Liferay Portal Cross-Site Scripting Vulnerability
Liferay Portal is a J2EE-based portal solution from the US company Liferay. The solution uses technologies such as EJB as well as JMS, and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, and so on. A cross-site scripting vulnerability exis...
WordPress WooCommerce Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in WordPress WooCommerce that stems from insufficient PostMessage data input cleanup and output escaping, which can be exploited by a...
CVE-2025-5062
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated...
CVE-2024-10858
The Jetpack WordPress plugin before 14.1 does not properly check the postMessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource i.e. a locally accessible file or sensitive website, and registering a listener on the web...
CVE-2020-11611
An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage function in xdLocalStorage.js specifies the wildcard as the targetOrigin when calling the postMessage function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages...
CVE-2020-11610
An issue was discovered in xdLocalStorage through 2.0.5. The postData function in xdLocalStoragePostMessageApi.js specifies the wildcard as the targetOrigin when calling the postMessage function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and...
CVE-2020-28707
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross-Site Scripting (XSS) via stockdiocharthistorical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage event is not validated. The stockdioeventer function listens for an...
CVE-2025-5062 WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated...
CVE-2025-5062
The CVE-2025-5062 issue affects the WooCommerce plugin for WordPress, where PostMessage input data on the customize-store page is not properly sanitized or escaped. This allows unauthenticated attackers to inject arbitrary scripts in pages that a user visits if they can entice the user to perform...
WordPress plugin WooCommerce Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in WordPress WooCommerce that stems from insufficient PostMessage data input cleanup and output escaping, which can be exploited by a...
PT-2025-22448 · WordPress · Woocommerce
Name of the Vulnerable Software and Affected Versions: WooCommerce plugin for WordPress versions up to, and including, 9.4.2 Description: The issue is related to PostMessage-Based Cross-Site Scripting via the 'customize-store' page due to insufficient input sanitization and output escaping on...
CVE-2024-55541
Stored cross-site scripting (XSS) vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39169...
PT-2025-1146 · Acronis · Acronis Cyber Protect
Name of the Vulnerable Software and Affected Versions: Acronis Cyber Protect 16 versions prior to build 39169 Description: The issue is related to a stored cross-site scripting (XSS) vulnerability due to missing origin validation in postMessage. This vulnerability can be exploited by a remote...
CVE-2024-10858 Jetpack 13.0-14.0 - Unauthenticated DOM-XSS
The Jetpack WordPress plugin before 14.1 does not properly check the postMessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com...
WordPress plugin Jetpack Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
PT-2024-16597 · WordPress · Jetpack
Name of the Vulnerable Software and Affected Versions: Jetpack WordPress plugin versions prior to 14.1 Description: The issue is related to the Jetpack WordPress plugin not properly checking the postMessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The proble...
Lessons Learned From Exposing Unusual XSS Vulnerabilities
Misunderstood browser APIs are at the core of many web security issues. With the rapid expansion of web APIs, keeping up with security best practices can be challenging. In this post, we'll explore a few common mistakes developers make that lead to modern Cross-Site Scripting (XSS)...