1126528 matches found

Nuclei
added 2 days ago, 10 views

Login Configurator <=2.1 - Cross-Site Scripting

Login Configurator WordPress plugin <= 2.1 contains a reflected cross-site scripting vulnerability caused by improper escaping of a URL parameter before outputting it to the page, letting attackers execute scripts in the context of site administrators. Exploitation requires the victim to visit a malicious URL. id:...

CVSS: 6.1 | AI score: 6.6 | EPSS: 0.04871
Exploits: 3 | References: 3

Nuclei
added 2 days ago, 44 views

wpForo Forum <= 2.1.8 - Cross-Site Scripting

The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforodebug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS: 6.1 | AI score: 7.1 | EPSS: 0.15248
Exploits: 1 | References: 4

Nuclei
added 2 days ago, 28 views

kkFileView 4.1.0 - Cross-Site Scripting

kkFileView 4.1.0 contains multiple cross-site scripting vulnerabilities via the urls and currentUrl parameters at /controller/OnlinePreviewController.java. id: CVE-2022-35151 info: name: kkFileView 4.1.0 - Cross-Site Scripting author: arafatansari severity: medium description: | kkFileView 4.1.0...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.04409
Exploits: 1 | References: 5

Nuclei
added 2 days ago, 23 views

WordPress Plugin MapPress <2.73.4 - Cross-Site Scripting

WordPress Plugin MapPress before version 2.73.4 does not sanitize and escape the 'mapid' parameter before outputting it back in the "Bad mapid" error message, leading to reflected cross-site scripting. id: CVE-2022-0208 info: name: WordPress Plugin MapPress <2.73.4 - Cross-Site Scripting author:...

CVSS: 6.1 | AI score: 6.2 | EPSS: 0.04312
Exploits: 2 | References: 4

Nuclei
added 2 days ago, 21 views

Wavlink WN-535G3 - Cross-Site Scripting

Wavlink WN-535G3 contains a POST cross-site scripting vulnerability via the hostname parameter at /cgi-bin/login.cgi. id: CVE-2022-30489 info: name: Wavlink WN-535G3 - Cross-Site Scripting author: For3stCo1d severity: medium description: | Wavlink WN-535G3 contains a POST cross-site scripting...

CVSS: 6.1 | AI score: 6.5 | EPSS: 0.28752
Exploits: 1 | References: 5

Nuclei
added 2 days ago, 24 views

WordPress Events Calendar <1.4.5 - Cross-Site Scripting

WordPress Events Calendar plugin before 1.4.5 contains multiple cross-site scripting vulnerabilities. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the...

CVSS: 6.1 | AI score: 6.2 | EPSS: 0.04142
Exploits: 2 | References: 2

Nuclei
added 2 days ago, 34 views

ManageEngine ADSelfService Plus <6121 - Stored Cross-Site Scripting

ManageEngine ADSelfService Plus before 6121 contains a stored cross-site scripting vulnerability via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screens. id: CVE-2022-24681 info: name: ManageEngine ADSelfService Plus <6121 - Stored Cross-Site...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.21398
Exploits: 1 | References: 5

Nuclei
added 2 days ago, 17 views

WordPress Under Construction <1.19 - Cross-Site Scripting

WordPress Under Construction plugin before 1.19 contains a cross-site scripting vulnerability. The plugin echoes out the raw value of $GLOBALS['PHP_SELF'] in the ucOptions.php file on certain configurations, including Apache+modPHP. id: CVE-2021-39320 info: name: WordPress Under Construction <1.19 -...

CVSS: 6.1 | AI score: 6 | EPSS: 0.19664
Exploits: 1 | References: 5

Nuclei
added 2 days ago, 23 views

Sidekiq <=6.2.0 - Cross-Site Scripting

Sidekiq through 5.1.3 and 6.x through 6.2.0 contains a cross-site scripting vulnerability via the queue name of the live-poll feature when Internet Explorer is used. id: CVE-2021-30151 info: name: Sidekiq <=6.2.0 - Cross-Site Scripting author: DhiyaneshDk severity: medium description: Sidekiq...

CVSS: 6.1 | AI score: 6 | EPSS: 0.139
Exploits: 1 | References: 5

Nuclei
added 2 days ago, 30 views

Cacti - Cross-Site Scripting

Cacti contains a cross-site scripting vulnerability via "http:///authchangepassword.php?ref=alert1" which can successfully execute the JavaScript payload present in the "ref" URL parameter. id: CVE-2021-26247 info: name: Cacti - Cross-Site Scripting author: dhiyaneshDK severity: medium descriptio...

