Lucene search

932 matches found

ATTACKERKB | added 2026/02/07 8:26 a.m. | 4 views

CVE-2026-1643

The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if...

CVSS 6.1 | AI score 5.6 | EPSS 0.00049
Exploits: 0 | References: 5

Cvelist | added 2026/02/07 8:26 a.m. | 25 views

CVE-2026-1634 Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVSS 6.1 | EPSS 0.00049
Exploits: 0 | References: 4

Patchstack | added 2026/02/04 9:22 a.m. | 3 views

WordPress ForumWP - Forum & Discussion Board plugin <= 2.1.2 - Reflected Cross-Site Scripting via url Parameter vulnerability

WordPress ForumWP - Forum & Discussion Board plugin <= 2.1.2 - Reflected Cross-Site Scripting via url Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin ForumWP versions <= 2.1.2...

CVSS 6.1 | AI score 8.3 | EPSS 0.01684
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment | added 2026/02/03 7:9 p.m. | 3 views

CVE-2026-24426 Tenda AC7 Reflected XSS via Web Interface Output Encoding

Shenzhen Tenda AC7 firmware version V03.03.03.01cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim’s browser...

CVSS 5.1 | AI score 5.5 | EPSS 0.00052
Exploits: 0 | References: 2

CVE | added 2026/02/03 4:57 p.m. | 3 views

CVE-2026-24674

Open eClass (formerly GUnet eClass) is vulnerable to a Reflected XSS in multiple endpoints prior to version 4.2. The root cause is reflected XSS that allows an attacker to coerce authenticated users into executing arbitrary JavaScript via crafted URLs. Impact is to expose user context data and po...

CVSS 6.1 | AI score 5.8 | EPSS 0.00093
Exploits: 1 | References: 1 | Affected Software: 1

Github Security Blog | added 2026/02/03 12:30 p.m. | 5 views

Moodle vulnerable to Cross-site Scripting

A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links...

CVSS 6.1 | AI score 5.8 | EPSS 0.00038
Exploits: 0 | References: 6 | Affected Software: 1

OSV | added 2026/02/03 11:15 a.m. | 0 views

UBUNTU-CVE-2025-67855

A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links...

CVSS 6.1 | AI score 6.1 | EPSS 0.00038
Exploits: 0 | References: 4

Patchstack | added 2026/02/03 9:21 a.m. | 4 views

WordPress Contact Form by BestWebSoft plugin <= 4.2.8 - Reflected Cross-Site Scripting via cntctfrm_contact_subject vulnerability

Reflected Cross-Site Scripting via cntctfrm_contact_subject vulnerability discovered by Krzysztof Zając - CERT PL in WordPress Plugin Contact Form by BestWebSoft versions <= 4.2.8...

CVSS 6.1 | AI score 5.3 | EPSS 0.01268
Exploits: 0 | References: 1 | Affected Software: 1

RedhatCVE | added 2026/02/03 3:11 a.m. | 5 views

CVE-2025-70958

Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allow attackers to execute arbitrary JavaScript in the context of the user's browser by injecting a crafted payload into the dbuser, dbpwd, and dbname parameters...

CVSS 6.1 | AI score 5.5 | EPSS 0.0002
Exploits: 1 | References: 1

OSV | added 2026/02/02 6:0 p.m. | 1 views

GHSA-G6W2-Q45F-XRP4 FacturaScripts is Vulnerable to Reflected XSS

Reflected XSS via SQL Error Messages. Summary: A reflected XSS bug has been found in FacturaScripts. The problem is in how error messages get displayed - it's using Twig's | raw filter which skips HTML escaping. When a database error is triggered like passing a string where an integer is expected,...

CVSS 5.4 | AI score 5.5 | EPSS 0.00019
Exploits: 1 | References: 5

CVE | added 2026/02/01 12:15 p.m. | 8 views

CVE-2021-47911

Affiliate Pro 1.7 is affected by multiple reflected cross-site scripting (XSS) vulnerabilities in the index module’s input fields. The attacker-controlled parameters fullname, username, and email can inject scripts to trigger client-side attacks and manipulate browser requests. The CVE details in...

CVSS 5.4 | AI score 5.9 | EPSS 0.00055
Exploits: 0 | References: 4

PyPA | added 2026/01/30 11:16 p.m. | 5 views

PYSEC-2026-115

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For...

CVSS 6.1 | AI score 6 | EPSS 0.00026
Exploits: 1 | References: 4 | Affected Software: 1

Cvelist | added 2026/01/30 10:7 p.m. | 17 views

CVE-2020-37044 OpenCTI 3.3.1 - Cross Site Scripting

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For...

CVSS 5.4 | EPSS 0.00026
Exploits: 1 | References: 4

ATTACKERKB | added 2026/01/30 10:7 p.m. | 2 views

CVE-2020-37044

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For...

CVSS 5.4 | AI score 6.1 | EPSS 0.00026
Exploits: 1 | References: 4 | Affected Software: 1

RedhatCVE | added 2026/01/29 3:18 p.m. | 4 views

CVE-2026-1391

The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject...

CVSS 5.3 | AI score 6 | EPSS 0.00235
Exploits: 0 | References: 1

Vulnrichment | added 2026/01/28 11:23 a.m. | 4 views

CVE-2025-14063 SEO Links Interlinking <= 1.7.9.9.1 - Reflected Cross-Site Scripting via 'google_error' Parameter

The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.9.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

CVSS 6.1 | AI score 5.9 | EPSS 0.00297
Exploits: 0 | References: 7

CVE | added 2026/01/26 8:20 a.m. | 10 views

CVE-2026-1429

CVE-2026-1429 concerns the WellChoose Single Sign-On Portal System, which is reported to have a Reflected Cross-site Scripting (XSS) vulnerability. The vulnerability allows authenticated remote attackers to cause the victim’s browser to execute arbitrary JavaScript via phishing-style input. The d...

CVSS 5.4 | AI score 6.1 | EPSS 0.00021
Exploits: 0 | References: 2 | Affected Software: 1

GithubExploit | added 2026/01/26 3:3 a.m. | 140 views

100-days-challenge-day-30-XSS-attacks

100-days-challenge-day-30-XSS-attacks XSS attacks demonstrate...

AI score 5.8
Exploits: 0

ATTACKERKB | added 2026/01/24 3:34 p.m. | 2 views

CVE-2026-0862

The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

CVSS 6.1 | AI score 6 | EPSS 0.00061
Exploits: 0 | References: 3

ATTACKERKB | added 2026/01/24 7:26 a.m. | 2 views

CVE-2025-13676

The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the PHP_SELF server variable. This makes it possible for unauthenticated attackers to...

CVSS 6.1 | AI score 6 | EPSS 0.00067
Exploits: 0 | References: 4