Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-2470

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-30 May, 2023 | 07:49
Updated At-10 Jan, 2025 | 17:37
Rejected At-
Credits

Add to Feedly <= 1.2.11 - Admin+ Stored XSS

The Add to Feedly WordPress plugin through 1.2.11 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:30 May, 2023 | 07:49
Updated At:10 Jan, 2025 | 17:37
Rejected At:
▼CVE Numbering Authority (CNA)
Add to Feedly <= 1.2.11 - Admin+ Stored XSS

The Add to Feedly WordPress plugin through 1.2.11 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Affected Products
Vendor
Unknown
Product
Add to Feedly
Collection URL
https://wordpress.org/plugins
Default Status
affected
Versions
Affected
  • From 0 through 1.2.11 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-Site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-Site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Fioravante Souza (WPScan)
coordinator
WPScan
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/de0adf26-8a0b-4b90-96d5-4bec6e770e04
exploit
vdb-entry
technical-description
Hyperlink: https://wpscan.com/vulnerability/de0adf26-8a0b-4b90-96d5-4bec6e770e04
Resource:
exploit
vdb-entry
technical-description
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/de0adf26-8a0b-4b90-96d5-4bec6e770e04
exploit
vdb-entry
technical-description
x_transferred
Hyperlink: https://wpscan.com/vulnerability/de0adf26-8a0b-4b90-96d5-4bec6e770e04
Resource:
exploit
vdb-entry
technical-description
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:30 May, 2023 | 08:15
Updated At:10 Jan, 2025 | 18:15

The Add to Feedly WordPress plugin through 1.2.11 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CPE Matches
add_to_feedly_project
add_to_feedly_project
>>add_to_feedly>>Versions up to 1.2.11(inclusive)
cpe:2.3:a:add_to_feedly_project:add_to_feedly:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-79
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://wpscan.com/vulnerability/de0adf26-8a0b-4b90-96d5-4bec6e770e04contact@wpscan.com
Exploit
https://wpscan.com/vulnerability/de0adf26-8a0b-4b90-96d5-4bec6e770e04af854a3a-2127-422b-91ae-364da2661108
Exploit
Hyperlink: https://wpscan.com/vulnerability/de0adf26-8a0b-4b90-96d5-4bec6e770e04
Source: contact@wpscan.com
Resource:
Exploit
Hyperlink: https://wpscan.com/vulnerability/de0adf26-8a0b-4b90-96d5-4bec6e770e04
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit

Change History

0
Information is not available yet

Similar CVEs

3520Records found
CVE-2024-49392
Matching Score-4
Assigner-Acronis International GmbH
ShareView Details
Matching Score-4
Assigner-Acronis International GmbH
CVSS Score-5.7||MEDIUM
EPSS-0.32% / 55.17%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 09:48
Updated-18 Oct, 2024 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting (XSS) vulnerability on enrollment invitation page. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24.

Action-Not Available
Vendor-Acronis (Acronis International GmbH)
Product-cyber_filesAcronis Cyber Filescyber_files
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28106
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.07% / 21.38%
||
7 Day CHG~0.00%
Published-16 Mar, 2023 | 16:31
Updated-25 Feb, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pimcore vulnerable to Cross-site Scripting in UrlSlug Data type

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0906
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 46.41%
||
7 Day CHG~0.00%
Published-10 Mar, 2022 | 14:55
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unrestricted file upload leads to stored XSS in microweber/microweber

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.

Action-Not Available
Vendor-Microweber (‘Microweber Academy’ Foundation)
Product-microwebermicroweber/microweber
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4970
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.32% / 55.42%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 06:00
Updated-18 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Widget Bundle <= 2.0.0 - Admin+ Stored XSS

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-devnath_vermaUnknown
Product-widget_bundleWidget Bundle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28636
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.5||MEDIUM
EPSS-1.00% / 77.19%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 17:21
Updated-10 Feb, 2025 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GLPI vulnerable to stored Cross-site Scripting in external links

GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

Action-Not Available
Vendor-GLPI Project
Product-glpiglpi
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28651
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-4.8||MEDIUM
EPSS-16.25% / 94.91%
||
7 Day CHG~0.00%
Published-01 Jun, 2023 | 00:00
Updated-09 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege.

