Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-21260

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-22 Jan, 2021 | 17:20
Updated At-03 Aug, 2024 | 18:09
Rejected At-
Credits

XSS in description field

Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:22 Jan, 2021 | 17:20
Updated At:03 Aug, 2024 | 18:09
Rejected At:
▼CVE Numbering Authority (CNA)
XSS in description field

Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.

Affected Products
Vendor
BigProf Softwarebigprof-software
Product
online-invoicing-system
Versions
Affected
  • = 4.0
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
3.17.6HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
x_refsource_CONFIRM
https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
x_refsource_MISC
Hyperlink: https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
x_refsource_CONFIRM
x_transferred
https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:22 Jan, 2021 | 18:15
Updated At:29 Jan, 2021 | 14:11

Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Secondary3.17.6HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
BigProf Software
bigprof
>>online_invoicing_system>>4.0
cpe:2.3:a:bigprof:online_invoicing_system:4.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity-advisories@github.com
CWE ID: CWE-79
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2security-advisories@github.com
Third Party Advisory
https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4security-advisories@github.com
Exploit
Third Party Advisory
Hyperlink: https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
Source: security-advisories@github.com
Resource:
Third Party Advisory
Hyperlink: https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
Source: security-advisories@github.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

13927Records found
CVE-2021-24686
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SVG Support < 2.3.20 - Admin+ Stored Cross-Site Scripting

The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-benbodhin/a
Product-svg_supportn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0025
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.52% / 66.82%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:10
Updated-21 Mar, 2025 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources.

Action-Not Available
Vendor-SAP SE
Product-solution_managerSolution Manager (BSP Application)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24812
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-23 Nov, 2021 | 19:16
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BetterLinks < 1.2.6 - Admin+ Stored Cross-Site Scripting

The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV.

Action-Not Available
Vendor-UnknownWPDeveloper
Product-betterlinksBetterLinks – Shorten, Track and Manage any URL
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24813
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Events Made Easy < 2.2.24 - Admin+ Stored Cross-Site Scripting

The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-e-dynamicsUnknown
Product-events_made_easyEvents Made Easy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24737
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Comments - wpDiscuz <= 7.3.0 - Admin+ Stored Cross-Site Scripting

The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-gvectorsUnknown
Product-wpdiscuzComments – wpDiscuz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24720
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.51% / 66.79%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GeoDirectory < 2.1.1.3 - Authenticated Stored Cross-Site Scripting (XSS)

The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS).

Action-Not Available
Vendor-ayecodeUnknown
Product-geodirectoryBusiness Directory Plugin | GeoDirectory
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0147
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.35%
||
7 Day CHG~0.00%
Published-06 Feb, 2023 | 19:59
Updated-25 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flexible Captcha <= 4.1 - Contributor+ Stored XSS

The Flexible Captcha WordPress plugin through 4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-flexible_captcha_projectUnknown
Product-flexible_captchaFlexible Captcha
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-41349
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.1||MEDIUM
EPSS-0.03% / 9.54%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 11:26
Updated-18 Feb, 2026 | 12:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este

Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.

Action-Not Available
Vendor-iestInformatica del Este
Product-winplusWinPlus
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0070
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.52%
||
7 Day CHG~0.00%
Published-06 Feb, 2023 | 19:59
Updated-25 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ResponsiveVoice Text To Speech < 1.7.7 - Contributor+ Stored XSS

The ResponsiveVoice Text To Speech WordPress plugin before 1.7.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-responsivevoiceUnknown
Product-responsivevoice_text_to_speechResponsiveVoice Text To Speech
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24822
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 40.38%
||
7 Day CHG+0.04%
Published-29 Nov, 2021 | 08:25
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stylish Cost Calculator < 7.04 - Subscriber+ Unauthorised AJAX Calls to Stored XSS

The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users due to the lack of sanitisation and escaping in some parameters

Action-Not Available
Vendor-stylishcostcalculatorUnknown
Product-stylish_cost_calculatorStylish Cost Calculator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24671
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 15:25
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MX Time Zone Clocks < 3.4.1 - Contributor+ Cross-Site Scripting

The MX Time Zone Clocks WordPress plugin before 3.4.1 does not escape the time_zone attribute of the mxmtzc_time_zone_clocks shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-mx_time_zone_clocks_projectUnknown
Product-mx_time_zone_clocksMX Time Zone Clocks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0360
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.52%
||
7 Day CHG~0.00%
Published-13 Feb, 2023 | 14:32
Updated-20 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Location Weather < 1.3.4 - Contributor+ Stored XSS

The Location Weather WordPress plugin before 1.3.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-shapedpluginUnknown
Product-location_weatherLocation Weather
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24576
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Accordion < 2.0.22 - Authenticated Stored XSS

The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion.

