Total
36814 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8397 | 1 Webtoffee | 1 Gdpr Cookie Consent | 2025-06-12 | N/A | 5.4 MEDIUM |
| The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context. | |||||
| CVE-2024-8284 | 1 W3eden | 1 Download Manager | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2024-11266 | 1 Pixeljar | 1 Geocache Stat Bar Widget | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Geocache Stat Bar Widget WordPress plugin through 0.911 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-24062 | 1 Aitangbao | 1 Springboot-manager | 2025-06-12 | N/A | 5.4 MEDIUM |
| springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/role. | |||||
| CVE-2024-24060 | 1 Aitangbao | 1 Springboot-manager | 2025-06-12 | N/A | 5.4 MEDIUM |
| springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/user. | |||||
| CVE-2023-5758 | 1 Mozilla | 1 Firefox | 2025-06-12 | N/A | 6.1 MEDIUM |
| When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack. This vulnerability affects Firefox for iOS < 119. | |||||
| CVE-2024-11221 | 1 Mohsinrasool | 1 Full Screen \(page\) Background Image Slideshow | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Full Screen (Page) Background Image Slideshow WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-11190 | 1 Jidaikobo | 1 Jwp-a11y | 2025-06-12 | N/A | 4.8 MEDIUM |
| The jwp-a11y WordPress plugin through 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-11141 | 1 Jontasc | 1 Sailthru Triggermail | 2025-06-12 | N/A | 6.1 MEDIUM |
| The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings and is missing CSRF protection which could allow subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-10818 | 1 Wvega | 1 Jsfiddle Shortcode | 2025-06-12 | N/A | 5.4 MEDIUM |
| The JSFiddle Shortcode WordPress plugin before 1.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-10639 | 1 Klarned | 1 Auto Prune Posts | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Auto Prune Posts WordPress plugin before 3.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-10143 | 1 Deluxeblogtips | 1 Mb Custom Post Types \& Custom Taxonomies | 2025-06-12 | N/A | 4.8 MEDIUM |
| The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-7086 | 1 Ablyperu | 1 Svg Uploads Support | 2025-06-12 | N/A | 5.4 MEDIUM |
| The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
| CVE-2023-7088 | 1 Inventivo | 1 Inventivo | 2025-06-12 | N/A | 5.4 MEDIUM |
| The Add SVG Support for Media Uploader | inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
| CVE-2025-44110 | 1 Fluxbb | 1 Fluxbb | 2025-06-12 | N/A | 5.4 MEDIUM |
| FluxBB 1.5.11 is vulnerable to Cross Site Scripting (XSS) in via the Forum Description Field in admin_forums.php. | |||||
| CVE-2025-47885 | 1 Jenkins | 1 Health Advisor By Cloudbees | 2025-06-12 | N/A | 8.8 HIGH |
| Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses. | |||||
| CVE-2025-48051 | 1 Lichess | 1 Powertip.ts | 2025-06-12 | N/A | 4.7 MEDIUM |
| powertip.ts in Lila (for Lichess) before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as HTML. | |||||
| CVE-2024-45516 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 6.1 MEDIUM |
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction. | |||||
| CVE-2024-45517 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 5.4 MEDIUM |
| An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL. | |||||
| CVE-2024-45513 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 4.8 MEDIUM |
| An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser when a crafted vCard (VCF) file is processed and printed. This could lead to unauthorized actions within the victim's session. | |||||