27433 matches found
CVE-2024-3729
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'feaencrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms, which can ...
CVE-2024-10574
The Quiz Maker Business, Developer, and Agency plugins for WordPress are vulnerable to unauthorized modification of data due to a missing capability check on the 'ayssavegooglecredentials' function in all versions up to, and including, 8.8.0 Business, up to, and including, 21.8.0 Developer, and up...
IBM Sterling B2B Integrator Cross-Site Scripting Vulnerability (CNVD-2025-02530)
IBM Sterling B2B Integrator is a suite of software from International Business Machines (IBM) that integrates critical B2B processes, transactions and relationships. The software supports secure integration of complex B2B processes with diverse partner communities. IBM Sterling B2B Integrator suffe...
JFinalOA Security Vulnerability
JFinalOA is an enterprise office system developed on the JFinal framework by rabbit individual developers. A security vulnerability exists in JFinalOA versions prior to v2025.01.01. An attacker exploiting this vulnerability could execute arbitrary web script or HTML via a specially crafted payloa...
CVE-2024-13334 Car Demon <= 1.8.1 - Reflected Cross-Site Scripting
The Car Demon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'searchcondition' parameter in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...
Arcadyan Meteor 2 CPE Security Vulnerability
Arcadyan Meteor 2 CPE is a high-end home integrated access device from China Smart Arcadyan. A security vulnerability exists in the Arcadyan Meteor 2 CPE. An attacker can exploit the vulnerability to execute arbitrary web script or HTML by injecting a specially crafted payload...
CVE-2025-22997
The CVE-2025-22997 entry concerns a stored XSS in Linksys E5600 Router (up to version 1.1.0.26) via the PRF_Table_content component, where a crafted payload in the desc parameter can execute arbitrary scripts. Affected product: Linksys E5600 Router (firmware 1.1.0.26 and earlier). Root cause: lac...
WordPress plugin Hash Elements cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin Hash...
WordPress Plugin Groundhogg Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...
CVE-2024-11328
The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.13.2. This makes it possible for unauthenticated attackers to...
CVE-2024-11686
CVE-2024-11686 details: WhatsApp click to chat WordPress plugin (manycontacts-bar) is vulnerable to Reflected Cross-Site Scripting via the manycontacts_code parameter in all versions up to 3.0.4, due to insufficient input sanitization and output escaping. The issue allows unauthenticated attacker...
CVE-2024-12218 Woocommerce check pincode/zipcode for shipping <= 2.0.4 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
The Woocommerce check pincode/zipcode for shipping plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scrip...
LightPicture Code Injection Vulnerability
LightPicture is an image resource management and image hosting system for enterprises, teams and individuals. LightPicture has a cross-site scripting vulnerability that stems from a lack of effective filtering and escaping of user-supplied data in the file parameter of /api/upload; an attacker can...
CVE-2024-12475
The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inje...
JetBrains TeamCity Image Name Cross-Site Scripting Vulnerability
JetBrains TeamCity is a set of distributed build management and continuous integration tools from the Czech company JetBrains. The tool provides continuous unit testing, code quality analysis and build problem analysis reports and other features. A cross-site scripting vulnerability exists in...
CVE-2024-12100
CVE-2024-12100 affects Bitcoin Lightning Publisher for WordPress (WordPress plugin) up to version 1.4.1. The vulnerability is a Reflected Cross-Site Scripting (XSS) caused by using add_query_arg without proper escaping on URLs, enabling unauthenticated attackers to inject and execute scripts in p...
Reflected Cross-Site Scripting (Reflected XSS)
Liferay Portal is vulnerable to reflected cross-site scripting (XSS). The vulnerability is due to improper handling of user input in the Dispatch name field, allowing remote attackers to execute arbitrary web script or HTML...
CVE-2024-11331
CVE-2024-11331 affects the isee-products-extractor plugin for WordPress (ppy: “استخراج محصولات ووکامرس برای آیسی”). The vulnerability is a Reflected Cross‑Site Scripting in which add_query_arg and remove_query_arg are used without proper escaping, in all versions up to and including 2.1.3. This e...
GHSA-PX38-239G-X5MG Liferay Portal and Liferay DXP have Cross-site Scripting vulnerability in edit Service Access Policy page
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted...
CVE-2023-37940
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted...