947 matches found

RedhatCVE
added 2025/12/16 6:56 a.m., 15 views

CVE-2025-13355

The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS: 7.1, AI score: 6.1, EPSS: 0.00145
Exploits: 0, References: 1
GithubExploit
added 2025/12/15 7:50 p.m., 132 views

xss-demo

This repo presents the various types of Cross Site Scripting XS...

AI score: 5.9
Exploits: 0
RedhatCVE
added 2025/12/14 6:2 a.m., 11 views

CVE-2025-9116

The WPS Visitor Counter WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...

CVSS: 5.8, AI score: 5.9, EPSS: 0.0012
Exploits: 0, References: 1
CVE
added 2025/12/13 6:0 a.m., 16 views

CVE-2025-9116

The CVE-2025-9116 entry concerns the WordPress plugin WPS Visitor Counter Plugin (versions up to 1.4.8). The connected sources confirm a Reflected Cross-Site Scripting flaw where the plugin does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it in an HTML attribute, enabling X...

CVSS: 5.8, AI score: 5.9, EPSS: 0.0012
Exploits: 0, References: 1
EUVD
added 2025/12/13 6:0 a.m., 4 views

EUVD-2025-203238

The WPS Visitor Counter Plugin WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...

CVSS: 5.8, AI score: 5.6, EPSS: 0.0012
Exploits: 0, References: 2
GithubExploit
added 2025/12/12 8:7 a.m., 120 views

vuln_XSS_web

Vulnerable Websites for XSS Testing. These are 4 sample websites, each...

AI score: 6.2
Exploits: 0
OSV
added 2025/12/12 5:16 a.m., 6 views

CVE-2025-65120

Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user...

CVSS: 5.1, AI score: 5.7, EPSS: 0.00168
Exploits: 0, References: 2
Cvelist
added 2025/12/12 5:2 a.m., 25 views

CVE-2025-65120

Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user...

CVSS: 6.1, EPSS: 0.00168
Exploits: 0, References: 2
NVD
added 2025/12/12 4:15 a.m., 7 views

CVE-2025-14137

The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVSS: 6.1, EPSS: 0.00211
Exploits: 0, References: 4
CVE
added 2025/12/12 3:21 a.m., 12 views

CVE-2025-14137

CVE-2025-14137 – WordPress plugin Simple AL Slider: Reflected Cross‑Site Scripting via the PHP_SELF variable, affected versions up to and including 1.2.10. The issue enables unauthenticated attackers to inject scripts on pages that execute user actions. Public details indicate CVSSv3.1 base score...

CVSS: 6.1, AI score: 5.3, EPSS: 0.00211
Exploits: 0, References: 4
RedhatCVE
added 2025/12/10 6:13 p.m., 3 views

CVE-2025-34409

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Failed parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Failed value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an...

CVSS: 6.1, AI score: 5.8, EPSS: 0.00402
Exploits: 0, References: 1
RedhatCVE
added 2025/12/10 6:26 a.m., 16 views

CVE-2025-13071

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS: 7.1, AI score: 6.1, EPSS: 0.00186
Exploits: 0, References: 1
CVE
added 2025/12/10 6:0 a.m., 19 views

CVE-2025-13072

The HandL UTM Grabber / Tracker WordPress plugin (versions prior to 2.8.1) is affected by CVE-2025-13072 due to improper sanitization/escaping of a parameter before it is reflected back on the page, enabling a Reflected XSS that could target high-privilege users such as admins. The issue is confi...

CVSS: 7.1, AI score: 5.7, EPSS: 0.00145
Exploits: 0, References: 1
Positive Technologies
added 2025/12/10 12:0 a.m., 4 views

PT-2025-50306

Name of the Vulnerable Software and Affected Versions: HandL UTM Grabber / Tracker WordPress plugin versions prior to 2.8.1. Description: The HandL UTM Grabber / Tracker WordPress plugin does not properly sanitize and escape a parameter before displaying it, resulting in a Reflected Cross-Site...

CVSS: 7.1, AI score: 5.8, EPSS: 0.00145
Exploits: 0, References: 7
EUVD
added 2025/12/09 6:30 p.m., 2 views

EUVD-2025-202050

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TalentSoft Software UNIS allows Reflected XSS. This issue affects UNIS: before 42957...

CVSS: 5.4, AI score: 6, EPSS: 0.00155
Exploits: 0, References: 2
Cvelist
added 2025/12/09 6:10 p.m., 17 views

CVE-2025-34398 MailEnable < 10.54 Reflected XSS in AddressesBcc Parameter of AddressBook.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesBcc value is not properly sanitized when processed via a GET request and is reflected within a block in the JavaScrip...

CVSS: 5.3, EPSS: 0.00324
Exploits: 0, References: 3
Cvelist
added 2025/12/09 6:9 p.m., 18 views

CVE-2025-34400 MailEnable < 10.54 Reflected XSS in AddressesTo Parameter of AddressBook.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesTo value is not properly sanitized when processed via a GET request and is reflected within a block in the response. B...

CVSS: 5.3, EPSS: 0.00324
Exploits: 0, References: 3
CVE
added 2025/12/09 6:8 p.m., 14 views

CVE-2025-34403

MailEnable < 10.54 contains a reflected XSS in the FieldTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldTo value, processed via GET, is reflected inside a [removed] block in the JavaScript variable fieldTo, enabling attacker-controlled script execution that can redirect users,...

CVSS: 6.1, AI score: 5.4, EPSS: 0.00324
Exploits: 0, References: 3, Affected Software: 1
Cvelist
added 2025/12/09 6:7 p.m., 18 views

CVE-2025-34404 MailEnable < 10.54 Reflected XSS in InstanceScope Parameter of CAL/compose.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a block in the...

CVSS: 5.3, EPSS: 0.00324
Exploits: 0, References: 3
NVD
added 2025/12/09 4:17 p.m., 4 views

CVE-2025-13071

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS: 7.1, EPSS: 0.00186
Exploits: 0, References: 1