Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in PluginlySpeaking Floating Div plugin <= 3.0 at WordPress.
Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin <= 2.11.0 on WordPress.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jewel Theme Master Addons for Elementor allows Stored XSS.This issue affects Master Addons for Elementor: from n/a through 2.0.6.2.
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy / Thirty8 Digital Culture Object plugin <= 4.0.1 at WordPress.
The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2.
Authenticated (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Roman Pronskiy's Search Exclude plugin <= 1.2.6 at WordPress.
Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a patch for this issue.
Library Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /librarian/edit_book_details.php.
BlogEngine v3.3.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /blogengine/api/posts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.
The Image Hover Effects Css3 WordPress plugin through 4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alpine Press Alpine PhotoTile for Pinterest plugin <= 1.3.1 at WordPress.
Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in GS Plugins GS Testimonial Slider plugin <= 1.9.5 at WordPress.
Complete Online Job Search System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the CATEGORY parameter at /category/controller.php?action=edit.
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
A cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "end_date" Parameter
Clinic's Patient Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via update_medicine_details.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Packing text box under the Update Medical Details module.
PowerPath Management Appliance with versions 3.3 & 3.2*, 3.1 & 3.0* contains a Stored Cross-site Scripting Vulnerability. An authenticated admin user could potentially exploit this vulnerability, to hijack user sessions or trick a victim application user into unknowingly send arbitrary requests to the server.
The WP Attachments WordPress plugin before 5.0.5 does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
Authenticated (admin+) Cross-Site Scripting (XSS) vulnerability in wpdevart Poll, Survey, Questionnaire and Voting system plugin <= 1.7.4 at WordPress.
Advanced School Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component ip/school/moudel/update_subject.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Subject text field.
The Highlight Focus WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the component Add New Storage Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-211048.
Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress.
A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /csms/admin/?page=system_info of the component Setting Handler. The manipulation of the argument System Name/System Short Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-211047.
The Testimonials WordPress plugin before 2.7, super-testimonial-pro WordPress plugin before 1.0.8 do not sanitize and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_time" Parameter.
Blogifier v3.0 was discovered to contain an arbitrary file upload vulnerability at /api/storage/upload/PostImage. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted file.
Complete Online Job Search System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the U_NAME parameter at /category/controller.php?action=edit.
Authenticated (shop manager+) Reflected Cross-Site Scripting (XSS) vulnerability in AlgolPlus Advanced Order Export For WooCommerce plugin <= 3.3.1 at WordPress.
Advanced School Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the address parameter at ip/school/index.php.
A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /csms/admin/?page=user/list of the component Create User Handler. The manipulation of the argument First Name/Last Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-211046 is the identifier assigned to this vulnerability.
An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.
The Cab fare calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vehicle title setting in versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WaspThemes Visual CSS Style Editor plugin <= 7.5.8 versions.
The WP Word Count WordPress plugin through 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Dell PowerScale OneFS, versions 8.2.x through 9.4.x contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields.
The WP To Do plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Administrator may store malicious code in entity name. This issue has been patched, please upgrade to version 10.0.4.
A stored cross-site scripting (XSS) vulnerability in LightCMS v1.3.11 allows attackers to execute arbitrary web scripts or HTML via uploading a crafted PDF file.
The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
The Add Comments WordPress plugin through 1.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
A stored cross-site scripting (XSS) vulnerability in eyoucms v1.5.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL field under the login page.
The WP Humans.txt WordPress plugin through 1.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Multiple cross-site scripting (XSS) vulnerabilities in /bsms/?page=manage_account of Simple Bakery Shop Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username or Full Name fields.
The LayerSlider WordPress plugin before 7.1.2 does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
The Pet Manager WordPress plugin through 1.4 does not sanitise and escape some of its Pet settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks.
The Official Integration for Billingo WordPress plugin before 3.4.0 does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JetBackup JetBackup – WP Backup, Migrate & Restore plugin <= 1.6.9.0 versions.
An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.