Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 allow remote attackers to inject arbitrary web script or HTML via the (1) post-content or (2) post-title parameter to admin/edit.php.

Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in GetSimple CMS before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the func parameter.

There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field.

Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter.

Cross Site Scripting vulnerability in GetSimpleCMS <=3.3.15 via the (1) sitename, (2) username, and (3) email parameters to /admin/setup.php

Cross Site Scriptiong (XSS) vulnerability in GetSimpleCMS <=3.3.15 via the timezone parameter to settings.php.

Cross Site Scripting (XSS) vulnerability in GetSimpleCMS <= 3.3.15 in admin/changedata.php via the redirect_url parameter and the headers_sent function.

Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) param parameter to admin/load.php or (2) user, (3) email, or (4) name parameter in a Save Settings action to admin/settings.php.

Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.1.2 and 3.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) post-menu field to edit.php or (2) Display name field to settings.php. NOTE: The Custom Permalink Structure and Email Address fields are already covered by CVE-2012-6621.

Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.1, 3.1.2, 3.2.3, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Email Address or (2) Custom Permalink Structure fields in admin/settings.php; (3) path parameter to admin/upload.php; (4) err parameter to admin/theme.php; (5) error parameter to admin/pages.php; or (6) success or (7) err parameter to admin/index.php.

A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form.

Cross-site scripting (XSS) vulnerability in admin/components.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the val[] parameter.

Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to filebrowser.php in admin/. NOTE: the path parameter in admin/upload.php vector is already covered by CVE-2012-6621.

GetSimpleCMS 3.3.16 contains a cross-site Scripting (XSS) vulnerability, where Function TSL does not filter check settings.php Website URL: "siteURL" parameter.

admin/profile.php in GetSimple CMS 3.x has XSS in a name field.

Cross Site Scripting (XSS) vulnerability in GetSimpleCMS 3.4.0a in admin/edit.php.

Cross Site Scripting vulnerability in GetSimpleCMS 3.4.0a in admin/snippets.php via (1) Add Snippet and (2) Save snippets.

Cross Site Scripting vulnerability in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via the a crafted payload to the components.php function.

There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325.

An issue was discovered in GetSimple CMS 3.3.15. An administrator can insert stored XSS via the admin/settings.php Custom Permalink Structure parameter, which injects the XSS payload into any page created at the admin/pages.php URI.

GetSimple CMS 3.3.14 has XSS via the admin/edit.php "Add New Page" field.

A stored cross site scripting (XSS) vulnerability in /admin/snippets.php of GetSimple CMS 3.4.0a allows attackers to execute arbitrary web scripts or HTML via crafted payload in the Edit Snippets module.

A vulnerability, which was classified as problematic, has been found in GetSimple CMS. Affected by this issue is the file /admin/edit.php of the Content Module. The manipulation of the argument post-content with an input like <script>alert(1)</script> leads to cross site scripting. The attack may be launched remotely but requires authentication. Expoit details have been disclosed within the advisory.

A Cross Site Scripting (XSS) vulnerability in GetSimple CMS 3.3.16 exists when using Source Code Mode as a backend user to add articles via the /admin/edit.php page.

Cross Site Scripting vulnerability in GetSimpleCMS 3.3.16 in admin/upload.php by adding comments or jpg and other file header information to the content of xla, pages, and gzip files,

GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.

prettyPhoto before 3.1.6 has js/jquery.prettyPhoto.js XSS.

The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header.

The feed-them-social plugin before 1.7.0 for WordPress has reflected XSS in the Facebook Feeds load more button.

esoTalk 1.0.0g4 has XSS via the PATH_INFO to the conversations/ URI.

The Postmatic plugin before 1.4.6 for WordPress has XSS.

The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues.

PayPal Pro Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header.

The Easy Digital Downloads (EDD) Recommended Products extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

The option-tree plugin before 2.5.4 for WordPress has XSS related to add_query_arg.

Cross-site scripting (XSS) vulnerability in IBM Marketing Platform 8.6.x and 9.x before 9.1.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

The Easy Digital Downloads (EDD) PDF Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

LinuxKI v6.0-1 and earlier is vulnerable to an XSS which is resolved in release 6.0-2.

Table Rate Shipping Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS.

The download-monitor plugin before 1.7.1 for WordPress has XSS related to add_query_arg.

The Easy Digital Downloads (EDD) Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

XSS exists in the the-holiday-calendar plugin before 1.11.3 for WordPress via the thc-month parameter.

The yawpp plugin through 1.2.2 for WordPress has XSS via the field1 parameter.

The Post Connector plugin before 1.0.4 for WordPress has XSS via add_query_arg() and remove_query_arg().

The web application of several Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) was affected by Reflected XSS. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.