Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-4227

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-26 Dec, 2022 | 12:28
Updated At-14 Apr, 2025 | 14:08
Rejected At-
Credits

Booster for WooCommerce - Reflected Cross-Site Scripting

The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:26 Dec, 2022 | 12:28
Updated At:14 Apr, 2025 | 14:08
Rejected At:
▼CVE Numbering Authority (CNA)
Booster for WooCommerce - Reflected Cross-Site Scripting

The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting

Affected Products
Vendor
Unknown
Product
Booster for WooCommerce
Collection URL
https://wordpress.org/plugins
Default Status
unaffected
Versions
Affected
  • From 0 before 5.6.3 (custom)
Vendor
Unknown
Product
Booster Plus for WooCommerce
Default Status
unaffected
Versions
Affected
  • From 0 before 6.0.0 (custom)
Vendor
Unknown
Product
Booster Elite for WooCommerce
Default Status
unaffected
Versions
Affected
  • From 0 before 6.0.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-Site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-Site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
WPScan
coordinator
WPScan
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890
exploit
vdb-entry
technical-description
Hyperlink: https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890
Resource:
exploit
vdb-entry
technical-description
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890
exploit
vdb-entry
technical-description
x_transferred
Hyperlink: https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890
Resource:
exploit
vdb-entry
technical-description
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:26 Dec, 2022 | 13:15
Updated At:14 Apr, 2025 | 14:15

The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Secondary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches
booster
booster
>>booster_elite_for_woocommerce>>Versions before 6.0.0(exclusive)
cpe:2.3:a:booster:booster_elite_for_woocommerce:*:*:*:*:*:wordpress:*:*
booster
booster
>>booster_for_woocommerce>>Versions before 5.6.3(exclusive)
cpe:2.3:a:booster:booster_for_woocommerce:*:*:*:*:*:wordpress:*:*
booster
booster
>>booster_plus_for_woocommerce>>Versions before 6.0.0(exclusive)
cpe:2.3:a:booster:booster_plus_for_woocommerce:*:*:*:*:*:wordpress:*:*
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890contact@wpscan.com
Third Party Advisory
https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890
Source: contact@wpscan.com
Resource:
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/90d3022c-5d35-4ef2-ab87-6919268db890
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

9895Records found
CVE-2021-25031
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Hover Effects Ultimate < 9.7.1 - Reflected Cross-Site Scripting

The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-UnknownBiplob Adhikari (Oxilab Development)
Product-image_hover_effects_ultimateImage Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24909
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 51.78%
||
7 Day CHG~0.00%
Published-17 Jan, 2022 | 13:00
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ACF Photo Gallery Field < 1.7.5 - Reflected Cross-Site Scripting

The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputing back in an attribute, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-navzUnknown
Product-acf_photo_gallery_fieldACF Photo Gallery Field
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24910
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-24.22% / 95.95%
||
7 Day CHG+13.85%
Published-22 Aug, 2022 | 14:55
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Transposh WordPress Translation < 1.0.8 - Reflected Cross-Site Scripting

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-transposhUnknown
Product-transposh_wordpress_translationTransposh WordPress Translation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-55545
Matching Score-4
Assigner-CyberDanube
ShareView Details
Matching Score-4
Assigner-CyberDanube
CVSS Score-7.1||HIGH
EPSS-0.26% / 48.80%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 16:14
Updated-03 Nov, 2025 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected Cross-Site Scripting

Missing input validation in the ORing IAP-420 web-interface allows Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below.

Action-Not Available
Vendor-oringnetORing
Product-iap-420_firmwareiap-420IAP-420
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26039
Matching Score-4
Assigner-Joomla! Project
ShareView Details
Matching Score-4
Assigner-Joomla! Project
CVSS Score-6.1||MEDIUM
EPSS-2.17% / 83.96%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 10:12
Updated-16 Sep, 2024 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20210705] - Core - XSS in com_media imagelist

An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24878
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 58.20%
||
7 Day CHG-0.50%
Published-07 Feb, 2022 | 15:47
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SupportCandy < 2.2.7 - Reflected Cross-Site Scripting

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-supportcandyUnknown
Product-supportcandySupportCandy – Helpdesk & Support Ticket System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5638
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-1.83% / 82.56%
||
7 Day CHG-0.54%
Published-08 Jun, 2024 | 05:44
Updated-31 Oct, 2024 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Formula <= 0.5.1 - Reflected Cross-Site Scripting via ti_customizer_notify_dismiss_recommended_plugins

The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'ti_customizer_notify_dismiss_recommended_plugins' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-A WP Life
Product-formulaFormula
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-56357
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.68% / 71.20%
||
7 Day CHG+0.25%
Published-20 Dec, 2024 | 20:24
Updated-12 Mar, 2025 | 17:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core

grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust.

