
935 matches found

RedhatCVE
added 2025/12/10 6:26 a.m. | 3 views

CVE-2025-13071

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 7.1 | AI score 6.1 | EPSS 0.00029
Exploits: 0 | References: 1
CVE
added 2025/12/10 6:0 a.m. | 16 views

CVE-2025-13072

The HandL UTM Grabber / Tracker WordPress plugin (versions prior to 2.8.1) is affected by CVE-2025-13072 due to improper sanitization/escaping of a parameter before it is reflected back on the page, enabling a Reflected XSS that could target high-privilege users such as admins. The issue is confi...

CVSS 7.1 | AI score 5.7 | EPSS 0.00029
Exploits: 0 | References: 1
Positive Technologies
added 2025/12/10 12:0 a.m. | 3 views

PT-2025-50306

Name of the Vulnerable Software and Affected Versions: HandL UTM Grabber / Tracker WordPress plugin versions prior to 2.8.1. Description: The HandL UTM Grabber / Tracker WordPress plugin does not properly sanitize and escape a parameter before displaying it, resulting in a Reflected Cross-Site...

CVSS 7.1 | AI score 5.8 | EPSS 0.00029
Exploits: 0 | References: 7
EUVD
added 2025/12/09 6:30 p.m. | 2 views

EUVD-2025-202050

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TalentSoft Software UNIS allows Reflected XSS. This issue affects UNIS: before 42957...

CVSS 5.4 | AI score 6 | EPSS 0.00024
Exploits: 0 | References: 2
Cvelist
added 2025/12/09 6:10 p.m. | 16 views

CVE-2025-34398 MailEnable < 10.54 Reflected XSS in AddressesBcc Parameter of AddressBook.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesBcc value is not properly sanitized when processed via a GET request and is reflected within a block in the JavaScrip...

CVSS 5.3 | EPSS 0.00011
Exploits: 0 | References: 3
Cvelist
added 2025/12/09 6:9 p.m. | 17 views

CVE-2025-34400 MailEnable < 10.54 Reflected XSS in AddressesTo Parameter of AddressBook.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesTo value is not properly sanitized when processed via a GET request and is reflected within a block in the response. B...

CVSS 5.3 | EPSS 0.00011
Exploits: 0 | References: 3
CVE
added 2025/12/09 6:8 p.m. | 12 views

CVE-2025-34403

MailEnable < 10.54 contains a reflected XSS in the FieldTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldTo value, processed via GET, is reflected inside a [removed] block in the JavaScript variable fieldTo, enabling attacker-controlled script execution that can redirect users,...

CVSS 6.1 | AI score 5.4 | EPSS 0.00011
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2025/12/09 6:7 p.m. | 17 views

CVE-2025-34404 MailEnable < 10.54 Reflected XSS in InstanceScope Parameter of CAL/compose.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a block in the...

CVSS 5.3 | EPSS 0.00011
Exploits: 0 | References: 3
NVD
added 2025/12/09 4:17 p.m. | 1 views

CVE-2025-13071

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 7.1 | EPSS 0.00029
Exploits: 0 | References: 1
CVE
added 2025/12/09 8:10 a.m. | 10 views

CVE-2025-41745

CVE-2025-41745 describes an XSS in pxc_portCntr2.php that allows an unauthenticated attacker to trick an authenticated user into sending a manipulated POST to modify web-based management parameters. The vulnerability affects devices exposing the pxc_portCntr2.php page within their web management ...

CVSS 7.1 | AI score 5.9 | EPSS 0.00068
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/12/09 6:0 a.m. | 1 views

CVE-2025-13071 Custom Admin Menu <= 1.0.0 - Reflected XSS

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 5.7 | EPSS 0.00029
Exploits: 0 | References: 1
CVE
added 2025/12/09 6:0 a.m. | 11 views

CVE-2025-13071

CVE-2025-13071 affects the WordPress plugin “Custom Admin Menu” up to version 1.0.0. The issue is a reflected Cross-Site Scripting (XSS) where a parameter is echoed back without proper sanitisation/escaping, enabling an attacker to inject scripts that could run in the context of an admin user’s s...

CVSS 7.1 | AI score 5.7 | EPSS 0.00029
Exploits: 0 | References: 1
EUVD
added 2025/12/09 12:11 a.m. | 2 views

EUVD-2025-201813

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to a XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or...

CVSS 6.1 | AI score 5.6 | EPSS 0.0001
Exploits: 2 | References: 4
Positive Technologies
added 2025/12/09 12:0 a.m. | 3 views

PT-2025-50146

Name of the Vulnerable Software and Affected Versions: MailEnable versions prior to 10.54. Description: The software contains a reflected cross-site scripting (XSS) issue in the Added parameter of the '/Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx' endpoint. The Added value is not properly...

CVSS 6.1 | AI score 5.7 | EPSS 0.00014
Exploits: 0 | References: 5
RedhatCVE
added 2025/12/07 6:5 a.m. | 2 views

CVE-2025-13894

The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1 | AI score 5.6 | EPSS 0.00106
Exploits: 0 | References: 1
RedhatCVE
added 2025/12/07 3:37 a.m. | 3 views

CVE-2025-11263

The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1 | AI score 5.6 | EPSS 0.00106
Exploits: 0 | References: 1
CVE
added 2025/12/06 5:49 a.m. | 12 views

CVE-2025-13137

CVE-2025-13137 – Live Sales Notification for Woocommerce – Woomotiv : Reflected XSS via the woocomotiv_limit parameter affecting the WordPress plugin up to version 3.6.3. The vulnerability arises from insufficient input sanitization and output escaping, permitting unauthenticated attackers to inj...

CVSS 6.1 | AI score 5.3 | EPSS 0.00106
Exploits: 0 | References: 2
Vulnrichment
added 2025/12/06 5:49 a.m. | 2 views

CVE-2025-13626 myLCO <= 0.8.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1 | AI score 5.3 | EPSS 0.00138
Exploits: 0 | References: 4
NVD
added 2025/12/06 4:15 a.m. | 2 views

CVE-2025-11263

The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1 | EPSS 0.00106
Exploits: 0 | References: 2
CVE
added 2025/12/06 3:27 a.m. | 10 views

CVE-2025-11263

CVE-2025-11263 is a reflected Cross-Site Scripting vulnerability in the WordPress plugin Link Whisper Free (versions up to and including 0.8.8). The issue arises from insufficient input sanitization and output escaping in the type parameter, allowing unauthenticated attackers to inject scripts in...

CVSS 6.1 | AI score 5.3 | EPSS 0.00106
Exploits: 0 | References: 2