Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2016-15053

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-30 Oct, 2025 | 21:54
Updated At-17 Nov, 2025 | 18:21
Rejected At-
Credits

Nagios XI < 5.2.4 XSS via “My Reports” Listing

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:30 Oct, 2025 | 21:54
Updated At:17 Nov, 2025 | 18:21
Rejected At:
▼CVE Numbering Authority (CNA)
Nagios XI < 5.2.4 XSS via “My Reports” Listing

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Affected Products
Vendor
Nagios Enterprises, LLCNagios
Product
XI
Modules
  • Web UI – “My Reports” listing (report entries & link renderers)
Default Status
unaffected
Versions
Affected
  • From 0 before 5.2.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-63CAPEC-63 Cross-Site Scripting (XSS)
CAPEC ID: CAPEC-63
Description: CAPEC-63 Cross-Site Scripting (XSS)
Solutions

Nagios addresses this vulnerability as "Fixed XSS injection possibility in my reports."

Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.nagios.com/changelog/nagios-xi/
release-notes
patch
https://www.vulncheck.com/advisories/nagios-xi-xss-via-my-reports-listing
third-party-advisory
Hyperlink: https://www.nagios.com/changelog/nagios-xi/
Resource:
release-notes
patch
Hyperlink: https://www.vulncheck.com/advisories/nagios-xi-xss-via-my-reports-listing
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:30 Oct, 2025 | 22:15
Updated At:05 Nov, 2025 | 18:27

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches
Nagios Enterprises, LLC
nagios
>>nagios_xi>>Versions before 5.2.4(exclusive)
cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarydisclosure@vulncheck.com
CWE ID: CWE-79
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.nagios.com/changelog/nagios-xi/disclosure@vulncheck.com
Release Notes
https://www.vulncheck.com/advisories/nagios-xi-xss-via-my-reports-listingdisclosure@vulncheck.com
Third Party Advisory
Hyperlink: https://www.nagios.com/changelog/nagios-xi/
Source: disclosure@vulncheck.com
Resource:
Release Notes
Hyperlink: https://www.vulncheck.com/advisories/nagios-xi-xss-via-my-reports-listing
Source: disclosure@vulncheck.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

9963Records found
CVE-2024-13183
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.18% / 39.54%
||
7 Day CHG~0.00%
Published-10 Jan, 2025 | 07:21
Updated-16 Jan, 2025 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ parameter in all versions up to, and including, 2.10.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Themeisle
Product-orbit_foxOrbit Fox by ThemeIsle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13350
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.28%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 08:21
Updated-26 May, 2025 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SearchIQ – The Search Solution <= 4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The SearchIQ – The Search Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siq_searchbox' shortcode in all versions up to, and including, 4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-searchiqsearchiq
Product-searchiqSearchIQ – The Search Solution
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13132
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 37.11%
||
7 Day CHG~0.00%
Published-05 Jan, 2025 | 04:31
Updated-25 Feb, 2025 | 22:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Emlog Pro Subpage article.php cross site scripting

A vulnerability classified as problematic was found in Emlog Pro up to 2.4.3. This vulnerability affects unknown code of the file /admin/article.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-emlogn/a
Product-emlogEmlog Pro
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-1348
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 37.97%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-29 May, 2025 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Depicter (Averta)
Product-shortcodes_and_extra_features_for_phlox_themeShortcodes and extra features for Phlox themeshortcodes_and_extra_features_for_phlox_theme
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13667
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 11:10
Updated-21 Feb, 2025 | 14:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncode <= 2.9.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via mle-description

The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-undsgnundsgn
Product-uncodeUncode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13548
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 22.29%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-04 Feb, 2025 | 19:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Power Ups for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wppugdotrex
Product-power_ups_for_elementorPower Ups for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7035
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 10.07%
||
7 Day CHG-0.00%
Published-16 Jul, 2025 | 09:22
Updated-23 Jul, 2025 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Media Library Assistant <= 3.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via mla_tag_cloud and mla_term_list Shortcodes

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mla_tag_cloud and mla_term_list shortcodes in all versions up to, and including, 3.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-davidlingrendglingren
Product-media_library_assistantMedia Library Assistant
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13340
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 24.20%
||
7 Day CHG~0.00%
Published-23 Jan, 2025 | 11:13
Updated-31 Jan, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MDTF – Meta Data and Taxonomies Filter <= 1.3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdf_results_by_ajax' shortcode in all versions up to, and including, 1.3.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-meta_data_and_taxonomies_filterMDTF – Meta Data and Taxonomies Filter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13294
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 41.51%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:17
Updated-02 Sep, 2025 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal POST File allows Cross-Site Scripting (XSS).This issue affects POST File: from 0.0.0 before 1.0.2.

