CVE-2025-34182 Deciso OPNsense < 25.7.4 /interfaces_ppps_edit.php ptpid Stored XSS

In Deciso OPNsense before 25.7.4, when creating an "Interfaces: Devices: Point-to-Point" entry, the value of the parameter ptpid is not sanitized of HTML-related characters/strings. This value is directly displayed when visiting the page/interfacesassign.php, which can result in stored cross-site...

CVE-2025-20357 Cisco CyberVision Center Reports Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Cyber Vision Center could allow an authenticated, remote attacker to conduct cross-site scripting XSS attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-base...

PT-2025-40279

Name of the Vulnerable Software and Affected Versions Deciso OPNsense versions prior to 25.7.4 Description OPNsense versions prior to 25.7.4 are susceptible to a stored cross-site scripting issue. This occurs when creating a "Interfaces: Devices: Point-to-Point" entry, where the ptpid parameter i...

CVE-2025-8623

The WeedMaps Menu for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's weedmapsmenu shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-6815

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘servicename’ parameter in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-6815 LatePoint <= 5.1.94 - Authenticated (Administrator+) Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘servicename’ parameter in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-9946

CVE-2025-9946 (LockerPress – WordPress Security Plugin) is a CSRF-to-stored-XSS vulnerability affecting LockerPress versions

CVE-2025-8608

CVE-2025-8608 affects Mihdan: Elementor Yandex Maps plugin for WordPress (versions up to 1.6.11). The vulnerability is a Stored XSS via the plugin’s block attributes, caused by insufficient input sanitization and output escaping. An authenticated attacker with contributor-level access or higher c...

CVE-2025-10128 Eulerpool Research Systems <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-8623 WeedMaps Menu for WordPress <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via weedmaps_menu Shortcode

The WeedMaps Menu for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's weedmapsmenu shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-10179

CVE-2025-10179 – My AskAI (WordPress) – Stored XSS . Affected: My AskAI WordPress plugin; vulnerable component is the myaskai shortcode. Root cause: insufficient input sanitization and output escaping on user-supplied attributes. Impact: authenticated attackers with contributor-level access can i...

CVE-2025-8566

Summary (CVE-2025-8566) The GutenBee – Gutenberg Blocks WordPress plugin is vulnerable to Stored Cross-Site Scripting in CountUp and Google Maps blocks. Affected versions are up to 2.18.0 due to insufficient input sanitization and output escaping. Exploitation requires authenticated access at Con...

Mealie 安全漏洞

Mealie is a self-hosted recipe manager and meal planner by an individual developer in Hayden, USA. A security vulnerability exists in Mealie 3.0.1 and prior versions, which stems from the failure to clean and escape user input in the note and text fields in the recipe creation feature, which coul...

CVE-2025-9044

The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and...

CVE-2025-60172

Cross-Site Request Forgery CSRF vulnerability in flytedesk Flytedesk Digital flytedesk-digital allows Stored XSS.This issue affects Flytedesk Digital: from n/a through = 20181101...

CVE-2025-60149

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Rocket Apps Notely notely allows Stored XSS.This issue affects Notely: from n/a through = 1.8.0...

CVE-2025-60173

CVE-2025-60173 : GST for WooCommerce (plugin) has a CSRF flaw that enables Stored XSS in versions up to 2.0. The NVD entry lists a CVSS v3.1 base score of 7.1 (HIGH) with NETWORK attack vector, UI required, and updated as of 2026-01-27. Connected sources corroborate the vendor/plugin (GST for Woo...

CVE-2025-60102

CVE-2025-60102 : Stored Cross-Site Scripting in WPFront User Role Editor for WordPress. Affected software: WPFront User Role Editor, version range up to and including 4.2.3. Root cause and impact: improper neutralization of input during web page generation leading to stored XSS. Public details in...

CVE-2025-10490

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

CVE-2025-9044

The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and...