Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-25045

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-23 Jul, 2022 | 01:43
Updated At-05 Aug, 2024 | 12:26
Rejected At-
Credits

Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:23 Jul, 2022 | 01:43
Updated At:05 Aug, 2024 | 12:26
Rejected At:
▼CVE Numbering Authority (CNA)

Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/encode/django-rest-framework/pull/6191
x_refsource_MISC
https://github.com/encode/django-rest-framework/pull/6330
x_refsource_MISC
https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8
x_refsource_MISC
Hyperlink: https://github.com/encode/django-rest-framework/pull/6191
Resource:
x_refsource_MISC
Hyperlink: https://github.com/encode/django-rest-framework/pull/6330
Resource:
x_refsource_MISC
Hyperlink: https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/encode/django-rest-framework/pull/6191
x_refsource_MISC
x_transferred
https://github.com/encode/django-rest-framework/pull/6330
x_refsource_MISC
x_transferred
https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/encode/django-rest-framework/pull/6191
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/encode/django-rest-framework/pull/6330
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:23 Jul, 2022 | 02:15
Updated At:29 Jul, 2022 | 03:31

Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches
django-rest-framework
django-rest-framework
>>django_rest_framework>>Versions before 3.9.1(exclusive)
cpe:2.3:a:django-rest-framework:django_rest_framework:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8cve@mitre.org
Patch
Third Party Advisory
https://github.com/encode/django-rest-framework/pull/6191cve@mitre.org
Third Party Advisory
https://github.com/encode/django-rest-framework/pull/6330cve@mitre.org
Third Party Advisory
Hyperlink: https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8
Source: cve@mitre.org
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/encode/django-rest-framework/pull/6191
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: https://github.com/encode/django-rest-framework/pull/6330
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

10417Records found
CVE-2025-12335
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 13.21%
||
7 Day CHG+0.01%
Published-27 Oct, 2025 | 23:32
Updated-31 Oct, 2025 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects E-Commerce Website supplier_update.php cross site scripting

A vulnerability was determined in code-projects E-Commerce Website 1.0. Affected by this vulnerability is an unknown functionality of the file /pages/supplier_update.php. This manipulation of the argument supp_name/supp_address causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-Fabian RosSource Code & Projects
Product-e-commerce_websiteE-Commerce Website
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-4652
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.34% / 56.99%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 06:00
Updated-12 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Broadstreet < 1.51.8 - Reflected XSS

The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-broadstreetadsUnknown
Product-broadstreetBroadstreet
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12450
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.11% / 28.27%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 09:27
Updated-08 Apr, 2026 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LiteSpeed Cache <= 7.5.0.1 - Reflected Cross-Site Scripting

The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 7.5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-litespeedtech
Product-LiteSpeed Cache
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26698
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.65% / 71.06%
||
7 Day CHG~0.00%
Published-22 Jul, 2021 | 16:07
Updated-03 Aug, 2024 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used.

Action-Not Available
Vendor-n/aOpen-Xchange AG
Product-open-xchange_appsuiten/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26230
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.71%
||
7 Day CHG~0.00%
Published-22 Jul, 2021 | 16:39
Updated-03 Aug, 2024 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to inject arbitrary web script or HTML via the user information to save_user.php.

Action-Not Available
Vendor-casap_automated_enrollment_system_projectn/a
Product-casap_automated_enrollment_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12398
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.09% / 25.25%
||
7 Day CHG-0.12%
Published-21 Dec, 2025 | 03:20
Updated-08 Apr, 2026 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Table for WooCommerce <= 5.0.8 - Reflected Cross-Site Scripting

The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-codersaiful
Product-Product Table for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26122
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.09%
||
7 Day CHG~0.00%
Published-07 May, 2021 | 11:07
Updated-03 Aug, 2024 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LivingLogic XIST4C before 0.107.8 allows XSS via feedback.htm or feedback.wihtm.

Action-Not Available
Vendor-livinglogicn/a
Product-xist4cn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24350
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-2.65% / 85.94%
||
7 Day CHG~0.00%
Published-14 Jun, 2021 | 13:37
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)

The Visitors WordPress plugin through 0.3 is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel.

