 | N/A | 8.8 HIGH | MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and description parameters at /people/ID/reminders/create.
CVE-2024-54994 | 1 Monicahq | 1 Monica | 2025-05-07 | N/A | 6.5 MEDIUM | MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_name parameters in the Add a new relationship feature.
CVE-2022-2826 | 1 Gitlab | 1 Gitlab | 2025-05-07 | N/A | 2.7 LOW | An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. TODO
CVE-2020-10196 | 1 Sygnoos | 1 Popup Builder | 2025-05-07 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of the popup's fields by sending a request to wp-admin/admin-ajax.php with the POST action parameter of sgpb_autosave and including additional data in an allPopupData parameter, including the popup's ID (which is visible in the source of the page in which the popup is inserted) and arbitrary JavaScript which will then be executed in the browsers of visitors to that page. Because the plugin functionality automatically adds script tags to data entered into these fields, this injection will typically bypass most WAF applications.
CVE-2025-31121 | 1 Open-emr | 1 Openemr | 2025-05-07 | N/A | 5.4 MEDIUM | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 7.0.3.1, the Patient Image feature in OpenEMR is vulnerable to cross-site scripting attacks via the EXIF title in an image. This vulnerability is fixed in 7.0.3.1.
CVE-2024-51328 | 1 Projectworlds | 1 Travel Management System | 2025-05-07 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in addcategory.php in projectworld's Travel Management System v1.0 allows remote attackers to inject arbitrary code via the t2 parameter.
CVE-2022-43170 | 1 Rukovoditel | 1 Rukovoditel | 2025-05-07 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block".
CVE-2022-40690 | 1 Bookstackapp | 1 Bookstack | 2025-05-07 | N/A | 5.4 MEDIUM | Cross-site scripting vulnerability in BookStack versions prior to v22.09 allows a remote authenticated attacker to inject an arbitrary script.
CVE-2022-36368 | 1 Ipfire | 1 Ipfire | 2025-05-07 | N/A | 4.8 MEDIUM | Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allow a remote authenticated attacker with administrative privilege to inject an arbitrary script.
CVE-2024-28160 | 1 Jenkins | 1 Icescrum | 2025-05-07 | N/A | 8.8 HIGH | Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
CVE-2022-42992 | 1 Train Scheduler App Project | 1 Train Scheduler App | 2025-05-07 | N/A | 5.4 MEDIUM | Multiple stored cross-site scripting (XSS) vulnerabilities in Train Scheduler App v1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Train Code, Train Name, and Destination text fields.
CVE-2022-42991 | 1 Simple Online Public Access Catalog Project | 1 Simple Online Public Access Catalog | 2025-05-07 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in Simple Online Public Access Catalog v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Account Full Name field.
CVE-2022-3392 | 1 Wp Humans.txt Project | 1 Wp Humans.txt | 2025-05-07 | N/A | 4.8 MEDIUM | The WP Humans.txt WordPress plugin through 1.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2022-2190 | 1 Enviragallery | 1 Envira Gallery | 2025-05-07 | N/A | 6.1 MEDIUM | The Gallery Plugin for WordPress plugin before 1.8.4.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
CVE-2022-2167 | 1 Tagdiv | 1 Newspaper | 2025-05-07 | N/A | 6.1 MEDIUM | The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to Reflected Cross-Site Scripting.
CVE-2021-38728 | 1 Sem-cms | 1 Semcms | 2025-05-07 | N/A | 6.1 MEDIUM | SEMCMS SHOP v1.1 is vulnerable to Cross Site Scripting (XSS) via Ant_M_Coup.php.