Cross-site Scripting (XSS)

Overview jsondiffpatch is a JSON diff & patch object and array diff, text diff, multiple output formats Affected versions of this package are vulnerable to Cross-site Scripting XSS via the annotated formatter due to improper sanitization of JSON values and property names. If an application compar...

CVE-2026-3355 Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch'

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, 5.101.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

CVE-2025-13535

The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. T...

CVE-2026-33739

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages Host, Storage, Group, Image, Printer, Snapin are vulnerable to Stored Cross-Site Scripting XSS, due to insufficient server-side parameter...

CVE-2026-0969

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0...

CVE-2022-0817

The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users...

CVE-2024-41587

Stored XSS, by authenticated users, is caused by poor sanitization of the Login Page Greeting message in DrayTek Vigor310 devices through 4.3.2.6...

CVE-2025-9163 Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzezpropertyimgupload and houzezpropertyattachmentupload functions. This makes it possib...

PT-2025-32620 · WordPress · Wp Chart Generator

Name of the Vulnerable Software and Affected Versions: Wp chart generator versions up to and including 1.0.4 Description: The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the plugin’s wpchart shortcode due to insufficient input sanitization and outp...

CVE-2025-3745 WP Lightbox 2 < 3.0.6.8 - Unauthenticated Stored XSS

The WP Lightbox 2 WordPress plugin before 3.0.6.8 does not correctly sanitize the value of the title attribute of links before using them, which may allow malicious users to conduct XSS attacks...

CVE-2024-4486

The Awesome Contact Form7 for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'AEP Contact Form 7' widget in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

CVE-2021-28247

CA eHealth Performance Manager through 6.3.2.12 is affected by Cross Site Scripting XSS. The impact is: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and perform a Reflected Cross-Site Scripting attack against the...

CVE-2024-2643 My Sticky Bar < 2.6.8 - Admin+ Stored XSS

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.6.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the...

CVE-2024-41587

Stored XSS, by authenticated users, is caused by poor sanitization of the Login Page Greeting message in DrayTek Vigor310 devices through 4.3.2.6...

CVE-2024-41583

DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to stored Cross Site Scripting XSS by authenticated users due to poor sanitization of the router name...

CVE-2024-41587

CVE-2024-41587 affects DrayTek Vigor310 devices (through firmware 4.3.2.6) with a stored XSS in the login page greeting introduced by poor sanitization. Authenticated users can inject script via the Greeting message, with impact limited to the affected web UI context (confidentiality/integrity im...

CVE-2024-41583

DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to stored Cross Site Scripting XSS by authenticated users due to poor sanitization of the router name...

CVE-2024-41587

Stored XSS, by authenticated users, is caused by poor sanitization of the Login Page Greeting message in DrayTek Vigor310 devices through 4.3.2.6...

CVE-2024-41583

DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to stored Cross Site Scripting XSS by authenticated users due to poor sanitization of the router name...

CVE-2024-41583

CVE-2024-41583 affects DrayTek Vigor3910 devices up to firmware 4.3.2.6, enabling stored XSS by authenticated users due to poor sanitization of the router name. Impact is limited to web UI context with MEDIUM severity (CVSS 3.1: 4.7). Red Hat and NVD corroborate the issue; NCSC notes vendors have...