Action-Not Available
Vendor-getgristgristlabs
Product-grist-coregrist-core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25295
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.85% / 74.45%
||
7 Day CHG~0.00%
Published-18 Jan, 2021 | 05:28
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issues.

Action-Not Available
Vendor-opencatsn/a
Product-opencatsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26122
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 43.95%
||
7 Day CHG~0.00%
Published-07 May, 2021 | 11:07
Updated-03 Aug, 2024 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LivingLogic XIST4C before 0.107.8 allows XSS via feedback.htm or feedback.wihtm.

Action-Not Available
Vendor-livinglogicn/a
Product-xist4cn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24967
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-12.13% / 93.63%
||
7 Day CHG~0.00%
Published-27 Dec, 2021 | 10:33
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form & Lead Form Elementor Builder < 1.6.4 - Unauthenticated Stored Cross-Site Scripting

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads

Action-Not Available
Vendor-themehunkUnknown
Product-contact_form_\&_lead_form_elementor_builderContact Form & Lead Form Elementor Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24955
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 43.91%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:41
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ProfilePress < 3.2.3 - Reflected Cross-Site Scripting

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-profilepressUnknown
Product-user_registration\,_login_form\,_user_profile_\&_membershipUser Registration, Login Form, User Profile & Membership – ProfilePress (Formerly WP User Avatar)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2421
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.09% / 24.70%
||
7 Day CHG~0.00%
Published-29 Apr, 2023 | 01:31
Updated-14 Jan, 2025 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Control iD RHiD department cross site scripting

A vulnerability classified as problematic has been found in Control iD RHiD 23.3.19.0. Affected is an unknown function of the file /v2/#/add/department. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. VDB-227718 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-controlidControl iD
Product-rhidRHiD
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24885
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 13:21
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YOP Poll < 6.1.2 - Reflected Cross-Site Scripting

The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-yop-pollUnknown
Product-yop-pollYOP Poll
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24994
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-3.52% / 87.37%
||
7 Day CHG~0.00%
Published-28 Feb, 2022 | 09:06
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPvivid Backup and Migration Plugin < 0.9.69 - Unauthenticated Stored Cross-Site Scripting

The Migration, Backup, Staging WordPress plugin before 0.9.69 does not have authorisation when adding remote storages, and does not sanitise as well as escape a parameter from such unauthenticated requests before outputting it in admin page, leading to a Stored Cross-Site Scripting issue

Action-Not Available
Vendor-wpvividUnknown
Product-migration\,_backup\,_stagingMigration, Backup, Staging – WPvivid Backup and Migration Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25277
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 51.56%
||
7 Day CHG~0.00%
Published-19 Mar, 2021 | 16:39
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FTAPI 4.0 - 4.10 allows XSS via a crafted filename to the alternative text hover box in the file submission component.

Action-Not Available
Vendor-ftapin/a
Product-ftapin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26030
Matching Score-4
Assigner-Joomla! Project
ShareView Details
Matching Score-4
Assigner-Joomla! Project
CVSS Score-6.1||MEDIUM
EPSS-38.80% / 97.15%
||
7 Day CHG~0.00%
Published-14 Apr, 2021 | 17:34
Updated-16 Sep, 2024 | 20:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20210401] - Core - Escape xss in logo parameter error pages

An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25810
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.61% / 69.28%
||
7 Day CHG~0.00%
Published-29 Apr, 2021 | 15:44
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross site Scripting (XSS) vulnerability in MERCUSYS Mercury X18G 1.0.5 devices, via crafted values to the 'src_dport_start', 'src_dport_end', and 'dest_port' parameters.

Action-Not Available
Vendor-mercusysn/a
Product-mercury_x18gmercury_x18g_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-56265
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.11% / 29.54%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 10:14
Updated-28 Jan, 2026 | 17:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce - PDF Vouchers plugin < 4.9.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPWeb WooCommerce PDF Vouchers allows Reflected XSS.This issue affects WooCommerce PDF Vouchers: from n/a before 4.9.9.

