CVE-2025-66474

XWiki Rendering is a generic rendering system that converts textual input in a given syntax wiki syntax, HTML, etc into another syntax XHTML, etc. Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against /html injection, which...

EUVD-2025-199794

The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

Cross-site Scripting (XSS)

Overview getformwork/formwork is an a file-based Content Management System CMS to make and manage simple sites. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the blog tag field. An attacker can execute arbitrary scripts in the context of another user's browser...

CVE-2025-12660

The Padlet Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'key' parameter in the 'wallwisher' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

Cross-site Scripting (XSS)

Overview ph7software/ph7builder is a pH7Builder. Social Dating Web App Site Builder Affected versions of this package are vulnerable to Cross-site Scripting XSS via the message content field in the application's messaging system. An attacker can execute arbitrary scripts in the context of another...

CVE-2025-11874

The Slippy Slider – Responsive Touch Navigation Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'slippy-slider' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. Thi...

CVE-2025-11863

The My Geo Posts Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mygeocity' shortcode in all versions up to, and including, 1.2. This is due to the plugin not properly sanitizing user input or escaping output of the 'default' shortcode attribute. This makes it...

EUVD-2025-60946

The Share to Google Classroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sharetogoogle shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

EUVD-2025-60960

The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter of the 'geopost' shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-12663

CVE-2025-12663 (Jeba Cute forkit WordPress plugin) is a Stored Cross-Site Scripting vulnerability in the jeba_forkit shortcode. The issue stems from insufficient input sanitization and output escaping of the text attribute, affecting all versions up to 1.0. Exploitation requires authenticated acc...

Cross-site Scripting (XSS)

Snipe-IT is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of user-supplied input, which allows an attacker to inject and execute arbitrary web scripts in the context of a victim’s browser...

EUVD-2025-37405

The Inactive Logout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inaredirectpageindividualuser' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-63885

A stored cross-site scripting XSS vulnerability in AIxBlock commit 04f305 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the modeldesc field...

CVE-2025-11866

The Photographers galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes w, h, rawcss, look, etc. in all versions up to, and including, 1.1.8. This is due to the plugin not properly sanitizing user input or escaping output when inserting thes...

Mediawiki - AdvancedSearch Extension Cross-Site Scripting Vulnerability

Mediawiki - AdvancedSearch Extension is an extension plugin for MediaWiki that enhances the search functionality, often used in conjunction with CirrusSearch and Elastica, to significantly improve search efficiency and accuracy. A cross-site scripting vulnerability exists in MediaWiki -...

EUVD-2025-34741

ChatLuck contains a cross-site scripting vulnerability in Chat Rooms. If exploited, an arbitrary script may be executed on the web browser of the user who is accessing the product...

CVE-2025-10194

The Shortcode Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-7652

The Easy Plugin Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eps' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Commerce Product Comparison Table widget when user-supplied input is injected into the Name text field of a Commerce Product. An attacker can execute arbitrary web scripts in the context of the user's...

EUVD-2021-24787

Malware in sbrugna...