Action-Not Available
Vendor-UnknownBestWebSoft
Product-visitors_onlineVisitors
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24536
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.10% / 26.85%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 10:48
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom Login Redirect <= 1.0.0 - CSRF to Stored XSS

The Custom Login Redirect WordPress plugin through 1.0.0 does not have CSRF check in place when saving its settings, and do not sanitise or escape user input before outputting them back in the page, leading to a Stored Cross-Site Scripting issue

Action-Not Available
Vendor-custom_login_redirect_projectUnknown
Product-custom_login_redirectCustom Login Redirect
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24488
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-11.53% / 93.72%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post Grid < 2.1.8 - Reflected Cross-Site Scripting (XSS)

The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-pickpluginsUnknown
Product-post_gridPost Grid
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24925
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 60.54%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:41
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Modern Events Calendar Lite < 6.1.5 - Reflected Cross-Site Scripting

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-webnusUnknown
Product-modern_events_calendar_liteModern Events Calendar Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1175
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 29.90%
||
7 Day CHG~0.00%
Published-10 Feb, 2025 | 12:42
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in Kelio Visio

Reflected Cross-Site Scripting (XSS) vulnerability in Kelio Visio 1, Kelio Visio X7 and Kelio Visio X4, in versions between 3.2C and 5.1K. This vulnerability could allow an attacker to execute a JavaScript payload by making a POST request and injecting malicious code into the editable ‘username’ parameter of the ‘/PageLoginVisio.do’ endpoint.

Action-Not Available
Vendor-Kelio
Product-Kelio Visio 1Kelio Visio X7Kelio Visio X4
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24994
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-3.52% / 87.80%
||
7 Day CHG~0.00%
Published-28 Feb, 2022 | 09:06
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPvivid Backup and Migration Plugin < 0.9.69 - Unauthenticated Stored Cross-Site Scripting

The Migration, Backup, Staging WordPress plugin before 0.9.69 does not have authorisation when adding remote storages, and does not sanitise as well as escape a parameter from such unauthenticated requests before outputting it in admin page, leading to a Stored Cross-Site Scripting issue

Action-Not Available
Vendor-wpvividUnknown
Product-migration\,_backup\,_stagingMigration, Backup, Staging – WPvivid Backup and Migration Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25022
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.27% / 50.42%
||
7 Day CHG~0.00%
Published-03 Jan, 2022 | 12:49
Updated-22 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UpdraftPlus < 1.16.66 - Reflected Cross-Site Scripting

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-updraftplusUnknown
Product-updraftplusUpdraftPlus WordPress Backup Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24926
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-8.02% / 92.20%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Domain Check < 1.0.17 - Reflected Cross-Site Scripting

The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-domaincheckpluginn/a
Product-domain_checkn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24808
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BP Better Messages < 1.9.9.41 - Reflected Cross-Site Scripting

The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-wordplusUnknown
Product-better_messagesBP Better Messages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24407
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-20.96% / 95.72%
||
7 Day CHG~0.00%
Published-06 Jul, 2021 | 11:03
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jannah < 5.4.5 - Reflected Cross-Site Scripting (XSS)

The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action, leading to a Reflected Cross-site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-tielabsTieLabs
Product-jannahJannah
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12001
Matching Score-4
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-4
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.04% / 12.32%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 21:53
Updated-07 Nov, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Content-Type Header

Lack of application manifest sanitation could lead to potential stored XSS.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24697
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-08 Nov, 2021 | 17:35
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-simple_download_monitorSimple Download Monitor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24924
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-06 Dec, 2021 | 15:55
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Email Log < 2.4.8 - Reflected Cross-Site Scripting

The Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-email_log_projectUnknown
Product-email_logEmail Log
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24975
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-3.52% / 87.80%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NextScripts: Social Networks Auto-Poster < 4.3.24 - Unauthenticated Stored XSS

The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.24 does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue

Action-Not Available
Vendor-nextscriptsUnknown
Product-social_networks_auto_posterNextScripts: Social Networks Auto-Poster
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24599
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 40.44%
||
7 Day CHG~0.00%
Published-06 Sep, 2021 | 11:09
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Email Encoder < 2.1.2 - Reflected Cross Site Scripting

The Email Encoder – Protect Email Addresses WordPress plugin before 2.1.2 has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data.

