
254 matches found

Vulnrichment
added 2021/09/10 1:32 p.m. | 6 views

CVE-2021-38348 Advance Search <= 1.1.2 Reflected Cross-Site Scripting

The Advance Search WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the wpasid parameter found in the /inc/admin/views/html-advance-search-admin-options.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.2...

CVSS 6.1 | AI score 6.1 | EPSS 0.0021
Exploits: 1 | References: 2

Vulnrichment
added 2021/09/10 1:32 p.m. | 4 views

CVE-2021-38350 spideranalyse <= 0.0.1 Reflected Cross-Site Scripting

The spideranalyse WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the date parameter found in the /analyse/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.1...

CVSS 6.1 | AI score 6.4 | EPSS 0.0021
Exploits: 1 | References: 2

Vulnrichment
added 2021/08/16 6:22 p.m. | 6 views

CVE-2021-34654 Custom Post Type Relations <= 1.0 Reflected Cross-Site Scripting

The Custom Post Type Relations WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the cptrname parameter found in the /pages/admin-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0...

CVSS 6.1 | AI score 6.1 | EPSS 0.0021
Exploits: 1 | References: 2

Cvelist
added 2021/06/14 1:37 p.m. | 12 views

CVE-2021-24349 Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)

This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lac...

AI score 6.2 | EPSS 0.00108
Exploits: 2 | References: 1

Cvelist
added 2021/04/22 9:0 p.m. | 12 views

CVE-2021-24234 Ivory Search < 4.6.1 - Reflected Cross Site Scripting (XSS)

The Search Forms page of the Ivory Search WordPress plugin before 4.6.1 did not properly sanitise the tab parameter before outputting it in the page, leading to a reflected Cross-Site Scripting issue when opening a maliciously crafted link as a high privilege user. Knowledge of a form id is required to...

AI score 6.2 | EPSS 0.00265
Exploits: 2 | References: 3

Cvelist
added 2021/04/05 6:27 p.m. | 15 views

CVE-2021-24208 WP Page Builder < 1.2.4 - Multiple Stored Cross-Site scripting (XSS)

The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets though the custom HTML widget requires sending a crafted request - it appears that this...

AI score 5.6 | EPSS 0.00419
Exploits: 1 | References: 2

Cvelist
added 2021/04/05 6:27 p.m. | 12 views

CVE-2021-24196 Social Slider Widget < 1.8.5 - Authenticated Reflected Cross-Site Scripting (XSS)

The Social Slider Widget WordPress plugin before 1.8.5 allowed Authenticated Reflected XSS in the plugin settings page as the ‘tokenerror’ parameter can be controlled by users and it is directly echoed without being sanitized...

AI score 5.5 | EPSS 0.00363
Exploits: 2 | References: 2

WPVulnDB
added 2020/01/28 12:0 a.m. | 14 views

SAML SP Single Sign On < 4.8.84 - Cross-Site Scripting (XSS) via Crafted SAML XML Response

The SAML Single Sign On – SSO Login WordPress plugin was affected by a Cross-Site Scripting (XSS) via Crafted SAML XML Response security vulnerability...

CVSS 4.3 | AI score 1.9 | EPSS 0.00363
Exploits: 1 | References: 1 | Affected Software: 1

OpenVAS
added 2019/03/28 12:0 a.m. | 36 views

WordPress Live Chat Support Plugin < 8.0.18 XSS Vulnerability

The WordPress plugin SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:3cx:livechat"; if description...

CVSS 6.1 | AI score 6.3 | EPSS 0.00313
Exploits: 1 | References: 2

UbuntuCve
added 2015/08/05 1:59 a.m. | 26 views

CVE-2015-3438

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted...

CVSS 4.3 | AI score 5.9 | EPSS 0.01607
Exploits: 1 | References: 2

NVD
added 2014/07/01 2:55 p.m. | 9 views

CVE-2014-4583

Multiple cross-site scripting (XSS) vulnerabilities in forms/messages.php in the WP-Contact (wp-contact-sidebar-widget) plugin 1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) edit, (2) orderdirection, (3) limitstart, (4) id, or (5) order parameter...

CVSS 4.3 | AI score 5.9 | EPSS 0.00174
Exploits: 1 | References: 1

Cvelist
added 2014/06/20 2:0 p.m. | 17 views

CVE-2012-2580

Cross-site scripting (XSS) vulnerability in the Postie plugin 1.4.3, and possibly before 1.5.15, for WordPress allows remote attackers to inject arbitrary web script or HTML via the From field of an email...

AI score 5.9 | EPSS 0.01613
Exploits: 1 | References: 5

NVD
added 2014/03/28 3:55 p.m. | 12 views

CVE-2013-2695

Cross-site scripting (XSS) vulnerability in invite.php in the WP Symposium plugin before 13.04 for WordPress allows remote attackers to inject arbitrary web script or HTML via the u parameter...

CVSS 4.3 | AI score 5.8 | EPSS 0.00357
Exploits: 0 | References: 2

NVD
added 2008/02/06 12:0 p.m. | 11 views

CVE-2008-0618

Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) gbname, (2) gbemail, (3) gburl, and (4) gbmsg parameters to unspecified programs. NOTE: the provenance of this information i...

CVSS 4.3 | AI score 5.9 | EPSS 0.004
Exploits: 0 | References: 1