Action-Not Available
Vendor-WPWeb Elite
Product-woocommerce_pdf_vouchersWooCommerce PDF Vouchers
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24973
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-4.43% / 88.78%
||
7 Day CHG~0.00%
Published-03 Jan, 2022 | 12:49
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Site Reviews < 5.17.3 - Unauthenticated Stored Cross-Site Scripting

The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin

Action-Not Available
Vendor-geminilabsUnknown
Product-site_reviewsSite Reviews
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25040
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-03 Jan, 2022 | 12:49
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booking Calendar < 8.9.2 - Reflected Cross-Site Scripting

The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-UnknownWP Booking Calendar
Product-booking_calendarBooking Calendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25008
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-3.36% / 87.05%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Snippets < 2.14.3 - Reflected Cross-Site Scripting

The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-codesnippetsUnknown
Product-code_snippetsCode Snippets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24810
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.22% / 44.25%
||
7 Day CHG~0.00%
Published-22 Feb, 2023 | 19:15
Updated-10 Mar, 2025 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross site scripting (XSS) vulnerability using authentication callback in Misskey

Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps.

Action-Not Available
Vendor-misskeymisskey-dev
Product-misskeymisskey
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25963
Matching Score-4
Assigner-Mend
ShareView Details
Matching Score-4
Assigner-Mend
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 59.87%
||
7 Day CHG~0.00%
Published-30 Sep, 2021 | 07:50
Updated-30 Apr, 2025 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shuup - Reflected XSS in Error Page

In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not escaped.

Action-Not Available
Vendor-shuupshuup
Product-shuupshuup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24976
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart SEO Tool < 3.0.6 - Reflected Cross-Site Scripting

The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-wboltUnknown
Product-smart_seo_toolSmart SEO Tool – SEO优化插件
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-32509
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.07% / 21.27%
||
7 Day CHG~0.00%
Published-23 Aug, 2023 | 14:27
Updated-25 Sep, 2024 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Order Your Posts Manually Plugin <= 2.2.5 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Rolf van Gelder Order Your Posts Manually plugin <= 2.2.5 versions.

Action-Not Available
Vendor-cagewebdevRolf van Gelder
Product-order_your_posts_manuallyOrder Your Posts Manually
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25012
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 17:21
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pz-LinkCard <= 2.4.4.4 - Reflected Cross-Site Scripting

The Pz-LinkCard WordPress plugin through 2.4.4.4 does not sanitise and escape multiple parameters before outputting them back in admin dashboard pages, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-popozureUnknown
Product-pz-linkcardPz-LinkCard
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-56918
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 12.55%
||
7 Day CHG~0.00%
Published-24 Jun, 2025 | 00:00
Updated-30 Jun, 2025 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Netbox Community 4.1.7, the login page is vulnerable to cross-site scripting (XSS), which allows a privileged, authenticated attacker to exfiltrate user input from the login form.

Action-Not Available
Vendor-netboxn/a
Product-netboxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-16148
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 46.94%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 12:20
Updated-05 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sakai through 12.6 allows XSS via a chat user name.

Action-Not Available
Vendor-sakailmsn/a
Product-sakain/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24932
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:41
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Auto Featured Image < 3.9.3 - Reflected Cross-Site Scripting

The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue.

Action-Not Available
Vendor-cm-wpUnknown
Product-auto_featured_imageAuto Featured Image (Auto Post Thumbnail)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25299
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-79.93% / 99.07%
||
7 Day CHG~0.00%
Published-15 Feb, 2021 | 12:32
Updated-03 Aug, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24194
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 45.96%
||
7 Day CHG-0.09%
Published-06 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the page parameter in navbar.php.

Action-Not Available
Vendor-online_food_ordering_system_projectn/a
Product-online_food_ordering_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26032
Matching Score-4
Assigner-Joomla! Project
ShareView Details
Matching Score-4
Assigner-Joomla! Project
CVSS Score-6.1||MEDIUM
EPSS-1.35% / 79.73%
||
7 Day CHG~0.00%
Published-26 May, 2021 | 10:22
Updated-17 Sep, 2024 | 04:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload

An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24874
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 51.78%
||
7 Day CHG~0.00%
Published-14 Feb, 2022 | 09:20
Updated-16 Oct, 2024 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.31 - Reflected Cross-Site Scripting

The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-brevoUnknown
Product-newsletter\,_smtp\,_email_marketing_and_subscribeNewsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25038
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 08:16
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multisite User Sync/Unsync < 2.1.2 - Reflected Cross-Site Scripting

The WordPress Multisite User Sync/Unsync WordPress plugin before 2.1.2 does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-obtaininfotechUnknown
Product-multisite_user_sync\/unsyncWordPress Multisite User Sync/Unsync
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25894
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 60.00%
||
7 Day CHG~0.00%
Published-02 Apr, 2021 | 11:31
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the /magnoliaPublic/travel/members/login.html mgnlUserId parameter.