Action-Not Available
Vendor-wp-webhooksUnknown
Product-email_encoderEmail Encoder – Protect Email Addresses
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25040
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-03 Jan, 2022 | 12:49
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booking Calendar < 8.9.2 - Reflected Cross-Site Scripting

The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-UnknownWP Booking Calendar
Product-booking_calendarBooking Calendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25085
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-3.20% / 87.17%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WOOF - Products Filter for WooCommerce < 1.2.6.3 - Reflected Cross-Site Scripting

The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements before outputing back in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-UnknownPluginUs.Net (RealMag777)
Product-woocommerce_products_filterWOOF – Products Filter for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-7103
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.40% / 80.63%
||
7 Day CHG~0.00%
Published-15 Mar, 2017 | 00:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Action-Not Available
Vendor-jqueryuin/aJuniper Networks, Inc.Oracle CorporationRed Hat, Inc.Debian GNU/LinuxFedora ProjectNetApp, Inc.
Product-weblogic_serverapplication_expressbusiness_intelligenceprimavera_unifiersiebel_ui_frameworkdebian_linuxjunosjquery_uihospitality_cruise_fleet_managementoss_support_toolsfedoraopenstacksnapcentern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24452
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-3.38% / 87.53%
||
7 Day CHG-4.35%
Published-19 Jul, 2021 | 10:53
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
W3 Total Cache < 2.1.5 - Reflected XSS in Extensions Page (JS Context)

The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.

Action-Not Available
Vendor-BoldGrid (InMotion Hosting, Inc.)
Product-w3_total_cacheW3 Total Cache
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24300
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-3.40% / 87.58%
||
7 Day CHG~0.00%
Published-24 May, 2021 | 10:58
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)

The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue

Action-Not Available
Vendor-pickpluginsPickPlugins
Product-product_slider_for_woocommercePickPlugins Product Slider for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25006
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-14 Mar, 2022 | 14:41
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MOLIE <= 0.5 - Reflected Cross-Site Scripting

The MOLIE WordPress plugin through 0.5 does not escape the course_id parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-molie_instructure_canvas_linking_tool_projectUnknown
Product-molie_instructure_canvas_linking_toolMOLIE – Instructure Canvas Linking tool
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25161
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.1||MEDIUM
EPSS-1.93% / 83.62%
||
7 Day CHG~0.00%
Published-30 Mar, 2021 | 01:44
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote cross-site scripting (xss) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.

Action-Not Available
Vendor-n/aSiemens AGAruba Networks
Product-scalance_w1750d_firmwareinstantscalance_w1750dAruba Instant Access Points
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24291
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-14.62% / 94.56%
||
7 Day CHG~0.00%
Published-14 May, 2021 | 11:38
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users)

Action-Not Available
Vendor-10Web (TenWeb, Inc.)AYS Pro Extensions
Product-photo_galleryPhoto Gallery by 10Web – Mobile-Friendly Image Gallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25027
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-03 Jan, 2022 | 12:49
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PowerPack Addons for Elementor < 2.6.2 - Reflected Cross-Site Scripting

The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-ideaboxUnknown
Product-powerpack_addons_for_elementorPowerPack Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12079
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 30.16%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 09:27
Updated-08 Apr, 2026 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Twitter Auto Publish <= 1.7.4 - Reflected Cross-Site Scripting via PostMessage

The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-f1logic
Product-WP Twitter Auto Publish
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25089
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UpdraftPlus < 1.16.69 - Reflected Cross-Site Scripting

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.69 does not sanitise and escape the updraft_restore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-updraftplusUnknown
Product-updraftplusUpdraftPlus WordPress Backup Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24304
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-2.65% / 85.94%
||
7 Day CHG~0.00%
Published-09 Aug, 2021 | 10:04
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)

The Newsmag WordPress theme before 5.0 does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-tagdivUnknown
Product-newsmagNewsmag
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24454
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.65% / 82.25%
||
7 Day CHG~0.00%
Published-12 Jul, 2021 | 19:21
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YOP Poll < 6.2.8 - Stored Cross-Site Scripting

In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options "Allow other answers", "Display other answers in the result list" and "Show results", it can lead to Stored Cross-Site Scripting issues as the 'Other' answer is not sanitised before being output in the page. The execution of the XSS payload depends on the 'Show results' option selected, which could be before or after sending the vote for example.