Action-Not Available
Vendor-contecContec Co., Ltd.
Product-conprosys_hmi_systemCONPROSYS HMI System (CHS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1646
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-30 May, 2022 | 08:36
Updated-03 Aug, 2024 | 00:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Real Estate Pack <= 1.4.8 - Admin+ Stored Cross Site Scripting

The Simple Real Estate Pack WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-simple_real_estate_pack_projectUnknown
Product-simple_real_estate_packSimple Real Estate Pack
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-49696
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.16% / 36.15%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 12:29
Updated-11 May, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.21 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows Stored XSS.This issue affects Robo Gallery: from n/a through <= 3.2.21.

Action-Not Available
Vendor-robosoftrobosoft
Product-robo_galleryRobo Gallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-36580
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 40.28%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 17:39
Updated-11 Jul, 2025 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection

Action-Not Available
Vendor-Dell Inc.
Product-wyse_management_suiteWyse Management Suite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28790
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 31.54%
||
7 Day CHG~0.00%
Published-27 Sep, 2023 | 05:14
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Staff List Plugin <= 2.2.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Brett Shumaker Simple Staff List plugin <= 2.2.3 versions.

Action-Not Available
Vendor-simple_staff_list_projectBrett Shumaker
Product-simple_staff_listSimple Staff List
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-48870
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.2||MEDIUM
EPSS-0.38% / 59.81%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 06:18
Updated-05 Nov, 2024 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sharp and Toshiba Tec MFPs improperly validate input data in URI data registration, resulting in a stored cross-site scripting vulnerability. If crafted input is stored by an administrative user, malicious script may be executed on the web browsers of other victim users.