Action-Not Available
Vendor-post_file_projectThe Drupal Association
Product-post_filePOST File
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13153
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 37.98%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 08:24
Updated-03 Mar, 2025 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.135 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.5.135 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: Since the widget code isn't part of the code, to apply the patch, the affected widgets: Image Tooltip, Notification, Simple Popup, Video Play Button, and Card Carousel, must be deleted and reinstalled manually.

Action-Not Available
Vendor-unlimited-elementsunitecms
Product-unlimited_elements_for_elementorUnlimited Elements For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4690
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.1||HIGH
EPSS-0.26% / 49.17%
||
7 Day CHG~0.00%
Published-23 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in usememos/memos

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13461
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 09:21
Updated-25 Feb, 2025 | 03:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Autoship Cloud for WooCommerce Subscription Products <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'autoship-create-scheduled-order-action' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-patternsinthecloudpatternsinthecloud
Product-autoship_cloudAutoship Cloud for WooCommerce Subscription Products
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1384
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 45.95%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 12:31
Updated-19 Sep, 2024 | 22:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Premium Portfolio Features for Phlox theme <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aux_recent_portfolios_grid' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Depicter (Averta)
Product-auxinportfolioPremium Portfolio Features for Phlox theme
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13599
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 22.29%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-04 Feb, 2025 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin <= 4.2.7.5 - Authenticated (LP Instructor+) Stored Cross-Site Scripting via Lesson Name

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated attackers, with LP Instructor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-learnpressLearnPress – WordPress LMS Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13672
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.28%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 03:21
Updated-25 Feb, 2025 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mini Course Generator | Embed mini-courses and interactive content <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Mini Course Generator | Embed mini-courses and interactive content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mcg' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-minicoursegeneratorminicoursegenerator
Product-mini_course_generatorMini Course Generator | Embed mini-courses and interactive content
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1332
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 42.07%
||
7 Day CHG~0.00%
Published-24 May, 2024 | 06:42
Updated-04 Apr, 2025 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom Fonts – Host Your Fonts Locally <= 2.1.4 - Authenticated (Author+) Stored Cross-Site Scripting

The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Brainstorm Force
Product-custom_fontsCustom Fonts – Host Your Fonts Locally
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4728
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.43% / 62.06%
||
7 Day CHG~0.00%
Published-24 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Graphite Web Cookie cross site scripting

A vulnerability has been found in Graphite Web and classified as problematic. This vulnerability affects unknown code of the component Cookie Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a patch to fix this issue. VDB-216742 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-graphite_projectGraphite
Product-graphiteWeb
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13642
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 06:41
Updated-04 Feb, 2025 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stratum – Elementor Widgets <= 1.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting Vulnerability via Image Hotspot Widget

The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Hotspot widget in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-motopressjetmonsters
Product-stratumStratum – Elementor Widgets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13582
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-21 Feb, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Pricing Tables For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Pricing Tables For WPBakery Page Builder(Formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdo_simple_pricing_table_free' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-webdevoceanlabibahmed42
Product-pricing_tablesSimple Pricing Tables For WPBakery Page Builder(Formerly Visual Composer)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13403
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.18% / 40.09%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 08:21
Updated-12 Aug, 2025 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPForms Lite <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all versions up to, and including, 1.9.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Awesome Motive Inc.WPForms, LLC
Product-wpformsWPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4212
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.76% / 73.01%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 03:32
Updated-13 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's TF Group Image, TF Nav Menu, TF Posts, TF Woo Product Grid, TF Accordion, and TF Image Box widgets in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-themesflatthemesflat
Product-themesflat_addons_for_elementorThemesflat Addons For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13579
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-21 Feb, 2025 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-Asambleas <= 2.85.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP-Asambleas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'polls_popup' shortcode in all versions up to, and including, 2.85.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-platcomplatcom
Product-wp-asambleasWP-Asambleas
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15274
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.59% / 68.77%
||
7 Day CHG~0.00%
Published-26 Oct, 2020 | 18:35
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS via search result in Wiki.js

In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results.