Action-Not Available
Vendor-yop-pollUnknown
Product-yop_pollYOP Poll
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24987
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-6.05% / 90.84%
||
7 Day CHG~0.00%
Published-11 Apr, 2022 | 14:40
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Super Socializer < 7.13.30 - Reflected Cross-Site Scripting

The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.30 does not sanitise and escape the urls parameter in its the_champ_sharing_count AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

Action-Not Available
Vendor-UnknownHeateor
Product-super_socializerSocial Share, Social Login and Social Comments Plugin – Super Socializer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24436
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-4.63% / 89.40%
||
7 Day CHG-0.41%
Published-19 Jul, 2021 | 10:53
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
W3 Total Cache < 2.1.4 - Reflected XSS in Extensions Page (Attribute Context)

The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.

Action-Not Available
Vendor-BoldGrid (InMotion Hosting, Inc.)
Product-w3_total_cacheW3 Total Cache
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24438
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 40.54%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 14:11
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ShareThis Dashboard for Google Analytics < 2.5.2 - Reflected Cross-Site Scripting (XSS)

The ShareThis Dashboard for Google Analytics WordPress plugin before 2.5.2 does not sanitise or escape the 'ga_action' parameter in the stats view before outputting it back in an attribute when the plugin is connected to a Google Analytics account, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator

Action-Not Available
Vendor-sharethisUnknown
Product-dashboard_for_google_analyticsShareThis Dashboard for Google Analytics
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25012
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 17:21
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pz-LinkCard <= 2.4.4.4 - Reflected Cross-Site Scripting

The Pz-LinkCard WordPress plugin through 2.4.4.4 does not sanitise and escape multiple parameters before outputting them back in admin dashboard pages, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-popozureUnknown
Product-pz-linkcardPz-LinkCard
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25071
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 17:22
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Akismet Privacy Policies <= 2.0.1 - Reflected Cross-Site Scripting

The WordPress plugin through 2.0.1 does not sanitise and escape the translation parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-inpsydeUnknown
Product-akismet_privacy_policiesAkismet Privacy Policies
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25080
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-51.61% / 97.93%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting

The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry

Action-Not Available
Vendor-crmperksUnknown
Product-contact_form_entriesContact Form Entries – Contact Form 7, WPforms and more
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24389
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-13.89% / 94.39%
||
7 Day CHG~0.00%
Published-06 Jul, 2021 | 11:03
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS)

The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-chimpgroupChimpstudio
Product-foodbakeryWP FoodbakeryFoodBakery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24907
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 64.85%
||
7 Day CHG~0.00%
Published-21 Dec, 2021 | 08:45
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Everest Forms < 1.8.0 - Reflected Cross-Site Scripting

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-wpeverestUnknown
Product-everest_formsContact Form, Drag and Drop Form Builder for WordPress – Everest Forms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25055
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.70% / 82.51%
||
7 Day CHG~0.00%
Published-21 Feb, 2022 | 10:45
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)

The FeedWordPress plugin before 2022.0123 is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.

Action-Not Available
Vendor-feedwordpress_projectUnknown
Product-feedwordpressFeedWordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25100
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-21 Feb, 2022 | 10:45
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Give < 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard

The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-UnknownGiveWP
Product-givewpGiveWP – Donation Plugin and Fundraising Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12017
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.11% / 29.59%
||
7 Day CHG+0.01%
Published-24 Oct, 2025 | 08:24
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VNPAY for Woocommerce <= 1.0.0 - Reflected Cross-Site Scripting

The VNPAY Payment gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-teyldoan
Product-VNPAY Payment gateway
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24953
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 08:16
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced iFrame < 2022 - Reflected Cross-Site Scripting

The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-tinywebgalleryUnknown
Product-advanced_iframeAdvanced iFrame
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24588
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-06 Sep, 2021 | 11:09
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SMS Alert Order Notifications – WooCommerce < 3.4.7 Authenticated Cross Site Scripting

The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerability in the plugin's setting page.

Action-Not Available
Vendor-cozyvisionUnknown
Product-sms_alert_order_notificationsSMS Alert Order Notifications – WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25039
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 08:16
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multisite Content Copier/Updater < 2.1.0 - Reflected Cross-Site Scripting

The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.0 does not sanitise and escape the wmcc_content_type, wmcc_source_blog and wmcc_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-obtaininfotechUnknown
Product-multisite_content_copier\/updaterWordPress Multisite Content Copier/Updater
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24756
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-14.82% / 94.60%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:40
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP System Log < 1.0.21 - Unauthenticated Stored Cross-Site Scripting

The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs.

Action-Not Available
Vendor-wp_system_log_projectUnknown
Product-wp_system_logWP System Log
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 208
  • 209
  • Next
Details not found