6238 matches found
CVE-2025-53822
WeGIA (open source web manager) is affected by a Reflected XSS in the relatorio_geracao.php endpoint, via the tipo_relatorio parameter, for versions prior to 3.4.5. The underlying issue is lack of proper input filtering/escaping, enabling injection of arbitrary scripts. A fix is available in vers...
CVE-2025-53820 WeGIA vulnerable to Cross-Site Scripting (XSS) Reflected via endpoint 'index.php' parameter 'erro'
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the index.php endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject...
CVE-2025-7380
A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM. The issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is...
CVE-2025-7554 Sapido RB-1802 URL Filtering Page urlfilter.asp cross site scripting
A vulnerability classified as problematic was found in Sapido RB-1802 1.0.32. This vulnerability affects unknown code of the file urlfilter.asp of the component URL Filtering Page. The manipulation of the argument URL address leads to cross site scripting. The attack can be initiated remotely. Th...
Endress+Hauser MEAC300-FNADE4 Cross-Site Scripting Vulnerability (CNVD-2025-16357)
The Endress+Hauser MEAC300-FNADE4 is a cost-effective emissions data management computer from Endress+Hauser Vietnam. The Endress+Hauser MEAC300-FNADE4 suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of user-supplied dat...
CVE-2024-36697
A cross-site scripting (XSS) vulnerability in the Admin Login page of Allworx System Software v9.1.9.12 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SessionID parameter at query.asp...
CVE-2025-52357
FiberHome FD602GW-DX-R410 router (firmware V2.2.14) contains a reflected XSS in the ping diagnostic feature. Authenticated users can inject input in the ping form field, which is not properly sanitized, allowing arbitrary JavaScript execution in the router’s admin/web interface. Impacts include s...
CVE-2025-40720
Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the campo parameter in /FacturaE/VerFacturaPDF...
CVE-2025-6743
The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiplemarkers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
WordPress Easy restaurant menu manager plugin <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `nsc_eprm_menu_link` Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via `nsc_eprm_menu_link` Shortcode vulnerability discovered by Alex Thomas in WordPress Plugin Easy pdf restaurant menu upload versions <= 2.0.1...
CVE-2025-24771
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in OTWthemes Content Manager Light content-manager-light allows Reflected XSS. This issue affects Content Manager Light: from n/a through = 3.2...
CVE-2025-40723
Stored Cross-Site Scripting (XSS) vulnerability in versions prior to Flatboard 3.2.2 of Flatboard Pro, consisting of a stored XSS due to lack of proper validation of user input, through the footertext and announcement parameters in config.php...
CVE-2025-6563
A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the javascript protocol in the dst parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to log in can also...
CVE-2025-31037 WordPress Homey theme <= 2.4.5 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in favethemes Homey homey allows Reflected XSS. This issue affects Homey: from n/a through <= 2.4.5...
WordPress OwnerRez API plugin <= 1.2.1 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin OwnerRez API versions <= 1.2.1...
WordPress Video Gallery Block plugin <= 1.1.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Prissy in WordPress Plugin Video Gallery Block versions <= 1.1.0...
CVE-2025-28957
CVE-2025-28957: Stored XSS in the WordPress plugin OwnerRez (versions up to 1.2.1). Root cause: improper input neutralization during web page generation. Impact as per sources: cross-site scripting with low–moderate confidentiality/integrity/availability impact; CVSSv3.1 base score 6.5. Exploita...
CVE-2025-24764 WordPress (Simply) Guest Author Name plugin <= 4.36 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in A. Jones Simply Guest Author Name allows DOM-Based XSS. This issue affects Simply Guest Author Name: from n/a through 4.36...
CVE-2025-7046
The Portfolio for Elementor & Image Gallery | PowerFolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS Attributes of Plugin's widgets in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possibl...
CVE-2024-9017
The PeepSo Core: Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Group Description field in all versions up to, and including, 6.4.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...