Action-Not Available
Vendor-techeartyUnknown
Product-easy_accordionEasy Accordion – Best Accordion FAQ Plugin for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24530
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-20 Sep, 2021 | 10:06
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alojapro Widget <= 1.1.15 - Authenticated Stored Cross-Site Scripting (XSS)

The Alojapro Widget WordPress plugin through 1.1.15 doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-alojaproUnknown
Product-alojapro_widgetAlojapro Widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24699
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 13:20
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Media Download < 1.1.7 - Contributor+ Stored Cross-Site Scripting

The Easy Media Download WordPress plugin before 1.1.7 does not escape the text argument of its shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-easy_media_download_projectUnknown
Product-easy_media_downloadEasy Media Download
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2117
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 42.37%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 18:59
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elementor Website Builder – More than Just a Page Builder <= 3.20.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget

The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Path Widget in all versions up to, and including, 3.20.2 due to insufficient output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-elementorelemntor
Product-website_builderElementor Website Builder – more than just a page builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24811
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-29 Nov, 2021 | 08:25
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shop Page WP < 1.2.8 - Admin+ Stored Cross-Site Scripting

The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-shoppagewpUnknown
Product-shop_page_wpShop Page WP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24587
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-20 Sep, 2021 | 10:06
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Splash Header < 1.20.8 - Authenticated Stored Cross-Site Scripting (XSS)

The Splash Header WordPress plugin before 1.20.8 doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.

Action-Not Available
Vendor-zeeswebUnknown
Product-splash_headerSplash Header
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2136
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 37.55%
||
7 Day CHG~0.00%
Published-07 Mar, 2024 | 08:34
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPKoi Templates for Elementor <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading Widget

The WPKoi Templates for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpkoiwpkoithemes
Product-wpkoi_templates_for_elementorWPKoi Templates for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25067
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-8.06% / 92.21%
||
7 Day CHG~0.00%
Published-17 Jan, 2022 | 13:00
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Landing Page Builder < 1.4.9.6 - Authenticated Reflected Cross-Site Scripting (XSS)

The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page.

Action-Not Available
Vendor-pluginopsUnknown
Product-landing_pageLanding Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24526
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 10:48
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Form Maker < 1.13.60 - Authenticated Stored XSS

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-form_makerForm Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24903
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-28 Feb, 2022 | 09:06
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GRAND FlaGallery <= 6.1.2 - Admin+ Stored Cross-Site Scripting

The GRAND FlaGallery WordPress plugin through 6.1.2 does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-codeasilyUnknown
Product-grand_flagalleryAlbum and Image Gallery with Lightbox – Flagallery Photo Portfolio
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24516
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.42% / 62.11%
||
7 Day CHG~0.00%
Published-18 Oct, 2021 | 13:45
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting

The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.

Action-Not Available
Vendor-plansoUnknown
Product-planso_formsPlanSo Forms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24547
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 11:10
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
KN Fix Your Title <= 1.0.1 - Authenticated Stored XSS

The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field.

Action-Not Available
Vendor-kn_fix_your_title_projectUnknown
Product-kn_fix_your_titleKN Fix Your Title
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24571
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 11:10
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HD Quiz < 1.8.4 - Authenticated Stored XSS

The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues

Action-Not Available
Vendor-harmonicdesignUnknown
Product-hd_quizHD Quiz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24665
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 14:11
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Video Lightbox < 1.9.3 - Contributor+ Stored Cross-Site Scripting

The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-wp_video_lightboxWP Video Lightbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2139
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 37.55%
||
7 Day CHG~0.00%
Published-27 Mar, 2024 | 01:56
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Master Addons for Elementor <= 2.0.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget

The Master Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widget in all versions up to, and including, 2.0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-master-addonslitonice13
Product-master_addonsMaster Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24834
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 47.69%
||
7 Day CHG~0.00%
Published-17 Nov, 2021 | 10:15
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YOP Poll < 6.3.1 - Author+ Stored Cross-Site Scripting via Options Module

The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters - vote button label , results link label and back to vote caption label.

Action-Not Available
Vendor-yop-pollUnknown
Product-yop_pollYOP Poll
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24992
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-27 Dec, 2021 | 10:33
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Buttonizer - Smart Floating Action Button < 2.5.5 - Admin+ Stored Cross-Site Scripting

The Smart Floating / Sticky Buttons WordPress plugin before 2.5.5 does not sanitise and escape some parameter before outputting them in attributes and page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-buttonizerUnknown
Product-buttonizerSmart Floating / Sticky Buttons – Call, Sharing, Chat Widgets & More – Buttonizer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24817
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:40
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate NoFollow <= 1.4.8 - Contributor+ Stored Cross-Site Scripting

The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks

Action-Not Available
Vendor-ultimate_nofollow_projectUnknown
Product-ultimate_nofollowUltimate Nofollow
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24637
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 41.39%
||
7 Day CHG~0.00%
Published-20 Sep, 2021 | 10:06
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fonts Plugin < 3.0.3 - Contributor+ Stored Cross-Site Scripting

The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block.

