Total
37705 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-19904 | 1 Xsltcms.org Project | 1 Xsltcms.org | 2025-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent XSS exists in XSLT CMS via the create/?action=items.edit&type=Page "body" field. | |||||
| CVE-2024-10679 | 1 Expresstech | 1 Quiz And Survey Master | 2025-05-06 | N/A | 6.1 MEDIUM |
| The Quiz and Survey Master (QSM) WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-1452 | 1 Favoriteposts | 1 Favorites | 2025-05-06 | N/A | 3.5 LOW |
| The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-2304 | 1 Favoriteposts | 1 Favorites | 2025-05-06 | N/A | 6.4 MEDIUM |
| The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_favorites' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-12682 | 1 Brijeshk89 | 1 Smart Maintenance Mode | 2025-05-06 | N/A | 6.1 MEDIUM |
| The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-52430 | 1 Authcrunch | 1 Caddy-security | 2025-05-06 | N/A | 6.1 MEDIUM |
| The caddy-security plugin 1.1.20 for Caddy allows reflected XSS via a GET request to a URL that contains an XSS payload and begins with either a /admin or /settings/mfa/delete/ substring. | |||||
| CVE-2018-19918 | 1 Cuppacms | 1 Cuppacms | 2025-05-06 | 3.5 LOW | 5.4 MEDIUM |
| CuppaCMS has XSS via an SVG document uploaded to the administrator/#/component/table_manager/view/cu_views URI. | |||||
| CVE-2018-19906 | 1 Razorcms | 1 Razorcms | 2025-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS exists in razorCMS 3.4.8 via the /#/page description parameter. | |||||
| CVE-2018-19905 | 1 Razorcms | 1 Razorcms | 2025-05-06 | 3.5 LOW | 5.4 MEDIUM |
| HTML injection exists in razorCMS 3.4.8 via the /#/page keywords parameter. | |||||
| CVE-2024-12683 | 1 Brijeshk89 | 1 Smart Maintenance Mode | 2025-05-06 | N/A | 3.5 LOW |
| The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-44046 | 1 Themify | 1 Woocommerce Product Filter | 2025-05-06 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themify Themify – WooCommerce Product Filter allows Stored XSS.This issue affects Themify – WooCommerce Product Filter: from n/a through 1.5.1. | |||||
| CVE-2024-5968 | 1 10web | 1 Photo Gallery | 2025-05-06 | N/A | 4.8 MEDIUM |
| The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2025-25062 | 2025-05-06 | N/A | 4.4 MEDIUM | ||
| An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module. | |||||
| CVE-2024-48622 | 1 Domainmod | 1 Domainmod | 2025-05-06 | N/A | 6.6 MEDIUM |
| A cross-site scripting (XSS) issue in DomainMOD below v4.12.0 allows remote attackers to inject JavaScript code via admin/domain-fields/edit.php and the cdfid parameter. | |||||
| CVE-2024-48623 | 1 Domainmod | 1 Domainmod | 2025-05-06 | N/A | 5.3 MEDIUM |
| In queue\index.php of DomainMOD below v4.12.0, the list_id and domain_id parameters in the GET request can be exploited to cause a reflected Cross Site Scripting (XSS). | |||||
| CVE-2024-48624 | 1 Domainmod | 1 Domainmod | 2025-05-06 | N/A | 5.3 MEDIUM |
| In segments\edit.php of DomainMOD below v4.12.0, the segid parameter in the GET request can be exploited to cause a reflected Cross Site Scripting (XSS) vulnerability. | |||||
| CVE-2024-25381 | 1 Emlog | 1 Emlog | 2025-05-06 | N/A | 6.1 MEDIUM |
| There is a Stored XSS Vulnerability in Emlog Pro 2.2.8 Article Publishing, due to non-filtering of quoted content. | |||||
| CVE-2022-40487 | 1 Processwire | 1 Processwire | 2025-05-06 | N/A | 6.1 MEDIUM |
| ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload. | |||||
| CVE-2018-6341 | 1 Facebook | 1 React | 2025-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2. | |||||
| CVE-2024-5075 | 1 Tipsandtricks-hq | 1 Wp Emember | 2025-05-06 | N/A | 5.9 MEDIUM |
| The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||