947 matches found
CVE-2025-41745
CVE-2025-41745 describes an XSS in pxc_portCntr2.php that allows an unauthenticated attacker to trick an authenticated user into sending a manipulated POST to modify web-based management parameters. The vulnerability affects devices exposing the pxc_portCntr2.php page within their web management ...
CVE-2025-13071
CVE-2025-13071 affects the WordPress plugin “Custom Admin Menu” up to version 1.0.0. The issue is a reflected Cross-Site Scripting (XSS) where a parameter is echoed back without proper sanitisation/escaping, enabling an attacker to inject scripts that could run in the context of an admin user’s s...
CVE-2025-13071 Custom Admin Menu <= 1.0.0 - Reflected XSS
The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
EUVD-2025-201813
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to a XSS vulnerability through the ui.interactiveimage component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or...
PT-2025-50146
Name of the Vulnerable Software and Affected Versions MailEnable versions prior to 10.54 Description The software contains a reflected cross-site scripting XSS issue in the Added parameter of the ''/Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx'' endpoint. The Added value is not properly...
CVE-2025-13894
The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-11263
The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-13137
CVE-2025-13137 – Live Sales Notification for Woocommerce – Woomotiv : Reflected XSS via the woocomotiv_limit parameter affecting the WordPress plugin up to version 3.6.3. The vulnerability arises from insufficient input sanitization and output escaping, permitting unauthenticated attackers to inj...
CVE-2025-13626 myLCO <= 0.8.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-11263
The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-11263
CVE-2025-11263 is a reflected Cross-Site Scripting vulnerability in the WordPress plugin Link Whisper Free (versions up to and including 0.8.8). The issue arises from insufficient input sanitization and output escaping in the type parameter, allowing unauthenticated attackers to inject scripts in...
EUVD-2025-201373
The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATHINFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-13512
CVE-2025-13512 : CoSign Single Signon (WordPress plugin)
GFI KerioControl < 9.4.5 HTTP Response Splitting
GFI KerioControl version prior to 9.4.5 is affected by an HTTP Response Splitting vulnerability. Due to a not properly sanitized GET parameter used to generate a Location HTTP header in a 302 HTTP response an attacker can exploit this vulnerability to perform an Open Redirect or HTTP Response...
📄 MaNGOSWebV4 4.0.6 Cross Site Scripting
MaNGOSWebV4 version 4.0.6 suffers from a cross site scripting vulnerability. Exploit Title: MaNGOSWebV4 4.0.6 - Reflected XSS Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/paintballrefjosh/MaNGOSWebV4 Software Link: https://github.com/paintballrefjosh/MaNGOSWebV4...
MaNGOSWebV4 4.0.6 - Reflected XSS
Exploit Title: MaNGOSWebV4 4.0.6 - Reflected XSS Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/paintballrefjosh/MaNGOSWebV4 Software Link: https://github.com/paintballrefjosh/MaNGOSWebV4 Version: 4.0.6 Tested on: Ubuntu Windows CVE : CVE-2017-6478 PoC: // Access...
CVE-2025-13525
CVE-2025-13525 concerns the WordPress plugin WP Directory Kit. The connected documents confirm a Reflected Cross-Site Scripting vulnerability via the order_by parameter in all versions up to and including 1.4.5, caused by insufficient input sanitization and output escaping. The exposure can enabl...
VulnCheck KEV: CVE-2025-6174
The Qwizcards | online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "stylesheet" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or any other user...
EUVD-2025-199738
Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser...
CVE-2025-21621 GeoServer Reflected Cross-Site Scripting (XSS) vulnerability in WMS GetFeatureInfo HTML format
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting XSS vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's...