Lucene search

80 matches found

RedhatCVE
added 2025/05/23 5:41 a.m. · 3 views

CVE-2023-0695

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject...

CVSS 5.4 · AI score 5.3 · EPSS 0.00416
Exploits 0 · References 1

RedhatCVE
added 2025/05/22 9:34 p.m. · 5 views

CVE-2021-43633

Sourcecodester Messaging Web Application 1.0 is vulnerable to stored XSS. If a sender inserts valid scripts into the chat, the script will be executed on the receiver chat...

CVSS 5.4 · AI score 6.6 · EPSS 0.00546
Exploits 0

Vulnrichment
added 2025/03/03 4:3 p.m. · 10 views

CVE-2025-27418 WeGIA contains a Stored Cross-Site Scripting (XSS) in 'adicionar_tipo_atendido.php' via the 'tipo' parameter

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionar_tipo_atendido.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into t...

CVSS 6.4 · AI score 5.1 · EPSS 0.00247
Exploits 1 · References 2

NCSC
added 2025/02/13 6:46 a.m. · 4 views

Vulnerabilities fixed in Adobe Commerce and Magento

Adobe has fixed vulnerabilities in Adobe Commerce and Magento. The vulnerabilities include a Path Traversal, unauthorized actions, information exposition, improper authorization, and several stored XSS vulnerabilities. These vulnerabilities allow attackers to gain unauthorized access, reveal...

CVSS 9.1 · AI score 6.4 · EPSS 0.15857
Exploits 0 · References 1

OSV
added 2025/02/06 6:15 a.m. · 2 views

CVE-2025-0522

The LikeBot WordPress plugin through 0.85 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

CVSS 4.7 · AI score 5.8
Exploits 0 · References 1

RedhatCVE
added 2025/02/05 10:37 p.m. · 11 views

CVE-2022-36098

XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field...

CVSS 9 · AI score 6.7 · EPSS 0.71781
Exploits 1

Positive Technologies
added 2025/01/24 12:0 a.m. · 3 views

PT-2025-3397 · Nodebb · Nodebb

Name of the Vulnerable Software and Affected Versions: NodeBB version 3.11.0 Description: A persistent cross-site scripting (XSS) issue allows remote attackers to store arbitrary code in the 'about me' section of their profile. This enables attackers to execute malicious scripts on the website...

CVSS 4.6 · AI score 6.3 · EPSS 0.25105
Exploits 1 · References 13

Positive Technologies
added 2025/01/16 12:0 a.m. · 2 views

PT-2025-4898 · Isnowfy · My-Related-Posts

Name of the Vulnerable Software and Affected Versions: isnowfy my-related-posts versions n/a through 1.1 Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web applicatio...

CVSS 7.1 · AI score 9 · EPSS 0.00197
Exploits 0 · References 3

Positive Technologies
added 2025/01/15 12:0 a.m. · 3 views

PT-2025-1189

Name of the Vulnerable Software and Affected Versions: MGate 5121/5122/5123 Series firmware version v1.0 Description: A stored Cross-site Scripting (XSS) vulnerability exists due to insufficient sanitization and encoding of user input in the Login Message functionality. An authenticated attacker with...

CVSS 5.2 · AI score 5.8 · EPSS 0.00287
Exploits 0 · References 7

NVD
added 2025/01/14 1:15 a.m. · 15 views

CVE-2025-23032

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionar_escala.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts int...

CVSS 6.4 · EPSS 0.00273
Exploits 1 · References 2

CVE
added 2025/01/13 11:32 p.m. · 57 views

CVE-2025-23032

Summary (CVE-2025-23032, WeGIA): A Stored Cross-Site Scripting (XSS) vulnerability exists in the WeGIA application at the adicionar_escala.php endpoint, where input in the escala parameter is not properly validated or sanitized. The embedded payload is stored on the server and executed in users’...

CVSS 6.4 · AI score 5.2 · EPSS 0.00273
Exploits 1 · References 2 · Affected Software 1

Positive Technologies
added 2024/12/16 12:0 a.m. · 4 views

PT-2024-36215 · Unknown · I Plant A Tree

Name of the Vulnerable Software and Affected Versions: I Plant A Tree versions 1.7.3 and earlier Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, and...

CVSS 7.1 · AI score 6.2 · EPSS 0.00202
Exploits 0 · References 3

Positive Technologies
added 2024/12/02 12:0 a.m. · 2 views

PT-2024-35902 · Advance · Advanced

Name of the Vulnerable Software and Affected Versions: Advanced What should we write next about versions n/a through 1.0.3 Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions o...

CVSS 7.1 · AI score 6.2 · EPSS 0.00149
Exploits 0 · References 4

OSV
added 2024/06/20 5:15 p.m. · 2 views

CVE-2024-37345

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to version 13.06. Attackers can pass a limited-length script to the administrative UI which is then stored where an administrator can access it. The scope is unchanged, there is no...

CVSS 5.4 · AI score 5.7 · EPSS 0.00219
Exploits 0 · References 1

Positive Technologies
added 2024/06/20 12:0 a.m. · 2 views

PT-2024-27488 · Unknown · Absolute Secure Access

Name of the Vulnerable Software and Affected Versions: Absolute Secure Access versions prior to 13.06 Description: There is a cross-site scripting issue in the Secure Access administrative UI. Attackers can pass a limited-length script to the administrative UI, which is then stored where an...

CVSS 5.4 · AI score 6.3 · EPSS 0.00219
Exploits 0 · References 6

OSV
added 2024/05/24 1:15 p.m. · 3 views

CVE-2023-49575

A vulnerability has been discovered in VX Search Enterprise affecting version 10.2.14, in Sync Breeze Enterprise Server 10.4.18 version, and in Disk Pulse Enterprise 10.4.18 version, that could allow an attacker to execute persistent XSS through /setupsmtp in smtpserver, smtpuser, smtppassword an...

CVSS 6.1 · AI score 5.8 · EPSS 0.00254
Exploits 0 · References 1

OSV
added 2024/03/18 6:15 p.m. · 1 views

CVE-2024-26073

Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...

CVSS 5.4 · AI score 5.8 · EPSS 0.00427
Exploits 0 · References 1

OSV
added 2024/01/08 7:15 p.m. · 1 views

CVE-2023-6627

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site...

CVSS 6.1 · AI score 5.8 · EPSS 0.00619
Exploits 2 · References 2

Positive Technologies
added 2023/06/07 12:0 a.m. · 3 views

PT-2023-11845 · WordPress · Elementor Website Builder

Name of the Vulnerable Software and Affected Versions: Elementor Website Builder plugin for WordPress versions up to and including 2.9.7 Description: The issue allows authenticated attackers with the upload files capability to inject arbitrary web scripts in pages via SVG image uploads. This...

CVSS 6.4 · AI score 5.4 · EPSS 0.0048
Exploits 1 · References 4

OSV
added 2023/04/24 6:15 p.m. · 3 views

CVE-2023-27990

The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50W firmware versions 4.16 through 5.35, USG20W-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through...

CVSS 4.8 · AI score 5.8 · EPSS 0.00344
Exploits 0 · References 1