CVE-2023-2498

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.19 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inje...

FusionInvoice 2023-1.0 Cross Site Scripting

Exploit Title: FusionInvoice 2023-1.0 - Stored XSS Cross-Site Scripting Date: 2023-05-24 Exploit Author: Andrea Intilangelo Vendor Homepage: https://www.squarepiginteractive.com Software Link: https://www.fusioninvoice.com/store Version: 2023-1.0 Tested on: Latest Version of Desktop Web Browsers...

CVE-2023-33793

CVE-2023-33793 is a stored XSS affecting NetBox v3.5.1 in the Create Power Panels API at /dcim/power-panels/ via the Name field. Multiple sources corroborate the flaw; the NVD entry assigns CVSSv3.1 base score 5.4 (Medium) with network attack vector, low complexity, user interaction required. The...

CVE-2023-33788

A stored cross-site scripting XSS vulnerability in the Create Providers /circuits/providers/ function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field...

CVE-2023-33799

A stored cross-site scripting XSS vulnerability in the Create Contacts /tenancy/contacts/ function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field...

CVE-2023-33798

A stored cross-site scripting XSS vulnerability in the Create Rack /dcim/rack/ function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field...

CVE-2023-33795

A stored cross-site scripting XSS vulnerability in the Create Contact Roles /tenancy/contact-roles/ function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field...

CVE-2023-33785

A stored cross-site scripting XSS vulnerability in the Create Rack Roles /dcim/rack-roles/ function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field...

CVE-2023-31664

A reflected cross-site scripting XSS vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter...

CVE-2023-31664

A reflected cross-site scripting XSS vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter...

Novelist < 1.2.1 - Admin+ Stored XSS

The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...

Rank Math SEO PRO < 3.0.36 - Unauthenticated Reflected XSS

The plugin does not sanitize and escape a parameter before outputting it back in the page, allowing an unauthenticated attacker to inject web scripts that will execute when a visitor follows a crafted link to the page...

MailChimp Subscribe Forms < 4.0.9.2 - Admin+ Stored XSS

The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...

Contact Form Entries < 1.3.1 - Contributor+ Stored XSS

The plugin does not sanitize and escape the vx-entries shortcode attributes before using them, which could allow a logged in user with roles as low as contributor to inject arbitrary web scripts into posts or pages...

CVE-2023-2735

The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ghform' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

alkacon-OpenCMS vulnerable to stored Cross-site Scripting

A stored cross-site scripting XSS vulnerability in alkacon-OpenCMS v11.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module...

CVE-2023-31544

A stored cross-site scripting XSS vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module...

CVE-2023-31544

A stored cross-site scripting XSS vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module...

CVE-2023-2708

The Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘searchterm’ parameter in versions up to, and including, 1.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

Cross site scripting

The Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘searchterm’ parameter in versions up to, and including, 1.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...