CVE-2025-13732

The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitizatio...

CVE-2026-25596

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting XSS vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any...

WordPress plugin Slimstat Analytics 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

HCL Digital Experience 安全漏洞

HCL Digital Experience is a digital experience platform and content delivery solution provided by the Indian company HCL. HCL Digital Experience has a security vulnerability; this vulnerability stems from the management user interface being vulnerable to storage-based cross-site scripting attacks...

CVE-2026-23606

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtRuleName parameter to...

CVE-2026-23609

GFI MailEssentials AI (versions prior to 22.4) contains a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page. An authenticated user can submit HTML/JavaScript to ctl00$ContentPlaceHolder1$pv3$txtDescription on /MailEssentials/pages/MailSecurity/PerimeterSMT...

CVE-2019-25408

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the netmaskaddr parameter. Attackers can send POST requests to the netwizard2 endpoint with script payloads in the netmaskaddr...

CVE-2019-25418 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via fwgroups

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the FWADDRESSES parameter. Attackers can send POST requests to the /korugan/fwgroups endpoint with script payloads to execute arbitra...

CVE-2025-15562 Reflected Cross-Site Scripting in NesterSoft WorkTime

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker...

PT-2026-20810

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the backup schedule interface. Attackers can send POST requests to the backupschedule endpoint with JavaScript code in the BACKUP...

PT-2026-20751

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WpEstate Wpresidence Core wpresidence-core allows Stored XSS.This issue affects Wpresidence Core: from n/a through = 5.4.0...

PT-2026-20897

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4 Description GFI MailEssentials AI versions before 22.4 are affected by a stored cross-site scripting issue. An authenticated user can inject HTML or JavaScript code into the...

SPIP 安全漏洞

SPIP is an open-source software developed by SPIP for creating Internet websites. Versions of SPIP prior to 4.4.8 contained a security vulnerability caused by insufficient cleanup of the echapperhtmlsuspect function, which could lead to stored-xss attacks...

CVE-2026-25596

InvoicePlane 1.7.0 is affected by a Stored XSS vulnerability in the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. The issue is mitigated in version 1.7.1 ...

CVE-2026-27176 MajorDoMo Reflected Cross-Site Scripting in command.php

MajorDoMo aka Major Domestic Module contains a reflected cross-site scripting XSS vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars, both in an input field value attribute and in a paragraph element. An attacker can...

CVE-2025-13727

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

CVE-2025-11185

CVE-2025-11185 concerns the WordPress plugin “Complianz – GDPR/CCPA Cookie Consent”. The vulnerability is a Stored Cross-Site Scripting (Stored XSS) via the plugin’s cmplz-accept-link shortcode, arising from insufficient input sanitization and output escaping on user-supplied attributes. It affec...

CVE-2025-12037

The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2019-25369

OPNsense 19.1 contains a stored cross-site scripting vulnerability in the systemadvancedsysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. Attackers can submit POST requests with script payloads that are stored and executed in the context o...

CVE-2026-1903

CVE-2026-1903 (Reserved entry) has concrete detail in connected document: WordPress plugin Ravelry Designs Widget <= 1.0.0 is affected by an Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability via the sb_ravelry_designs shortcode layout attribute. Impact: stored XSS could be...