Action-Not Available
Vendor-fontspluginUnknown
Product-fontsFonts Plugin | Google Fonts Typography
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4459
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.26% / 48.88%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 03:32
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Titles

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget's titles in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-themesflatthemesflat
Product-themesflat_addons_for_elementorThemesflat Addons For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-87
Improper Neutralization of Alternate XSS Syntax
CVE-2021-24810
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 08:16
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Event Manager < 3.1.23 - Admin+ Stored Cross-Site Scripting

The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-wp-eventmanagerUnknown
Product-wp_event_managerWP Event Manager – Easily Build your Calendar of Events!
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24712
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 47.93%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 - Authenticated Stored XSS

The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars.

Action-Not Available
Vendor-UnknownCodePeople
Product-appointment_hour_bookingAppointment Hour Booking – WordPress Booking Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0536
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.35%
||
7 Day CHG-0.08%
Published-08 May, 2023 | 13:58
Updated-05 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wp-D3 <= 2.4.1 - Contributor+ Stored XSS

The Wp-D3 WordPress plugin through 2.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-wp-d3_projectUnknown
Product-wp-d3Wp-D3
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24899
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-29 Nov, 2021 | 08:25
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Media-Tags <= 3.2.0.2 - Admin+ Stored Cross-Site Scripting

The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_htnl capability is disallowed.

Action-Not Available
Vendor-media-tags_projectUnknown
Product-media-tagsMedia Tags
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24793
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPeMatico RSS Feed Fetcher < 2.6.12 - Admin+ Stored Cross-Site Scripting

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-etruelUnknown
Product-wpematico_rss_feed_fetcherWPeMatico RSS Feed Fetcher
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24577
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coming Soon and Maintenance Mode < 3.5.3 - Authenticated Stored XSS

The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS.

Action-Not Available
Vendor-UnknownWpDevArt
Product-coming_soon_and_maintenance_modeComing soon and Maintenance mode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1413
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.23% / 45.58%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exclusive Addons for Elementor <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-exclusiveaddonstimstrifler
Product-exclusive_addons_for_elementorExclusive Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2302
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.14% / 32.89%
||
7 Day CHG~0.00%
Published-03 Jun, 2023 | 04:35
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form and Calls To Action by vcita <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with the edit_posts capability, such as contributors and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-vcitavcita
Product-contact_form_and_calls_to_action_by_vcitaContact Form and Calls To Action by vcita
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24608
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 13:20
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Formidable Form Builder < 5.0.07 - Admin+ Stored Cross-Site Scripting

The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-UnknownStrategy11
Product-formidable_form_builderFormidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24828
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-03 Jan, 2022 | 12:49
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mortgage Calculator / Loan Calculator < 1.5.17 - Contributor+ Stored Cross-Site Scripting

The Mortgage Calculator / Loan Calculator WordPress plugin before 1.5.17 does not escape the some of the attributes of its mlcalc shortcode before outputting them, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

Action-Not Available
Vendor-mlcalcUnknown
Product-mortgage_calculator\/loan_calculatorMortgage Calculator / Loan Calculator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24785
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 13:20
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Great Quotes <= 1.0.0 - Admin+ Stored Cross-Site Scripting

The Great Quotes WordPress plugin through 1.0.0 does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

Action-Not Available
Vendor-great-quotes_projectUnknown
Product-great-quotesGreat Quotes
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24344
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.01% / 0.29%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 14:35
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24471
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 36.73%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 10:48
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YouTube Embed < 5.2.2 - Contributor+ Stored XSS

The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured).

Action-Not Available
Vendor-youtube_embed_projectUnknown
Product-youtube_embedYouTube Embed
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24594
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-08 Nov, 2021 | 17:34
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Translate WordPress - Google Language Translator < 6.0.12 - Admin+ Stored Cross-Site Scripting

The Translate WordPress – Google Language Translator WordPress plugin before 6.0.12 does not sanitise and escape some of its settings before outputting it in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-gtranslateUnknown
Product-google_language_translatorTranslate WordPress – Google Language Translator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24622
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 45.11%
||
7 Day CHG~0.00%
Published-18 Oct, 2021 | 13:45
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Ticket < 5.10.4 - Admin+ Stored Cross-Site Scripting

The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-emarketdesignUnknown
Product-customer_service_software_\&_support_ticket_systemCustomer Service Software & Support Ticket System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24773
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-21 Mar, 2025 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download Manager < 3.2.16 - Admin+ Stored Cross-Site Scripting

The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-UnknownW3 Eden, Inc.WordPress Download Manager Pro
Product-download_managerWordPress Download Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24830
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 51.62%
||
7 Day CHG~0.00%
Published-23 Nov, 2021 | 19:16
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced Access Manager < 6.8.0 - Admin+ Stored Cross-Site Scripting

The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-vasyltechUnknown
Product-advanced_access_managerAdvanced Access Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24476
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Steam Group Viewer <= 2.1 - Authenticated Stored Cross-Site Scripting (XSS)

The Steam Group Viewer WordPress plugin through 2.1 does not sanitise or escape its "Steam Group Address" settings before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue

Action-Not Available
Vendor-steam_group_viewer_projectUnknown
Product-steam_group_viewerSteam Group Viewer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 278
  • 279
  • Next
Details not found