CVSS: 6.1 | AI score: 6.2 | EPSS: 0.21043
Exploits: 0 | References: 4

Nuclei
added 2 days ago, 21 views

WordPress Simple Giveaways <2.36.2 - Cross-Site Scripting

WordPress Simple Giveaways plugin before 2.36.2 contains a cross-site scripting vulnerability via the method and share GET parameters of the Giveaway pages, which are not sanitized, validated, or escaped before being output back in the pages. id: CVE-2021-24298 info: name: WordPress Simple...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.13939
Exploits: 2 | References: 5

Nuclei
added 2 days ago, 16 views

Cloudron 6.2 Cross-Site Scripting

In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site scripting. id: CVE-2021-40868 info: name: Cloudron 6.2 Cross-Site Scripting author: daffainfo severity: medium description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.26974
Exploits: 3 | References: 5

Nuclei
added 2 days ago, 19 views

Erxes <0.23.0 - Cross-Site Scripting

Erxes before 0.23.0 contains a cross-site scripting vulnerability. The value of topicID parameter is not escaped and is triggered in the enclosing script tag. id: CVE-2021-32853 info: name: Erxes <0.23.0 - Cross-Site Scripting author: dwisiswant0 severity: critical description: Erxes before 0.23.0...

CVSS: 9.6 | AI score: 6.6 | EPSS: 0.84524
Exploits: 1 | References: 4

Nuclei
added 2 days ago, 37 views

Advantech R-SeeNet - Cross-Site Scripting

Advantech R-SeeNet is vulnerable to cross-site scripting via the devicegraphpage.php script via the is2sim parameter. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. id: CVE-2021-21803 info: name: Advantech R-SeeNet - Cross-Site...

CVSS: 9.6 | AI score: 7.2 | EPSS: 0.70885
Exploits: 1 | References: 4

Nuclei
added 2 days ago, 48 views

Adminer <=4.8.0 - Cross-Site Scripting

Adminer 4.6.1 to 4.8.0 contains a cross-site scripting vulnerability which affects users of MySQL, MariaDB, PgSQL, and SQLite in browsers without CSP when Adminer uses a pdo extension to communicate with the database (it is used if the native extensions are not enabled). id: CVE-2021-29625 info:...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.29507
Exploits: 1 | References: 5

Nuclei
added 2 days ago, 21 views

SIS Informatik REWE GO SP17 <7.7 - Cross-Site Scripting

SIS Informatik REWE GO SP17 before 7.7 contains a cross-site scripting vulnerability via rewe/prod/web/index.php (affected parameters are config, version, win, db, pwd, and user) and /rewe/prod/web/rewegocheck.php (version and all other parameters). id: CVE-2021-31537 info: name: SIS Informatik REWE ...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.88161
Exploits: 3 | References: 5

Nuclei
added 2 days ago, 11 views

WordPress Quiz and Survey Master <7.1.14 - Cross-Site Scripting

WordPress Quiz and Survey Master plugin prior to 7.1.14 contains a cross-site scripting vulnerability which allows a remote attacker to inject arbitrary script via unspecified vectors. id: CVE-2021-20792 info: name: WordPress Quiz and Survey Master <7.1.14 - Cross-Site Scripting author: dhiyaneshD...

CVSS: 6.1 | AI score: 6.3 | EPSS: 0.17358
Exploits: 1 | References: 5

Nuclei
added 2 days ago, 20 views

Visual CSS Style Editor < 7.5.4 - Cross-Site Scripting

The plugin does not sanitise and escape the wyppagetype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. id: CVE-2021-24934 info: name: Visual CSS Style Editor < 7.5.4 - Cross-Site Scripting author: Splint3r7 severity: medium description: | The...

CVSS: 6.1 | AI score: 6.3 | EPSS: 0.03752
Exploits: 2 | References: 2

Nuclei
added 2 days ago, 22 views

WordPress MF Gig Calendar <=1.1 - Cross-Site Scripting

WordPress MF Gig Calendar plugin 1.1 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize or escape the id GET parameter before outputting back in the admin dashboard when editing an event. id: CVE-2021-24510 info: name: WordPress MF Gig Calendar =1.2 which...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.21147
Exploits: 1 | References: 4

Nuclei
added 2 days ago, 18 views

Opensis-Classic 8.0 - Cross-Site Scripting

Opensis-Classic Version 8.0 is affected by cross-site scripting. An unauthenticated user can inject and execute JavaScript code through the linkurl parameter in Ajaxurlencode.php. id: CVE-2021-40542 info: name: Opensis-Classic 8.0 - Cross-Site Scripting author: alph4byt3 severity: medium...

CVSS: 6.1 | AI score: 6 | EPSS: 0.25259
Exploits: 1 | References: 4