15 matches found

Snyk
added 2026/05/05 9:36 p.m. · 6 views

Cross-site Scripting (XSS)

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the admin/pages/ endpoint due to insufficient sanitization of user-supplied input in the detectXss function. An...

CVSS 8.9 · AI score 6.3 · EPSS 0.00043
Exploits 1 · References 2
CVE
added 2026/01/14 5:28 a.m. · 11 views

CVE-2025-15378

CVE-2025-15378 concerns the WordPress AJS Footnotes plugin, where versions up to 1.0 are vulnerable to a stored XSS due to missing authorization/nonce verification on settings save and insufficient input sanitization/output escaping on two parameters: note_list_class and popup_display_effect_in. ...

CVSS 7.2 · AI score 4.9 · EPSS 0.00061
Exploits 0 · References 2
Cvelist
added 2025/12/23 9:20 a.m. · 19 views

CVE-2025-14548 Calendar <= 1.3.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'event_desc'

The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access a...

CVSS 6.4 · EPSS 0.00037
Exploits 0 · References 4
Vulnrichment
added 2025/12/18 10:08 p.m. · 1 view

CVE-2025-68385 Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega, bypassing a previous Vega XSS mitigation...

CVSS 7.2 · AI score 5 · EPSS 0.00025
Exploits 0 · References 1
EUVD
added 2025/12/17 9:30 p.m. · 2 views

EUVD-2025-203924

The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. Th...

CVSS 6.4 · AI score 5 · EPSS 0.00037
Exploits 0 · References 5
CVE
added 2025/11/21 7:31 a.m. · 11 views

CVE-2025-11885

CVE-2025-11885: WordPress EchBay Admin Security plugin suffers a Reflected XSS via the _ebnonce parameter in versions up to 1.3.0 due to insufficient input sanitization and output escaping. Unauthenticated attackers could entice a user to perform an action (e.g., click a link) and have arbitrary...

CVSS 6.1 · AI score 5.3 · EPSS 0.00106
Exploits 0 · References 2
RedhatCVE
added 2025/11/12 3:47 a.m. · 4 views

CVE-2025-12590

The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1. This is due to missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. This makes it...

CVSS 6.1 · AI score 4.8 · EPSS 0.00016
Exploits 0 · References 1
CNNVD
added 2025/11/11 12:00 a.m. · 2 views

WordPress plugin YSlider Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site...

CVSS 6.1 · AI score 5.9 · EPSS 0.00016
Exploits 0 · References 3
Positive Technologies
added 2025/08/16 12:00 a.m. · 4 views

PT-2025-33529 · WordPress · Earnware Connect

Name of the Vulnerable Software and Affected Versions: Earnware Connect versions prior to 1.0.74
Description: The Earnware Connect plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew hasrole shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 5.7 · EPSS 0.00057
Exploits 0 · References 6
OSV
added 2025/02/20 10:15 a.m. · 1 view

CVE-2024-13802

The Bandsintown Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bandsintownevents' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for...

CVSS 5.4 · AI score 5.9
Exploits 0 · References 2
Vulnrichment
added 2025/01/25 7:24 a.m. · 4 views

CVE-2024-12816 NOTICE BOARD BY TOWKIR <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The NOTICE BOARD BY TOWKIR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'notice-board' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for...

CVSS 6.4 · AI score 6.2 · EPSS 0.00265
Exploits 0 · References 3
Vulnrichment
added 2024/11/20 11:03 a.m. · 9 views

CVE-2024-10872 Getwid – Gutenberg Blocks <= 2.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template-post-custom-field block in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

CVSS 6.4 · AI score 5.8 · EPSS 0.00233
Exploits 0 · References 3
CNNVD
added 2024/06/11 12:00 a.m. · 2 views

WordPress plugin ShopLentor security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

CVSS 6.4 · AI score 5.8 · EPSS 0.0036
Exploits 0 · References 5
OSV
added 2024/03/13 4:15 p.m. · 1 view

CVE-2024-1234

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor acce...

CVSS 5.4 · AI score 5.9 · EPSS 0.10589
Exploits 11 · References 2
RedHat Linux
added 2017/12/13 5:57 p.m. · 1 view

eap: HTTP header injection / response splitting

It was reported that EAP 7 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value...

CVSS 6.1 · AI score 6.6 · EPSS 0.01476
Exploits 0 · References 4