Action-Not Available
Vendor-magnolia-cmsn/a
Product-magnolia_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24985
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.35% / 57.22%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Forms for Mailchimp < 6.8.6 - Reflected Cross-Site Scripting

The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-yikesincUnknown
Product-easy_forms_for_mailchimpEasy Forms for Mailchimp
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5624
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-5.1||MEDIUM
EPSS-0.90% / 75.24%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 08:53
Updated-13 Sep, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected Cross-Site Scripting (XSS) in Shift Logbook application of B&R APROL

Reflected Cross-Site Scripting (XSS) in Shift Logbook application of B&R APROL <= R 4.4-00P3 may allow a network-based attacker to execute arbitrary JavaScript code in the context of the user's browser session

Action-Not Available
Vendor-B&R Industrial Automation GmbH
Product-industrial_automation_aprolB&R APROL
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28508
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.45% / 80.46%
||
7 Day CHG~0.00%
Published-04 May, 2022 | 13:50
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.

Action-Not Available
Vendor-n/aMantis Bug Tracker (MantisBT)
Product-mantisbtn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24924
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-06 Dec, 2021 | 15:55
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Email Log < 2.4.8 - Reflected Cross-Site Scripting

The Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-email_log_projectUnknown
Product-email_logEmail Log
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-27103
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 53.45%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 12:11
Updated-03 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column.

Action-Not Available
Vendor-element-plusn/a
Product-element-plusn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25035
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Backup and Staging by WP Time Capsule < 1.22.7 - Reflected Cross-Site Scripting

The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-revmakxUnknown
Product-backup_and_staging_by_wp_time_capsuleBackup and Staging by WP Time Capsule
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26227
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.51%
||
7 Day CHG~0.00%
Published-22 Jul, 2021 | 16:49
Updated-03 Aug, 2024 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to inject arbitrary web script or HTML via the student information parameters to edit_stud.php.

Action-Not Available
Vendor-casap_automated_enrollment_system_projectn/a
Product-casap_automated_enrollment_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26078
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-6.1||MEDIUM
EPSS-0.56% / 67.67%
||
7 Day CHG~0.00%
Published-07 Jun, 2021 | 22:25
Updated-17 Oct, 2024 | 14:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.

Action-Not Available
Vendor-Atlassian
Product-data_centerjira_serverjiraJira ServerJira Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25099
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-2.41% / 84.75%
||
7 Day CHG~0.00%
Published-21 Feb, 2022 | 10:45
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Give < 2.17.3 - Unauthenticated Reflected Cross-Site Scripting

The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-UnknownGiveWP
Product-givewpGiveWP – Donation Plugin and Fundraising Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-55268
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 39.68%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 00:00
Updated-11 Dec, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Reflected Cross Site Scripting (XSS) vulnerability was found in /covidtms/registered-user-testing.php in PHPGurukul COVID 19 Testing Management System 1.0 which allows remote attackers to execute arbitrary code via the regmobilenumber parameter.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-covid_19_testing_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-53943
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.10% / 27.14%
||
7 Day CHG~0.00%
Published-03 Feb, 2025 | 00:00
Updated-05 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in NRadio N8-180 NROS-1.9.2.n3.c5 devices. The /cgi-bin/luci/nradio/basic/radio endpoint is vulnerable to XSS via the 2.4 GHz and 5 GHz name parameters, allowing an attacker to execute JavaScript within the context of the current user by injecting JavaScript into the SSID field. If an administrator logs into the device, the injected script runs in their browser, executing the malicious payload.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26599
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.46% / 63.80%
||
7 Day CHG~0.00%
Published-19 Apr, 2023 | 00:00
Updated-05 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XSS vulnerability in TripleSign in Tripleplay Platform releases prior to Caveman 3.4.0 allows attackers to inject client-side code to run as an authenticated user via a crafted link.

Action-Not Available
Vendor-uniguestn/a
Product-tripleplayn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-54045
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-6.1||MEDIUM
EPSS-0.59% / 68.64%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 20:42
Updated-15 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Action-Not Available
Vendor-Adobe Inc.
Product-connectAdobe Connect
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24975
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-3.52% / 87.37%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NextScripts: Social Networks Auto-Poster < 4.3.24 - Unauthenticated Stored XSS

The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.24 does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue

Action-Not Available
Vendor-nextscriptsUnknown
Product-social_networks_auto_posterNextScripts: Social Networks Auto-Poster
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • ...
  • 6
  • 7
  • 8
  • ...
  • 197
  • 198
  • Next
Details not found