
19 matches found

NVD
added last week | 6 views

CVE-2026-48822

Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used in the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link. The...

CVSS 5.8 | EPSS 0.0012
Exploits: 0 | References: 2
EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2024-37589

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.00245
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/22 7:22 p.m. | 6 views

CVE-2021-24581

The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited...

CVSS 8.8 | AI score 6.1 | EPSS 0.04106
Exploits: 5 | References: 1
Packet Storm
added 2025/03/10 12:00 a.m. | 218 views

FluxBB 1.5.11 Cross Site Scripting

FluxBB version 1.5.11 suffers from a persistent cross site scripting vulnerability. Exploit Title: FluxBB 1.5.11 Stored xss Date: 3/8/2025 Exploit Author: Chokri Hammedi Vendor Homepage: www.fluxbb.org Software Link: https://www.softaculous.com/apps/forums/FluxBB Version: FluxBB 1.5.11 Tested on:...

AI score 6.6
Exploits: 0
Cvelist
added 2024/06/18 7:49 p.m. | 25 views

CVE-2024-38274 moodle: stored XSS via calendar's event title when deleting the event

Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt...

EPSS 0.00374
Exploits: 0 | References: 3
wpexploit
added 2023/01/24 12:00 a.m. | 427 views

WP Font Awesome < 1.7.9 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. wpfa color='red" onmouseover="alert1"'...

CVSS 5.4 | AI score 5.2 | EPSS 0.00471
Exploits: 2
wpexploit
added 2022/06/13 12:00 a.m. | 114 views

Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. As admin, put the following payload in a field label: The XSS will be triggered when editing the form, as well as in...

CVSS 4.8 | AI score 1.2 | EPSS 0.00493
Exploits: 2
wpexploit
added 2022/06/06 12:00 a.m. | 206 views

NextCellent Gallery <= 1.9.35 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its image settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed, for example in a multisite setup. Create/edit a gallery with at least one image, pu...

CVSS 4.8 | AI score 4.7 | EPSS 0.00493
Exploits: 2
wpexploit
added 2022/05/09 12:00 a.m. | 111 views

Amazon Link <= 3.2.10 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Put the following payload in settings such as the "AWS Public Key": "...

CVSS 4.8 | AI score 0.6 | EPSS 0.00565
Exploits: 2
wpexploit
added 2022/04/26 12:00 a.m. | 101 views

Sliderby10Web < 1.2.52 - Admin+ Stored Cross-Site Scripting

The plugin does not properly sanitize and escape some of its settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Create/edit a slider, put the following payload in the CSS settings and save: The XSS will be...

CVSS 4.8 | AI score 0.8 | EPSS 0.00995
Exploits: 2
wpexploit
added 2022/03/28 12:00 a.m. | 78 views

Page Security & Membership <= 1.5.15 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the "Force Public Pages" settings of the plugin...

CVSS 4.8 | AI score 0.4 | EPSS 0.00577
Exploits: 2
CNNVD
added 2022/02/09 12:00 a.m. | 6 views

Palo Alto Network Cortex XSOAR Cross-Site Scripting Vulnerability

Palo Alto Networks Cortex XSOAR is a Security Orchestration, Automation and Response (SOAR) platform from Palo Alto Networks, USA. A cross-site scripting vulnerability exists in Palo Alto Networks Cortex XSOAR that allows an attacker to store persistent JavaScript exploit code that could lead to t...

CVSS 6.8 | AI score 6.3 | EPSS 0.01711
Exploits: 3 | References: 6
Exploit DB
added 2021/11/12 12:00 a.m. | 368 views

WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)

Exploit Title: WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS) Date: 11/12/2021 Exploit Author: Murat DEMIRCI @butterflyhunt3r Vendor Homepage: https://accesspressthemes.com/ Software Link: https://wordpress.org/plugins/accesspress-social-icons/...

AI score 7.4
Exploits: 0
wpexploit
added 2021/10/13 12:00 a.m. | 495 views

Testimonial Builder < 1.6.0 - Admin+ Stored Cross-Site Scripting

The plugin does not escape some testimonial fields, which could allow high privilege users to perform Cross Site Scripting attacks even when the unfiltered_html capability is disallowed. As admin, create/edit a testimonial and put the following payload in the Testimonial User Name field: "...

CVSS 4.8 | AI score 0.9 | EPSS 0.00654
Exploits: 2 | References: 1
wpexploit
added 2021/10/06 12:00 a.m. | 205 views

Formidable Form Builder < 5.0.07 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create/edit a form, add the following payload to a Field Label: alert/XSS/ The XSS will be triggered when...

CVSS 4.8 | AI score 0.3 | EPSS 0.00654
Exploits: 2 | References: 1
wpexploit
added 2020/08/17 12:00 a.m. | 13 views

Colorbox Lightbox <= 1.1.2 - Authenticated Stored Cross-Site Scripting

The ‘hyperlink’ field used while linking an image from a URL was found to be vulnerable to stored XSS, as they did not sanitize user-given input properly before publishing the post. It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using...

AI score 6.9
Exploits: 0 | References: 3
Exploit DB
added 2019/02/11 12:00 a.m. | 62 views

CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting

Exploit Title: CentOS Web Panel 0.9.8.763 - Stored Cross-Site Scripting Vulnerability Google Dork: N/A Date: 10 - January - 2019 Exploit Author: DKM Vendor Homepage: http://centos-webpanel.com Software Link: http://centos-webpanel.com Version: v0.9.8.763 Tested on: CentOS 7 CVE : CVE-2019-7646...

CVSS 4.8 | AI score 5.2 | EPSS 0.07246
Exploits: 5
0day.today
added 2015/01/11 12:00 a.m. | 18 views

D-Link DSL-2730B Modem - XSS Injection Stored Exploit Lancfg2get.cgi Exploit

Exploit for hardware platform in category web applications Exploit Title: D-Link DSL-2730B Modem lancfg2get.cgi Exploit XSS Injection Stored Date: 11-01-2015 Exploit Author: Mauricio Correa Vendor Homepage: www.dlink.com Hardware version: C1 Version: GE 1.01 Tested on: Windows 8 and Linux...

AI score 7.1
Exploits: 0
0day.today
added 2015/01/11 12:00 a.m. | 28 views

D-Link DSL-2730B Modem - XSS Injection Stored Exploit DnsProxy.cmd Exploit

Exploit for hardware platform in category web applications Exploit Title: D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored Date: 11-01-2015 Exploit Author: Mauricio Correa Vendor Homepage: www.dlink.com Hardware version: C1 Version: GE 1.01 Tested on: Windows 8 and Linux...

AI score 7.1
Exploits: 0