CVE-2019-7197

A stored cross-site scripting XSS vulnerability has been reported to affect multiple versions of QTS. If exploited, this vulnerability may allow an attacker to inject and execute scripts on the administrator console. To fix this vulnerability, QNAP recommend updating QTS to the latest version...

CVE-2019-16307

A Reflected Cross-Site Scripting XSS vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter webExMeetingLogin.jsp and meetingKey...

CVE-2019-16688

Dolibarr 9.0.5 has stored XSS in an Email Template section to mailstemplates.php. A user with no privileges can inject script to attack the admin. This stored XSS can affect all types of user privilege from Admin to users with no permissions...

CVE-2019-16958

Cross-site Scripting XSS vulnerability in SolarWinds Web Help Desk 12.7.0 allows attacker to inject arbitrary web script or HTML via Location Name...

CVE-2019-16182

A reflected cross-site scripting XSS vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files...

CVE-2019-16685

Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation...

CVE-2019-12581

A reflective Cross-site scripting XSS vulnerability in the freetimefailed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the errmsg parameter...

CVE-2025-15058 Responsive Pricing Table <= 5.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'table_currency'

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tablecurrency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-14453

CVE-2025-14453 affects the My Album Gallery WordPress plugin. A stored XSS exists via the style_css shortcode attribute in all versions up to 1.0.4 due to insufficient input sanitization and output escaping. Exploitation requires authenticated access (Contributor level or higher) and affects page...

CVE-2025-13849 Cool YT Player <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

CVE-2025-14028

CVE-2025-14028 affects Contact Us Simple Form (WordPress) plugins

CVE-2025-14127 Testimonial Master <= 0.2.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2025-1665

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 3.11.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-2117

The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Path Widget in all versions up to, and including, 3.20.2 due to insufficient output escaping on user supplied attributes. This makes it possible for...

CVE-2024-2254

The RT Easy Builder – Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

CVE-2024-2830

The WordPress Tag and Category Manager – AI Autotagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sttagcloud' shortcode in all versions up to, and including, 3.13.0 due to insufficient input sanitization and output escaping on user supplied attributes. Thi...

CVE-2025-13519

CVE-2025-13519 involves the SVG Map Plugin for WordPress. The vulnerability is a CSRF issue (CSRF to Settings Update) and Stored XSS in the SVG Map Plugin

WordPress SVG Map Plugin plugin <= 1.0.0 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting vulnerability discovered by dayea song - Ahnlab in WordPress Plugin SVG Map Plugin versions = 1.0.0...

CVE-2025-14835 WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2025-14891 Customer Reviews for WooCommerce <= 5.93.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via displayName Parameter

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...