Action-Not Available
Vendor-requarksRequarks
Product-wiki.jswiki.js
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13583
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.07% / 22.29%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 09:21
Updated-12 Feb, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Gallery with Filter <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Gallery with Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'c2tw_sgwf' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-come2thewebjitendra742744
Product-simple_gallery_with_filterSimple Gallery with Filter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1293
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 41.42%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-16 Jan, 2025 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom block in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-brizythemefusecom
Product-brizyBrizy – Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13734
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 27.74%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 09:21
Updated-11 Mar, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Card Elements for Elementor <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Profile Card Widget

The Card Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Profile Card widget in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-techeshtatecheshta
Product-card_elements_for_elementorCard Elements for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4786
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 41.75%
||
7 Day CHG+0.05%
Published-21 Feb, 2023 | 08:50
Updated-13 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Video.js - HTML5 Video Player for WordPress <= 4.5.0 - Contributor+ Stored XSS via Shortcode

The Video.js WordPress plugin through 4.5.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-video.js_projectUnknown
Product-video.jsVideo.js
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13701
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 03:21
Updated-25 Feb, 2025 | 03:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Liveticker (by stklcode) <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Liveticker (by stklcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'liveticker' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-stklcodestklcode
Product-livetickerLiveticker (by stklcode)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1327
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.14% / 33.93%
||
7 Day CHG~0.00%
Published-03 Apr, 2024 | 02:32
Updated-15 Jan, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's image box widget in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-jegthemejegtheme
Product-jeg_elementor_kitJeg Elementor Kit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-34308
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 10.60%
||
7 Day CHG~0.00%
Published-28 Oct, 2025 | 14:36
Updated-03 Nov, 2025 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IPFire < v2.29 Stored XSS via Default Time Sync

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page.

Action-Not Available
Vendor-ipfireIPFire.org
Product-ipfireIPFire
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-1451
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.90% / 75.38%
||
7 Day CHG~0.00%
Published-14 Jul, 2020 | 22:54
Updated-28 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1450, CVE-2020-1456.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_enterprise_serversharepoint_serverMicrosoft SharePoint Enterprise ServerMicrosoft SharePoint Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13141
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.14% / 33.68%
||
7 Day CHG+0.07%
Published-05 Jan, 2025 | 14:31
Updated-10 Jan, 2025 | 21:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
osuuu LightPicture SVG File Upload upload cross site scripting

A vulnerability classified as problematic was found in osuuu LightPicture up to 1.2.2. This vulnerability affects unknown code of the file /api/upload of the component SVG File Upload Handler. The manipulation of the argument file leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-osuuuosuuu
Product-lightpictureLightPicture
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-13101
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.02% / 5.22%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 06:00
Updated-11 May, 2025 | 23:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP MediaTagger <= 4.1.1 - Contributor+ Stored XSS

The WP MediaTagger WordPress plugin through 4.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-phd38Unknown
Product-wp_mediataggerWP MediaTagger
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1333
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 43.97%
||
7 Day CHG~0.00%
Published-18 Mar, 2024 | 15:15
Updated-05 May, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Responsive Pricing Table < 5.1.11 - Author+ Stored XSS

The Responsive Pricing Table WordPress plugin before 5.1.11 does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the related shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-wpdarkoUnknownwpdarko
Product-responsive_pricing_tableResponsive Pricing Tableresponsive_pricing_table
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-45510
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.32% / 54.24%
||
7 Day CHG+0.01%
Published-20 Nov, 2024 | 00:00
Updated-11 Jun, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper sanitization of user input. This allows an attacker to inject malicious code into specific fields of an e-mail message. When the victim adds the attacker to their contacts, the malicious code is stored and executed when viewing the contact list. This can lead to unauthorized actions such as arbitrary mail sending, mailbox exfiltration, profile picture alteration, and other malicious actions. Proper sanitization and escaping of input fields are necessary to mitigate this vulnerability.

