29 matches found
CVE-2025-9116
The WPS Visitor Counter WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
EUVD-2025-203238
The WPS Visitor Counter Plugin WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
EUVD-2022-35331
Malicious code in bioql PyPI...
EUVD-2025-26496
Malicious code in bioql PyPI...
CVE-2025-9115
The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2025-9115
CVE-2025-9115 affects the Etsy Shop WordPress plugin (versions older than 3.0.7). The issue is caused by not escaping the $_SERVER['REQUEST_URI'] value when outputting it into an attribute, enabling a reflected cross-site scripting (XSS) vulnerability in old browsers. The vulnerability is mitigat...
PT-2025-37295
Name of the Vulnerable Software and Affected Versions: Contact Form 7 reCAPTCHA WordPress plugin versions through 1.2.0. Description: The plugin does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it, potentially leading to Reflected Cross-Site Scripting in older web browsers...
CVE-2025-8113
The Ebook Store WordPress plugin before 5.8015 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2025-8046
The CVE-2025-8046 entry is confirmed with concrete details: Injection Guard WordPress plugin versions prior to 1.2.8 do not escape $_SERVER['REQUEST_URI'] when echoing in an HTML attribute, enabling Reflected XSS in older browsers. Affected software: Injection Guard WordPress plugin
CVE-2022-30119
XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-da...
CVE-2024-9835
The RSS Feed Widget WordPress plugin before 3.0.1 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2024-6018
The Music Request Manager WordPress plugin through 1.3 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
PT-2024-37090 · WordPress · If-So Dynamic Content Personalization
Name of the Vulnerable Software and Affected Versions: If-So Dynamic Content Personalization WordPress plugin versions prior to 1.8.0.4. Description: The issue is related to Reflected Cross-Site Scripting in old web browsers due to the failure to escape the $_SERVER['REQUEST_URI'] parameter before...
PT-2022-27008 · Unknown · Concrete Cms
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 8.5.10; Concrete CMS versions 9.0.0 through 9.1.2. Description: The issue allows a user to cause an administrator to trigger reflected XSS with a URL if the targeted administrator is using an old browser that lack...
CVE-2022-2189
The WP Video Lightbox WordPress plugin before 1.9.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2022-2187
The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
Cross-site Scripting (XSS)
concrete5/concrete5 is vulnerable to cross-site scripting. The vulnerability exists in old browsers with the XSS protection disabled, allowing an attacker to inject and execute malicious JavaScript, as the library does not properly escape malicious inputs by default...
GHSA-M2WW-6WV6-VW3C Cross site scripting in Concrete CMS
XSS in /dashboard/blocks/stacks/viewdetails/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot...