
950 matches found

CVE
added 2025/12/09 6:8 p.m., 14 views

CVE-2025-34403

MailEnable < 10.54 contains a reflected XSS in the FieldTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldTo value, processed via GET, is reflected inside a <script> block in the JavaScript variable fieldTo, enabling attacker-controlled script execution that can redirect users,...

CVSS: 6.1, AI score: 5.4, EPSS: 0.00324
Exploits: 0, References: 3, Affected Software: 1

Cvelist
added 2025/12/09 6:7 p.m., 18 views

CVE-2025-34404 MailEnable < 10.54 Reflected XSS in InstanceScope Parameter of CAL/compose.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a block in the...

CVSS: 5.3, EPSS: 0.00324
Exploits: 0, References: 3

NVD
added 2025/12/09 4:17 p.m., 4 views

CVE-2025-13071

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS: 7.1, EPSS: 0.00186
Exploits: 0, References: 1

CVE
added 2025/12/09 8:10 a.m., 12 views

CVE-2025-41745

CVE-2025-41745 describes an XSS in pxc_portCntr2.php that allows an unauthenticated attacker to trick an authenticated user into sending a manipulated POST to modify web-based management parameters. The vulnerability affects devices exposing the pxc_portCntr2.php page within their web management ...

CVSS: 7.1, AI score: 5.9, EPSS: 0.00548
Exploits: 0, References: 1, Affected Software: 1

CVE
added 2025/12/09 6:0 a.m., 15 views

CVE-2025-13071

CVE-2025-13071 affects the WordPress plugin “Custom Admin Menu” up to version 1.0.0. The issue is a reflected Cross-Site Scripting (XSS) where a parameter is echoed back without proper sanitisation/escaping, enabling an attacker to inject scripts that could run in the context of an admin user’s s...

CVSS: 7.1, AI score: 5.7, EPSS: 0.00186
Exploits: 0, References: 1

Vulnrichment
added 2025/12/09 6:0 a.m., 2 views

CVE-2025-13071 Custom Admin Menu <= 1.0.0 - Reflected XSS

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score: 5.7, EPSS: 0.00186
Exploits: 0, References: 1

EUVD
added 2025/12/09 12:11 a.m., 3 views

EUVD-2025-201813

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to an XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or...

CVSS: 6.1, AI score: 5.6, EPSS: 0.00223
Exploits: 2, References: 4

Positive Technologies
added 2025/12/09 12:0 a.m., 4 views

PT-2025-50146

Name of the Vulnerable Software and Affected Versions: MailEnable versions prior to 10.54. Description: The software contains a reflected cross-site scripting (XSS) issue in the Added parameter of the /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx endpoint. The Added value is not properly...

CVSS: 6.1, AI score: 5.7, EPSS: 0.00402
Exploits: 0, References: 5

RedhatCVE
added 2025/12/07 6:5 a.m., 10 views

CVE-2025-13894

The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS: 6.1, AI score: 5.6, EPSS: 0.00172
Exploits: 0, References: 1

RedhatCVE
added 2025/12/07 3:37 a.m., 11 views

CVE-2025-11263

The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS: 6.1, AI score: 5.6, EPSS: 0.00172
Exploits: 0, References: 1

CVE
added 2025/12/06 5:49 a.m., 15 views

CVE-2025-13137

CVE-2025-13137 – Live Sales Notification for Woocommerce – Woomotiv: Reflected XSS via the woocomotiv_limit parameter affecting the WordPress plugin up to version 3.6.3. The vulnerability arises from insufficient input sanitization and output escaping, permitting unauthenticated attackers to inj...

CVSS: 6.1, AI score: 5.3, EPSS: 0.00168
Exploits: 0, References: 2

Vulnrichment
added 2025/12/06 5:49 a.m., 4 views

CVE-2025-13626 myLCO <= 0.8.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS: 6.1, AI score: 5.3, EPSS: 0.00215
Exploits: 0, References: 4

NVD
added 2025/12/06 4:15 a.m., 3 views

CVE-2025-11263

The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS: 6.1, EPSS: 0.00172
Exploits: 0, References: 2

CVE
added 2025/12/06 3:27 a.m., 14 views

CVE-2025-11263

CVE-2025-11263 is a reflected Cross-Site Scripting vulnerability in the WordPress plugin Link Whisper Free (versions up to and including 0.8.8). The issue arises from insufficient input sanitization and output escaping in the type parameter, allowing unauthenticated attackers to inject scripts in...

CVSS: 6.1, AI score: 5.3, EPSS: 0.00172
Exploits: 0, References: 2

EUVD
added 2025/12/05 5:31 a.m., 2 views

EUVD-2025-201373

The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS: 6.1, AI score: 5.2, EPSS: 0.00211
Exploits: 0, References: 5

CVE
added 2025/12/05 5:31 a.m., 18 views

CVE-2025-13512

CVE-2025-13512: CoSign Single Signon (WordPress plugin)

CVSS: 6.1, AI score: 5.3, EPSS: 0.00204
Exploits: 0, References: 3

Tenable Nessus
added 2025/12/04 12:0 a.m., 4 views

GFI KerioControl < 9.4.5 HTTP Response Splitting

GFI KerioControl versions prior to 9.4.5 are affected by an HTTP Response Splitting vulnerability. Because a GET parameter used to generate the Location HTTP header in a 302 HTTP response is not properly sanitized, an attacker can exploit this vulnerability to perform an Open Redirect or HTTP Response...

CVSS: 8.8, AI score: 6.3, EPSS: 0.27297
Exploits: 1, References: 2

Packet Storm
added 2025/12/04 12:0 a.m., 147 views

MaNGOSWebV4 4.0.6 Cross Site Scripting

MaNGOSWebV4 version 4.0.6 suffers from a cross site scripting vulnerability. Exploit Title: MaNGOSWebV4 4.0.6 - Reflected XSS Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/paintballrefjosh/MaNGOSWebV4 Software Link: https://github.com/paintballrefjosh/MaNGOSWebV4...

CVSS: 6.1, AI score: 6.4, EPSS: 0.02574
Exploits: 6

Exploit DB
added 2025/12/03 12:0 a.m., 159 views

MaNGOSWebV4 4.0.6 - Reflected XSS

Exploit Title: MaNGOSWebV4 4.0.6 - Reflected XSS Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/paintballrefjosh/MaNGOSWebV4 Software Link: https://github.com/paintballrefjosh/MaNGOSWebV4 Version: 4.0.6 Tested on: Ubuntu Windows CVE : CVE-2017-6478 PoC: // Access...

CVSS: 6.1, AI score: 7, EPSS: 0.02574
Exploits: 6

CVE
added 2025/11/27 5:31 a.m., 18 views

CVE-2025-13525

CVE-2025-13525 concerns the WordPress plugin WP Directory Kit. The connected documents confirm a Reflected Cross-Site Scripting vulnerability via the order_by parameter in all versions up to and including 1.4.5, caused by insufficient input sanitization and output escaping. The exposure can enabl...

CVSS: 6.1, AI score: 5.3, EPSS: 0.00215
Exploits: 0, References: 5