247 matches found
CVE-2021-24971
The WP Responsive Menu WordPress plugin before 3.1.7.1 does not have capability and CSRF checks in the wprliveupdate AJAX action, and does not sanitise and escape some of the submitted data. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and perform...
CVE-2010-2088
ASP.NET in Microsoft .NET 3.5 does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks against the form control via the __VIEWSTATE parameter...
CVE-2005-4855
Unrestricted file upload vulnerability in eZ publish 3.5 before 3.5.5, 3.6 before 3.6.2, 3.7 before 3.7.0rc2, and 3.8 before 20050922 does not restrict Image datatype uploads to image content types, which allows remote authenticated users to upload certain types of files, as demonstrated by .js...
CVE-2024-8493
The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...
CVE-2025-1289
The CVE-2025-1289 entry concerns the Plugin Oficial WordPress plugin up to version 1.7.3. The vulnerability is a stored XSS risk caused by insufficient sanitisation/escaping of certain settings, enabling high-privilege users (e.g., admins) to inject XSS even when unfiltered_html is disallowed (no...
CVE-2024-8703 Z-Downloads < 1.11.6 - Unauthenticated Stored XSS
The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs...
CVE-2024-8426
The CVE-2024-8426 entry concerns the Page Builder: Pagelayer WordPress plugin before version 1.8.8, where settings are not properly sanitized/escaped. This can allow high-privilege users (e.g., admins) to perform stored Cross-Site Scripting (XSS) attacks even when unfiltered_html is disallowed, a...
ROS-20250515-07
A vulnerability in the RevertAction.php and ApiFileRevert.php files of MediaWiki (hypertext environment implementation software) is related to incorrect preservation of permissions. Exploitation of the vulnerability could allow a remote...
USN-7436-1: WebKitGTK vulnerabilities
Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and...
CVE-2024-10089 XSS in iKSORIS
Internet Starter, one of the SoftCOM iKSORIS system modules, is vulnerable to Stored Cross-Site Scripting (XSS) attacks. An attacker might trick a user into filling a form designed for changing the user's data with a malicious script, which causes the script to run in the user's context. This vulnerability has...
USN-7395-1: WebKitGTK vulnerabilities
Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and...
Ubuntu 16.04 LTS : Doorkeeper vulnerabilities (USN-7394-1)
The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7394-1 advisory. Jonathan Clem and Justin Bull discovered that Doorkeeper could allow arbitrary token revocation and replay attacks. An attacker could possibly use this...
CVE-2025-0718
CVE-2025-0718 affects the Nested Pages WordPress plugin up to 3.2.12 (the vulnerability is present in versions before 3.2.13). It permits Stored XSS via unsanitised/unescaped configuration settings, potentially abused by users such as contributors, even when unfiltered_html is disallowed. Roo...
Cisco Identity Services Engine Multiple Vulnerabilities (cisco-sa-ise-multi-vuln-DBQdWRy)
According to its self-reported version, Cisco Identity Services Engine is affected by multiple vulnerabilities. - A vulnerability in the web-based management interface of Cisco ISE could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the...
CVE-2024-47947 Stored cross site scripting
Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function...
CVE-2024-5561 Popup Maker < 1.19.1 - Admin+ Stored XSS
The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...
CVE-2024-45176
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper input validation, the C-MOR web interface is vulnerable to reflected cross-site scripting (XSS) attacks. It was found that different functions are prone to reflected cross-site scripting attacks due to...
ROS-20240827-07
A vulnerability in the UnlinkedWikibase extension of MediaWiki (a software tool for implementing hypertext environments) is related to improper neutralization of input during web page generation. Exploitation of the vulnerability could allow a remote attacker to perform cross-site scripting (XSS) attacks...
IBM Datacap Navigator security vulnerability
IBM Datacap Navigator is a web client for Datacap from International Business Machines (IBM). IBM Datacap Navigator suffers from an HTTP header injection vulnerability that originates from an input validation error in the Host header, which can be exploited by an attacker to conduct cross-site...
CVE-2024-3963 RafflePress Lite < 1.12.14 - Editor+ Stored XSS
The Giveaways and Contests by RafflePress WordPress plugin before 1.12.14 does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks...
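Several of the WordPress entries above share the same two root causes: an AJAX settings action with no nonce and no capability check (the CVE-2021-24971 entry), and settings that are stored and printed without sanitising or escaping, so that stored XSS is possible even when the unfiltered_html capability has been removed (the Events Calendar, Pagelayer, Nested Pages and Popup Maker entries). The following is an added example, not code from any of the listed plugins: a hypothetical plugin (prefix `acme_`, option `acme_settings`, AJAX action `acme_update_settings` are all assumed names) showing the vulnerable shape beside a hardened handler that does the four things the advisories say were missing.

```php
<?php
// Added example; the "acme_" prefix, option name and action name are assumptions.

// --- Vulnerable shape, as described in the advisories above ---
// add_action( 'wp_ajax_acme_update_settings', function () {
//     // No nonce check, no capability check: any logged-in user (a subscriber)
//     // can call this, and the raw request array is stored as-is.
//     update_option( 'acme_settings', $_POST['settings'] );
//     wp_send_json_success();
// } );
// ...and later the stored value is printed into admin HTML unescaped:
// echo '<input name="settings[title]" value="' . $settings['title'] . '">';

// --- Hardened handler ---
add_action( 'wp_ajax_acme_update_settings', 'acme_update_settings' );

function acme_update_settings() {
    // 1. CSRF: the request must carry the nonce issued for this action
    //    (dies with a 403 for invalid or missing nonces).
    check_ajax_referer( 'acme_update_settings', 'nonce' );

    // 2. Capability: being logged in is not enough to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // 3. Sanitise on input with a filter that matches each field's type.
    //    For the rich-text field, raw HTML is kept only if the caller actually
    //    holds unfiltered_html; a multisite admin normally does not, so the
    //    value goes through the same kses allow-list core applies to posts.
    $intro = (string) ( $raw['intro'] ?? '' );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $intro = wp_kses_post( $intro );
    }

    $clean = array(
        'title' => sanitize_text_field( $raw['title'] ?? '' ),
        'link'  => esc_url_raw( $raw['link'] ?? '' ),
        'width' => absint( $raw['width'] ?? 0 ),
        'intro' => $intro,
    );

    update_option( 'acme_settings', $clean );
    wp_send_json_success( $clean );
}

// 4. Escape on output, with the function that matches the HTML context the
//    value lands in (attribute, URL, textarea body). Sanitising on save does
//    not replace this step: the two are independent layers.
function acme_render_settings_form() {
    $s = get_option( 'acme_settings', array() );
    ?>
    <form method="post">
        <input type="text" name="settings[title]"
               value="<?php echo esc_attr( $s['title'] ?? '' ); ?>">
        <input type="url" name="settings[link]"
               value="<?php echo esc_url( $s['link'] ?? '' ); ?>">
        <input type="number" name="settings[width]"
               value="<?php echo (int) ( $s['width'] ?? 0 ); ?>">
        <textarea name="settings[intro]"><?php echo esc_textarea( $s['intro'] ?? '' ); ?></textarea>
        <?php wp_nonce_field( 'acme_update_settings', 'nonce' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin against the pattern in these entries, check the AJAX callback for both `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` test, then trace each stored setting to every place it is echoed and confirm an `esc_*` call for that context; a setting that is only sanitised on save but printed raw is still the stored-XSS case the advisories describe.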