Lucene search
K

2348 matches found

Nuclei
Nuclei
added yesterday58 views

Header Footer Code Manager < 1.1.24 - Cross-Site Scripting

The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. id: CVE-2022-0899 info: name: Header Footer Code Manager 1.1.24 - Cross-Site Scripting author:...

6.1CVSS6.4AI score0.01072EPSS
Exploits2References2
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-41680

A vulnerability was identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 213babdbaa949e94557246414db0130e01394517. This vulnerability affects the function checkForPostRequests of the file application/core/MYController.php of the component Subscribed Emails Admin Page. Such manipulation...

5.3CVSS4.1AI score0.00288EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/29 6:0 a.m.6 views

EUVD-2026-40039

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input e.g. a transient nam...

7.5CVSS6AI score0.00204EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/29 6:0 a.m.8 views

CVE-2026-10083

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input e.g. a transient nam...

6AI score0.00204EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 10:16 p.m.10 views

CVE-2026-50765

A stored cross-site scripting XSS vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...

6.1CVSS0.0022EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/26 12:0 a.m.23 views

CVE-2026-50765

A stored cross-site scripting XSS vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...

0.0022EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/06/26 12:0 a.m.5 views

CVE-2026-50765

A stored cross-site scripting XSS vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...

5.8AI score0.0022EPSS
Exploits1References2
NVD
NVD
added 2026/06/25 10:16 p.m.7 views

CVE-2020-37256

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access...

5.4CVSS0.00167EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/25 9:41 p.m.22 views

CVE-2020-37256 Grav - Cross-Site Scripting in Admin Plugin Page Editor

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access...

5.4CVSS0.00167EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.19 views

PT-2026-52606

Name of the Vulnerable Software and Affected Versions Grav versions prior to 1.6.30 Description A cross-site scripting issue exists in the default security configuration of the Admin plugin page editor. Privileged users with page editing capabilities can inject malicious scripts to execute...

5.4CVSS6AI score0.00167EPSS
Exploits0References6
CVE
CVE
added 2026/06/24 5:33 a.m.16 views

CVE-2026-9643

WP Meta SEO for WordPress insert(). This allows injection of arbitrary scripts that execute when an administrator visits the 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo_broken_link). Exploitation details are not provided beyond the generic flow; no fixes, mitigations, or exploita...

7.2CVSS6AI score0.00241EPSS
Exploits0References6
CVE
CVE
added 2026/06/18 6:50 a.m.28 views

CVE-2026-12137

The CVE concerns the WordPress plugin SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager. It is vulnerable to a Reflected Cross-Site Scripting (XSS) via the tab parameter in all versions up to and including 4.3.6, caused by insufficient input sanitization...

6.1CVSS5.5AI score0.00211EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/17 6:49 a.m.28 views

CVE-2026-8494 Permalink Manager Lite <= 2.5.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00193EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/15 12:0 p.m.9 views

CVE-2016-20084 WordPress appointment-booking-calendar 1.1.24 Privilege Escalation XSS

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScrip...

7.2CVSS5.3AI score0.00245EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/13 12:0 a.m.17 views

PT-2026-49079

Name of the Vulnerable Software and Affected Versions Store Locator WordPress plugin versions prior to 1.6.9 Description Insufficient sanitization and escaping of store logo metadata before it is stored and displayed on the admin page allows high-privileged users, such as administrators, to execu...

3.5CVSS5.4AI score0.00145EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/06/10 8:39 p.m.7 views

CVE-2026-53737 Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads...

6.1CVSS5.5AI score0.00158EPSS
Exploits0References2
CVE
CVE
added 2026/06/10 6:0 a.m.25 views

CVE-2026-9060

CVE-2026-9060 concerns the Store Locator WordPress plugin (before 1.6.6). The vulnerability arises because a setting is not sanitized/escaped before storing and outputting it on the admin page, enabling Stored XSS by high-privilege users (e.g., administrators) even when unfiltered_html is disallo...

3.5CVSS5.5AI score0.00138EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/08 11:15 a.m.13 views

EUVD-2026-35048

A vulnerability was identified in CodeAstro Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/searchstaffforupdation.php. Such manipulation of the argument Name leads to sql injection. The attack may be performed from remote...

6.5CVSS6.5AI score0.00192EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/08 11:15 a.m.11 views

CVE-2026-11509 CodeAstro Leave Management System search_staff_for_updation.php sql injection

A vulnerability was identified in CodeAstro Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/searchstaffforupdation.php. Such manipulation of the argument Name leads to sql injection. The attack may be performed from remote...

6.5CVSS6.5AI score0.00192EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/08 10:30 a.m.7 views

CVE-2026-11506

A vulnerability has been found in CodeAstro Leave Management System 1.0. This impacts an unknown function of the file /admin/searchstafffordeletion.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to t...

6.5CVSS6.4AI score0.002EPSS
Exploits0References6Affected Software1
Rows per page
Query Builder