Action-Not Available
Vendor-toshibatecsharpToshiba Tec CorporationSharp Corporation
Product-mx-m6050bp-c542wd_firmwaremx-5110n_firmwaremx-c381_firmwaremx-m6070_abp-b547wdmx-m365n_a_firmwaremx-3570n_firmwaremx-m6071_firmwarebp-60c36_firmwarebp-70m31bp-90c80bp-c533wd_firmwaremx-c400p_firmwaremx-3101nmx-4070n_a_firmwaremx-3070v_amx-m3571_firmwaremx-m3571mx-2651_firmwaremx-m464n_firmwaremx-m2651mx-5070v_firmwaremx-3111umx-b355wz_firmwaremx-4140nmx-4060v_firmwarebp-b550wdmx-5140n_firmwaremx-m5051mx-3050v_amx-b376w_firmwaremx-2600gmx-c303wh_firmwarebp-70c55_firmwaremx-2601nmx-m564n_amx-b376whmx-4071s_firmwaremx-3550v_firmwaremx-m3071_firmwaremx-b456whmx-m356uvmx-c311mx-m904bp-50c26mx-m753u_firmwaremx-m264ue-studio1058_firmwaremx-2640nrmx-m315nmx-b400pmx-2314nrbp-30c25z_firmwaremx-3550n_firmwaredx-c401_j_firmwaremx-m315u_firmwaremx-c303mx-2610nmx-m316nvmx-m314nmx-m4070_amx-b476wh_firmwaremx-m6070_firmwarebp-30m28t_firmwaremx-m4070mx-m453u_firmwaremx-m1206_firmwaremx-m265nv_firmwaremx-m3070_firmwaremx-3100gmx-m265ne_firmwaremx-c401_firmwaremx-m315uv_firmwaremx-3070v_firmwaremx-b355wt_firmwaremx-m1055bp-c535wrmx-m623umx-2610n_firmwaremx-m264u_firmwaremx-m314nr_firmwaremx-7040nmx-3571smx-m4071s_firmwaremx-m3551bp-70c55mx-m354n_firmwaremx-c312_firmwaremx-4111n_firmwaree-studio908_firmwaremx-c380mx-m265uvmx-c402sc_firmwarebp-90c80_firmwaredx-c400mx-b356whmx-m315ne_firmwaremx-1810umx-6050v_firmwaremx-4070v_firmwaremx-m754nmx-2615n_firmwarebp-70m75_firmwaremx-2615nmx-4071smx-5000nmx-c303w_firmwaredx-c400_firmwaremx-6580nmx-c304wh_firmwaremx-m365n_abp-50c65_firmwaremx-m7570mx-3060nmx-3610nrmx-b376wmx-7081_firmwarebp-70m36_firmwarebp-50c55_firmwaremx-3110nmx-m1205mx-b402pmx-m4050_firmwaremx-c382scmx-c310_firmwaremx-m503nmx-3115nmx-m565nmx-3070v_a_firmwaredx-2000u_firmwaremx-m1056mx-m3551_firmwaremx-m3051_firmwaremx-m264nr_firmwaremx-m453nmx-c303whmx-2630nmx-m6071mx-c380p_firmwaremx-3050n_abp-70c65bp-30c25tbp-60c31_firmwarebp-70c36_firmwaremx-4051mx-m364nmx-3061mx-5112nmx-b402scmx-7500n_firmwaremx-m356uv_firmwaremx-3101n_firmwaremx-b382p_firmwaremx-m3550_firmwaremx-4110n_firmwaremx-b382scmx-3116n_firmwaremx-m654nbp-b537wr_firmwaremx-m354ubp-50c36mx-2601n_firmwaremx-b382_firmwaremx-3640n_firmwaremx-m6070mx-5000n_firmwaremx-m3571s_firmwaremx-3070n_amx-3640nr_firmwaremx-m3071smx-m363n_firmwaremx-8090nmx-m315uvbp-30m31_firmwaremx-2640n_firmwaremx-3551_firmwaremx-b476w_firmwaremx-m314n_firmwaremx-6071_firmwaremx-m753umx-3110n_a_firmwaremx-b355wzmx-m503umx-m6051_firmwaremx-c301wmx-c381mx-5071mx-m2651_firmwaremx-5110ne-studio1208_firmwaremx-m265v_firmwaremx-m264nmx-m363nmx-c304whmx-2600n_firmwaremx-m365n_firmwaremx-m6070_a_firmwaremx-6050vdx-c381mx-m5050_firmwaremx-3110n_firmwaremx-2614nmx-b402_firmwaremx-b382pmx-m905mx-3610nr_firmwaremx-m3570_firmwarebp-50c31mx-3561mx-m1205_firmwaremx-2600nmx-4070n_amx-c382scb_firmwarebp-b537wrbp-70c31_firmwaremx-m465n_firmwaremx-5051_firmwaremx-b455wmx-c304wmx-5071s_firmwarebp-50m26mx-4141nbp-50m26_firmwaremx-3110n_abp-50m45mx-3570v_firmwaremx-m4070_a_firmwaremx-m265n_firmwaremx-m4071smx-2615_amx-m564nmx-b382bp-c542wdmx-m265umx-c303wmx-m364n_firmwaremx-m316nv_firmwarebp-70m45bp-70m75bp-c535wdmx-6070v_a_firmwaredx-c311_firmwarebp-30m35_firmwaremx-b476whmx-m503u_firmwaremx-m754n_ae-studio1058mx-3071s_firmwaremx-2310u_firmwaremx-m354nrmx-m3550mx-4061smx-4050n_firmwaremx-4060nmx-3561s_firmwarebp-60c31mx-7090n_firmwaremx-m314umx-c380_firmwaredx-c311j_firmwaremx-4071mx-7081mx-m565n_firmwaremx-m356u_firmwaremx-3140nmx-3561_firmwaremx-m453umx-b476wmx-b381dx-c311jmx-3560vmx-m363u_firmwaremx-b455wz_firmwaremx-2616nmx-4101nmx-m5071_firmwaremx-6070n_a_firmwaremx-4071_firmwaremx-2616n_firmwarebp-30c25_firmwaremx-m356nv_firmwaremx-m5050bp-70m65_firmwaremx-m265nvmx-m314nv_firmwaremx-m266nvdx-c310_firmwaremx-5111nmx-b400p_firmwarebp-30m35mx-8081_firmwaremx-3071_firmwarebp-30m31t_firmwaremx-6580n_firmwaremx-2640nr_firmwarebp-b540wrmx-m283nmx-m5070_firmwarebp-30m28tmx-8090n_firmwarebp-c545wdmx-m264nrmx-m316nbp-c533wdmx-1810u_firmwaremx-m3071s_firmwaremx-4050v_firmwarebp-30m31mx-b355wtmx-3114nmx-2314nmx-5071_firmwaremx-b402sc_firmwaremx-m465nmx-3111u_firmwaremx-c303_firmwaremx-m365nmx-4100n_firmwaremx-7500nmx-4101n_firmwarebp-70m90_firmwarebp-90c70mx-3050nbp-60c36mx-b455wt_firmwaremx-4060n_firmwaremx-3070vmx-3050v_a_firmwarebp-50c26_firmwaremx-3570vmx-c304w_firmwaremx-m754n_firmwaremx-m465n_amx-m3050mx-6050n_firmwaremx-3610n_firmwaremx-4110nmx-5070n_firmwaremx-4140n_amx-m5070dx-c401_jmx-m356ubp-50c45_firmwaremx-4061_firmwaremx-4112n_firmwaremx-c382scbmx-3061smx-m315umx-3070n_firmwaremx-m356nvmx-3571s_firmwaremx-3560v_firmwaremx-3061_firmwaremx-m266nv_firmwarebp-30c25mx-b402mx-b455w_firmwaredx-c311mx-3571mx-7580n_firmwaremx-m314u_firmwaremx-m315nvmx-m265vmx-3100nmx-m1206mx-7090nmx-c301w_firmwaremx-3114n_firmwaremx-2600g_firmwarebp-30c25ymx-5141nmx-m4051dx-2500nmx-c301bp-50c55mx-c381bmx-2614n_firmwaremx-4070n_firmwaremx-m3570mx-m654n_firmwarebp-55c26_firmwaremx-5050n_firmwaremx-5070vmx-3140n_a_firmwaremx-m5051_firmwaremx-6071s_firmwaremx-5051mx-c400_firmwaremx-4061s_firmwaremx-3051mx-b456wh_firmwaremx-5141n_firmwaremx-b456we-studio1208mx-m3070mx-m4071_firmwaremx-3060v_firmwaremx-6071mx-4111nmx-m464nbp-30m35t_firmwaremx-m4051_firmwaremx-m6071s_firmwaremx-3140nrmx-m5071mx-2615_a_firmwaremx-4050nbp-70c31mx-m3050_firmwaremx-m4070_firmwaremx-3061s_firmwaremx-m314nrmx-3640nrmx-3070nmx-m356nmx-c301_firmwarebp-b540wr_firmwaremx-m1204mx-4070v_amx-m266n_firmwarebp-70m65mx-c380pmx-c304mx-6500ndx-c401_firmwaremx-b356wh_firmwaremx-3115n_firmwaremx-3551mx-3050v_firmwaremx-2301nbp-70c36mx-3050n_firmwaremx-m6050_firmwaremx-m905_firmwaremx-3100n_firmwaremx-6240n_firmwaremx-b401_firmwaremx-m4071bp-c535wd_firmwaremx-c400pbp-50c45mx-m7570_firmwarebp-30m31tmx-m3571smx-