11 matches found

EUVD
added 2026/03/11 6:31 a.m., 2 views

EUVD-2026-11093

The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 7.1, AI score 5.8, EPSS 0.00045
Exploits: 0, References: 2

OSV
added 2025/06/09 6:15 a.m., 0 views

CVE-2025-4652

The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1, AI score 5.8
Exploits: 0, References: 1

RedhatCVE
added 2025/05/22 11:31 p.m., 2 views

CVE-2022-1559

The Clipr WordPress plugin through 1.2.3 does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed...

CVSS 4.8, AI score 5.5, EPSS 0.01782
Exploits: 2, References: 1

OSV
added 2025/01/27 6:15 a.m., 1 views

CVE-2024-13094

The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 7.1, AI score 7.3
Exploits: 0, References: 1

OSV
added 2024/07/12 6:15 a.m., 0 views

CVE-2024-5626

The Inline Related Posts WordPress plugin before 3.7.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1, AI score 5.8
Exploits: 0, References: 1

WPVulnDB
added 2023/11/03 12:0 a.m., 9 views

Shortcode Menu <= 3.2 - Contributor+ Stored Cross-Site Scripting

Description: The plugin does not properly sanitize user input or escape output in the 'shortmenu' shortcode, leading to a Stored Cross-Site Scripting vulnerability. This issue allows authenticated users with contributor-level and above permissions to inject arbitrary web scripts into pages...

CVSS 6.4, AI score 5.5, EPSS 0.00077
Exploits: 1, References: 1

WPVulnDB
added 2023/08/07 12:0 a.m., 13 views

CartFlows Pro < 1.11.12 - Reflected Cross-Site Scripting

Description: The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 7.1, AI score 5.8, EPSS 0.00105
Exploits: 0, Affected Software: 1

WPVulnDB
added 2023/07/10 12:0 a.m., 18 views

Mail Control <= 0.2.8 - Unauthenticated Stored Cross-Site Scripting via Email Subject

The plugin does not adequately sanitize input or escape output for email subjects, resulting in potential for stored cross-site scripting...

CVSS 7.2, AI score 6.6, EPSS 0.01283
Exploits: 0, References: 1, Affected Software: 1

OSV
added 2022/03/28 6:15 p.m., 0 views

CVE-2022-0621

The dTabs WordPress plugin through 1.4 does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...

CVSS 6.1, AI score 5.8
Exploits: 0, References: 1

OwnCloud
added 2017/05/31 11:36 a.m., 512 views

XSS in Error Page - ownCloud

An attacker can inject HTML script code into an error message. Affected Software: ownCloud Server 10.0.2 (CVE-2017-8896), ownCloud Server 9.1.6 (CVE-2017-8896), ownCloud Server 9.0.10 (CVE-2017-8896), ownCloud Server 8.2.12 (CVE-2017-8896). Action Taken: Escape output. Acknowledgements: The ownCloud team thanks the...

CVSS 4.3, AI score 6.2, EPSS 0.00379
Exploits: 0, Affected Software: 1

Packet Storm
added 2013/10/28 12:0 a.m., 25 views

Struts 2.3.15.3 Cross Site Scripting

Abstract: The latest version of the current official struts-2.3.15.3, struts2-showcase.war demo XSS still exists! Details: I found an update of the official demo of Struts2, so I did a test. It used to be able to filter, escape input and escape output, but why didn't it escape this time? Proofs...

AI score 0.1
Exploits: 0