1151 matches found
CVE-2025-9620
CVE-2025-9620 (Seo Monster, WordPress) is a CSRF to Stored XSS vulnerability affecting Seo Monster up to version 3.3.3. The root cause is missing or incorrect nonce validation in check_integration(), enabling unauthenticated attackers to update settings and inject malicious scripts via forged req...
CVE-2025-8318
CVE-2025-8318 affects the WordPress Jobify plugin (versions
CVE-2025-5801 Digital Events Calendar <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via column Parameter
The Digital Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘column’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...
CVE-2025-8686 WP Easy FAQs <= 1.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via WP_EASY_FAQ Shortcode
The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WPEASYFAQ shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-9857
The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'HeateorFacebookLogin' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This make...
Linux Distros Unpatched Vulnerability : CVE-2018-19995
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A stored cross-site scripting XSS vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the address POST ...
GHSA-88G3-PV3W-5WMR Liferay Portal is vulnerable to XSS attacks via its remote app title field
A stored cross-site scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via remot...
CVE-2025-36125
IBM Hardware Management Console - Power 10.3.1050.0 and 11.1.1110.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure...
CVE-2025-9111
The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2025-58868
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Simasicher SimaCookie simasicher-dsgvo-cookie allows Stored XSS.This issue affects SimaCookie: from n/a through = 1.3.2...
CVE-2025-6757
The Recent Posts Widget Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rpwe' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-9126
The Smart Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acces...
CVE-2025-6067 Easy Social Feed – Social Photos Gallery – Post Feed – Like Box <= 6.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-caption and data-linktext parameters in all versions up to, and including, 6.6.7 due to insufficient input sanitization and output escaping. This make...
CVE-2025-58844
Cross-Site Request Forgery CSRF vulnerability in Subhash Kumar Database to Excel database-to-excel allows Stored XSS.This issue affects Database to Excel: from n/a through = 1.0...
CVE-2025-58880
CVE-2025-58880 affects the WordPress plugin Translate This gTranslate Shortcode (versions up to 1.0). The vulnerability is an Stored Cross-Site Scripting (XSS) arising from improper input neutralization during web page generation. The CVE entry notes a MODERATE risk (CVSS v3.1 base score 6.5) wit...
CVE-2025-58869
CVE-2025-58869 is a CSRF vulnerability in the WordPress plugin SimaCookie (Simasicher) that also enables Stored XSS. Affected versions are up to 1.3.2 (from n/a through 1.3.2). The provided documents identify the vulnerability and its CVE record but do not specify a fixed version or available pat...
CVE-2025-58857
CVE-2025-58857 corresponds to a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin “Table of content” (WordPress Table of content, content-table). Public sources in the connected documents indicate the affected versions are
CVE-2025-58793 WordPress WPB Elementor Addons plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPBean WPB Elementor Addons wpb-elementor-addons allows Stored XSS.This issue affects WPB Elementor Addons: from n/a through = 1.7...
CVE-2025-41048
A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'dataAddonlayouts' and 'dataAddonlayoutsexcept' parameters in /apprain/developer/addons/update/admin...
CVE-2025-52546
E3 Site Supervisor Control firmware version 2.31F01 has a floor plan feature that allows for an unauthenticated attacker to upload floor plan files. By uploading a specially crafted floor plan file, an attacker can inject a stored XSS to the floorplan web page...