Action-Not Available
Vendor-n/aSynacor, Inc.
Product-zimbra_collaboration_suiten/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13081
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 32.40%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 20:31
Updated-06 Jan, 2025 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Land Record System contactus.php cross site scripting

A vulnerability was found in PHPGurukul Land Record System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/contactus.php. The manipulation of the argument Page Description leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-land_record_systemLand Record System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-13700
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 13:41
Updated-31 Jan, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Embed Swagger UI <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Embed Swagger UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsgui' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-vinayjainspanrig
Product-embed_swagger_uiEmbed Swagger UI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4608
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.90%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 03:32
Updated-01 Aug, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

The SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-artbeesartbees
Product-sellkitSellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13649
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.28%
||
7 Day CHG~0.00%
Published-08 Mar, 2025 | 11:16
Updated-11 Mar, 2025 | 21:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.4.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpxproxpro
Product-xpro_addons_for_elementor140+ Widgets | Xpro Addons For Elementor – FREE
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13670
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 13:42
Updated-31 Jan, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Music Sheet Viewer <= 4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Music Sheet Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pn_msv' shortcode in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-partitionnumeriqueefreja
Product-music_sheet_viewerMusic Sheet Viewer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13238
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.47% / 64.16%
||
7 Day CHG+0.05%
Published-09 Jan, 2025 | 18:33
Updated-04 Jun, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Typogrify allows Cross-Site Scripting (XSS).This issue affects Typogrify: from 0.0.0 before 1.3.0.

Action-Not Available
Vendor-typogrify_projectThe Drupal Association
Product-typogrifyTypogrify
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13805
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 15.34%
||
7 Day CHG~0.00%
Published-07 Mar, 2025 | 09:21
Updated-21 May, 2025 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced File Manager <= 5.2.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload

The Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.2.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-advancedfilemanagersaadiqbal
Product-advanced_file_managerAdvanced File Manager — Ultimate WordPress File Manager and Document Library Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13644
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 01:44
Updated-25 Feb, 2025 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DethemeKit For Elementor <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via De Gallery Widget

The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's De Gallery widget in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-dethemedetheme
Product-dethemekit_for_elementorDethemeKit for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13565
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.09% / 25.28%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-24 Feb, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Map No Api <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

The Simple Map No Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-shaonback2shaonback2
Product-simple_map_no_apiSimple Map No Api
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-68946
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.01% / 1.12%
||
7 Day CHG-0.02%
Published-26 Dec, 2025 | 04:14
Updated-31 Dec, 2025 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

Action-Not Available
Vendor-giteaGitea
Product-giteaGitea
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13699
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 38.18%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 12:22
Updated-12 Feb, 2025 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qi Addons For Elementor <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor’ parameter in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.8.5, 1.8.6, and 1.8.7.

Action-Not Available
Vendor-qodeinteractiveqodeinteractive
Product-qi_addons_for_elementorQi Addons For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-3067
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 57.22%
||
7 Day CHG~0.00%
Published-07 Feb, 2020 | 18:24
Updated-06 Aug, 2024 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Linksys WRT310Nv2 2.0.0.1 is vulnerable to XSS.

Action-Not Available
Vendor-n/aLinksys Holdings, Inc.
Product-wrt310n_firmwarewrt310nn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13464
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-24 Feb, 2025 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Library Bookshelves <= 5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Library Bookshelves plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bookshelf' shortcode in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-photonicgnosticphotonicgnostic
Product-library_bookshelvesLibrary Bookshelves
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13402
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 22.82%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 12:47
Updated-24 May, 2025 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BuddyBoss Platform <= 2.7.70 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'link_title'

The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_title’ parameter in all versions up to, and including, 2.7.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BUDDYBOSS LLC
Product-buddyboss_platformBuddyboss Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13196
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 37.11%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 00:00
Updated-22 Aug, 2025 | 21:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
donglight bookstore电商书城系统说明 BookInfoController.java BookSearchList cross site scripting

A vulnerability was found in donglight bookstore电商书城系统说明 1.0.0. It has been declared as problematic. This vulnerability affects the function BookSearchList of the file src/main/java/org/zdd/bookstore/web/controller/BookInfoController.java. The manipulation of the argument keywords leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-donglightdonglight
Product-bookstorebookstore电商书城系统说明
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
  • Previous
  • 1
  • 2
  • ...
  • 60
  • 61
  • 62
  • ...
  • 199
  • 200
  • Next
Details not found