Total
36825 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24432 | 1 Berocket | 1 Advanced Ajax Product Filters | 2025-06-11 | N/A | 6.1 MEDIUM |
| The Advanced AJAX Product Filters WordPress plugin does not sanitise the 'term_id' POST parameter before outputting it in the page, leading to reflected Cross-Site Scripting issue. | |||||
| CVE-2024-12739 | 1 Annabansaghi | 1 Mobile Contact Bar | 2025-06-11 | N/A | 4.8 MEDIUM |
| The Mobile Contact Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-6693 | 1 Wp-buy | 1 Wp Content Copy Protection \& No Right Click | 2025-06-11 | N/A | 4.8 MEDIUM |
| The wccp-pro WordPress plugin before 15.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-6712 | 1 Acugis | 1 Mapfig Studio | 2025-06-11 | N/A | 6.1 MEDIUM |
| The MapFig Studio WordPress plugin through 0.2.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2024-6713 | 1 Freebiesdownload | 1 Pvn Auth Popup | 2025-06-11 | N/A | 4.8 MEDIUM |
| The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-7556 | 1 Missionmike | 1 Simple Share | 2025-06-11 | N/A | 4.8 MEDIUM |
| The Simple Share WordPress plugin through 0.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-7759 | 1 Magazine3 | 1 Pwa For Wp \& Amp | 2025-06-11 | N/A | 4.8 MEDIUM |
| The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-7761 | 1 Presstigers | 1 Simple Job Board | 2025-06-11 | N/A | 6.1 MEDIUM |
| In the process of testing the Simple Job Board WordPress plugin before 2.12.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor | |||||
| CVE-2024-7769 | 1 Clicksold | 1 Clicksold Idx | 2025-06-11 | N/A | 4.8 MEDIUM |
| The ClickSold IDX WordPress plugin through 1.90 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-5440 | 1 If-so | 1 Dynamic Content Personalization | 2025-06-11 | N/A | 5.4 MEDIUM |
| The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-6335 | 1 Data443 | 1 Tracking Code Manager | 2025-06-11 | N/A | 4.8 MEDIUM |
| The Tracking Code Manager WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-42009 | 1 Roundcube | 1 Webmail | 2025-06-11 | N/A | 9.3 CRITICAL |
| A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. | |||||
| CVE-2024-6462 | 1 Dyadyalesha | 1 Dl Yandex Metrika | 2025-06-11 | N/A | 4.8 MEDIUM |
| The DL Yandex Metrika WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-6478 | 1 Thisfunctional | 1 Ctt Expresso Para Woocommerce | 2025-06-11 | N/A | 4.8 MEDIUM |
| The CTT Expresso para WooCommerce WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-45194 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 4.8 MEDIUM |
| In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.) | |||||
| CVE-2025-22996 | 1 Linksys | 2 E5600, E5600 Firmware | 2025-06-11 | N/A | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the spf_table_content component of Linksys E5600 Router Ver. 1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the desc parameter. | |||||
| CVE-2025-22997 | 1 Linksys | 2 E5600, E5600 Firmware | 2025-06-11 | N/A | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the prf_table_content component of Linksys E5600 Router Ver. 1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the desc parameter. | |||||
| CVE-2023-48197 | 1 Grocy Project | 1 Grocy | 2025-06-11 | N/A | 5.4 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy 4.0.3 and earlier allows attackers to obtain victim's cookies when the victim clicks on the "see QR code" function. | |||||
| CVE-2023-47488 | 1 Combodo | 1 Itop | 2025-06-11 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page. | |||||
| CVE-2024-13865 | 1 S3bubble | 1 S3player | 2025-06-11 | N/A | 6.1 MEDIUM |
| The S3Player WordPress plugin through 4.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. | |||||