1042880 matches found
CVE-2026-6742
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in all versions up to, and including, 2026.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...
CVE-2026-10570
The CVE-2026-10570 entry concerns the Sympl Repeater for ACF and Elementor WordPress plugin (versions up to 2.3). Affected component: the function symp_arfe_replace_content() , which uses str_replace() to insert raw ACF field values (via get_field()) directly into Elementor-generated HTML without...
Microweber <1.2.11 - Stored Cross-Site Scripting
Microweber before 1.2.1 contains multiple stored cross-site scripting vulnerabilities in Shop's Other Settings, Autorespond E-mail Settings, and Payment Methods. id: CVE-2022-0954 info: name: Microweber 1.2.11 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microwebe...
WordPress Hero Maps Premium <=2.2.1 - Cross-Site Scripting
WordPress Hero Maps Premium plugin 2.2.1 and prior contains an unauthenticated reflected cross-site scripting vulnerability via the views/dashboard/index.php p parameter. id: CVE-2019-19134 info: name: WordPress Hero Maps Premium =2.2.2 or apply the vendor-provided patch to fix the XSS...
Sidekiq < 7.0.8 - Cross-Site Scripting
An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system. id: CVE-2023-1892 info: name: Sidekiq 7.0.8 - Cross-Site Scripting author: ritikchaddha,princechaddha severity: critical description: | An XSS vulnerability on a Sidekiq admin pan...
WWBN AVideo 11.6 - Cross-Site Scripting
A reflected XSS vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff, allowing arbitrary Javascript execution. id: CVE-2023-48728 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: ritikchaddha severity: medium...
ProfilePress < 3.1.11 - Cross-Site Scripting
The ProfilePress plugin for WordPress before 3.1.11 is vulnerable to unauthenticated reflected cross-site scripting XSS via the tabbed login/register widget due to improper escaping of user input. Attackers can inject arbitrary JavaScript via the tabbed-login-name parameter. id: CVE-2021-24522...
XWiki Platform - Cross-Site Scripting
XWiki Platform versions = 4.2-milestone-3 and = 16.5.0-rc-1 and = 17.0.0-rc-1 and = 4.2-milestone-3 and = 16.5.0-rc-1 and = 17.0.0-rc-1 and 17.3.0-rc-1 are vulnerable to reflected XSS in two templates. The vulnerability allows an attacker to execute malicious JavaScript code in the context of the...
Contact Form Generator <= 2.5.5 - Cross-Site Scripting
The Contact Form Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in wp-admin/admin.php in versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
Quest KACE SMA /common/run_cross_report.php 'fmt' XSS
The 'fmt' parameter of the '/common/runcrossreport.php' script in the the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. id: CVE-2018-11133 info: name: Quest KACE SMA /common/runcrossreport.php 'fmt' XSS author: iamnoooob,pdresearch severity: medium...
AcuToWeb server/10.5.0.7577c8b - Cross-Site Scripting
AcuToWeb server/10.5.0.7577c8b is vulnerable to reflected cross-site scripting XSS via the portgw parameter. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution. id: CVE-2024-42852 info: name: AcuToWeb server/10.5.0.7577c8b - Cross-Site Scripting author:...
FOSSBilling < 0.5.3 - Cross-Site Scripting
Cross-site Scripting XSS - Reflected in GitHub repository fossbilling/fossbilling prior to 0.5.4. id: CVE-2023-3521 info: name: FOSSBilling &datefrom='" HTTP/1.1 Host: Hostname matchers-condition: and matchers: - type: word part: body words:...
Essential Grid <= 3.1.0 - Cross-Site Scripting
Unauthenticated Reflected Cross-Site Scripting XSS vulnerability in ThemePunch OHG Essential Grid plugin = 3.1.0 versions. id: CVE-2023-47684 info: name: Essential Grid = 3.1.0 - Cross-Site Scripting author: 0xpugal severity: medium description: | Unauthenticated Reflected Cross-Site Scripting XS...
Store Locator WordPress < 1.4.13 - Cross-Site Scripting
The Store Locator WordPress plugin before 1.4.13 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. id: CVE-2023-4151 info: name: Store Locator...
OPNsense - Cross-Site Scripting to RCE
There is a XSS in /ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 via openAction in app/controllers/OPNsense/Cron/ItemController.php. id: CVE-2023-39007 info: name: OPNsense - Cross-Site Scripting to RCE author: ritikchaddha...
Redirection for Contact Form 7 < 2.5.0 - Cross-Site Scripting
The Redirection for Contact Form 7 WordPress plugin before 2.5.0 does not escape a link generated before outputting it in an attribute, leading to a Reflected Cross-Site Scripting. id: CVE-2022-0250 info: name: Redirection for Contact Form 7 2.5.0 - Cross-Site Scripting author: ritikchaddha...
SuperWebMailer - Cross-Site Scripting
An issue was discovered in SuperWebMailer 9.00.0.01710 that allows keepalive.php XSS via a GET parameter. id: CVE-2023-38194 info: name: SuperWebMailer - Cross-Site Scripting author: ritikchaddha severity: medium description: | An issue was discovered in SuperWebMailer 9.00.0.01710 that allows...
Blog2Social < 7.2.1 - Cross-Site Scripting
The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin id: CVE-2023-3936 info: name: Blog2Social 7.2.1 - Cross-Site...
PHPJabbers Bus Reservation System 1.1 - Cross-Site Scripting
A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index/pickupid leads to cross site scripting. The attack may be launched remotely. id:...
MooDating 1.2 - Cross-Site Scripting
A vulnerability classified as problematic has been found in mooSocial mooDating 1.2. This affects an unknown part of the file /pages of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. id: CVE-2023-3846 info: name: MooDatin...