4100nmx-8081mx-2630n_firmwaremx-b355w_firmwarebp-70m31_firmwaremx-4112nbp-50m31mx-m453n_firmwaremx-2301n_firmwaremx-3140n_firmwaremx-m654n_a_firmwaremx-m266nmx-6070n_firmwarebp-30c25y_firmwaremx-3570nbp-70m55bp-30m28_firmwaremx-m264nvmx-5050vmx-m654n_amx-4140n_firmwaremx-5071sbp-c533wrmx-b455wtmx-m3050_a_firmwaremx-3060vmx-5001nmx-c312mx-m265uv_firmwaremx-3140nr_firmwaremx-m753n_firmwaremx-m3071mx-4060vbp-55c26mx-3071smx-3560n_firmwaremx-b455wzmx-2310rmx-m465n_a_firmwarebp-c535wr_firmwaremx-m315vmx-m316n_firmwarebp-50c31_firmwaremx-5070nmx-m1056_firmwaremx-c304_firmwarebp-c545wd_firmwaremx-2310umx-m264nv_firmwarebp-50m36_firmwaredx-c401bp-70m90mx-3610nmx-7580nbp-b550wd_firmwaremx-4061dx-c310bp-50m45_firmwarebp-50m55_firmwaremx-6070v_amx-m363umx-b401mx-3140n_abp-30c25t_firmwaremx-2314nr_firmwaremx-2310r_firmwaremx-3560nbp-50m31_firmwaremx-b376wh_firmwarebp-70m45_firmwaremx-m354nmx-6050nmx-6500n_firmwaremx-4050vmx-m2630_a_firmwaremx-3050vmx-m315nv_firmwaremx-m753nbp-90c70_firmwaremx-c311_firmwaremx-5111n_firmwaremx-3571_firmwaremx-m1054_firmwaremx-c310mx-4070vmx-m754n_a_firmwaremx-m356n_firmwaremx-m265u_firmwaremx-m265nemx-m623u_firmwaremx-m2630_ae-studio908mx-2640nbp-30c25zmx-6240nmx-c401mx-m623n_firmwaremx-m3070_a_firmwaremx-m264n_firmwaremx-2010umx-3051_firmwaremx-6051mx-6070n_amx-b380p_firmwaremx-m3051mx-m5071s_firmwaremx-m4050mx-m2630_firmwarebp-b547wd_firmwaremx-m3070_amx-3071mx-m6051mx-m265nbp-50m55mx-m1055_firmwaremx-m354u_firmwarebp-70c65_firmwarebp-60c45mx-m1054mx-c382sc_firmwaremx-4140n_a_firmwaremx-6051_firmwarebp-50c36_firmwaremx-b456w_firmwaremx-5141n_abp-70c45bp-30m28mx-6071smx-4051_firmwaremx-m564n_firmwaremx-m315nemx-4141n_firmwaremx-4070v_a_firmwaremx-3100g_firmwaredx-2500n_firmwaredx-2000umx-b380pbp-50c65bp-50m50_firmwaremx-b356wmx-m503n_firmwaremx-b355wmx-5001n_firmwaremx-m314nvmx-m1204_firmwaremx-2314n_firmwaremx-5050nbp-70m55_firmwaremx-b381_firmwaremx-3550nmx-3070n_a_firmwaremx-3640nmx-2651mx-m2630mx-2010u_firmwarebp-70c45_firmwaremx-6070v_firmwaremx-4070nbp-30m35tmx-c400mx-5112n_firmwaremx-7040n_firmwarebp-60c45_firmwaremx-3550vmx-m3050_amx-5140nmx-b382sc_firmwaremx-c381b_firmwaremx-m6570_firmwaremx-b402p_firmwaremx-m283n_firmwaremx-b356w_firmwarebp-c533wr_firmwaredx-c381_firmwarebp-70m36mx-5141n_a_firmwaremx-5050v_firmwaremx-m564n_a_firmwaremx-6070vmx-m6570mx-c402scmx-3050n_a_firmwaremx-m315n_firmwaremx-m354nr_firmwaremx-3060n_firmwaremx-m5071sbp-50m50mx-m623nmx-m6071smx-6070nmx-m904_firmwarebp-50m36mx-3561smx-m315v_firmwaremx-3116ne-STUDIO 1208e-STUDIO 908e-STUDIO 1058Sharp Digital Full-color MFPs and Monochrome MFPs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-36139
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.02% / 5.78%
||
7 Day CHG~0.00%
Published-18 Sep, 2025 | 15:13
Updated-25 Sep, 2025 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM watsonx.data cross-site scripting

IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-IBM Corporation
Product-watsonx.datawatsonx.data
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4755
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4||MEDIUM
EPSS-0.08% / 24.52%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 06:00
Updated-01 Aug, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Google CSE <= 1.0.7 - Admin+ Stored XSS

The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-erikengUnknownerikeng
Product-google_cseGoogle CSEgoogle_cse
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-37185
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.5||MEDIUM
EPSS-0.06% / 18.98%
||
7 Day CHG~0.00%
Published-14 Jan, 2026 | 16:20
Updated-20 Jan, 2026 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host.

Action-Not Available
Vendor-Aruba NetworksHewlett Packard Enterprise (HPE)
Product-edgeconnect_sd-wan_orchestratorEdgeConnect SD-WAN Orchestrator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28751
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.44%
||
7 Day CHG~0.00%
Published-23 Jun, 2023 | 12:26
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Wp Ultimate Review Plugin <= 2.0.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.0.3 versions.

Action-Not Available
Vendor-wpmetWpmet
Product-wp_ultimate_reviewWp Ultimate Review
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26515
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.44%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 10:41
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Slug Translate Plugin <= 2.7.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ko Takagi Simple Slug Translate plugin <= 2.7.2 versions.

Action-Not Available
Vendor-simple_slug_translate_projectKo Takagi
Product-simple_slug_translateSimple Slug Translate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-48239
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.11% / 29.44%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 00:00
Updated-17 Apr, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in WTCMS 1.0. In the plupload method in \AssetController.class.php, the app parameters aren't processed, resulting in Cross Site Scripting (XSS).

Action-Not Available
Vendor-wtcms_projectn/awtcms_project
Product-wtcmsn/awtcms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-48652
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-34.84% / 97.09%
||
7 Day CHG~0.00%
Published-22 Oct, 2024 | 00:00
Updated-25 Oct, 2024 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field.

Action-Not Available
Vendor-tuzition/atuzitio
Product-camaleon_cmsn/acamaleon_cms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47759
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.68% / 71.81%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 17:42
Updated-23 Jan, 2025 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GLPI has a stored XSS via document upload

GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17.

Action-Not Available
Vendor-GLPI Project
Product-glpiglpi
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26958
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.24% / 47.58%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 00:00
Updated-02 Aug, 2024 | 12:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin Name parameter.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-park_ticketing_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-48233
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.11% / 28.53%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 00:00
Updated-07 Jul, 2025 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

mipjz 5.0.5 is vulnerable to Cross Site Scripting (XSS) in \app\setting\controller\ApiAdminSetting.php via the ICP parameter.

Action-Not Available
Vendor-mipjz_projectn/amipjz_project
Product-mipjzn/amipjz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4812
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 24.22%
||
7 Day CHG~0.00%
Published-05 Jun, 2024 | 15:06
Updated-20 Nov, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Katello: potential cross-site scripting exploit in ui

A flaw was found in the Katello plugin for Foreman, where it is possible to store malicious JavaScript code in the "Description" field of a user. This code can be executed when opening certain pages, for example, Host Collections.

Action-Not Available
Vendor-katello_projectRed Hat, Inc.
Product-satellitekatelloRed Hat Satellite 6
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3385
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.26% / 49.89%
||
7 Day CHG+0.13%
Published-07 Apr, 2025 | 21:31
Updated-29 Apr, 2025 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LinZhaoguan pb-cms Classification Management Page cross site scripting

A vulnerability was found in LinZhaoguan pb-cms 2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Classification Management Page. The manipulation of the argument Classification name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-pb-cms_projectLinZhaoguan
Product-pb-cmspb-cms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-27614
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.21% / 42.88%
||
7 Day CHG~0.00%
Published-23 Apr, 2023 | 10:54
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Motor Racing League Plugin <= 1.9.9 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Ian Haycox Motor Racing League plugin <= 1.9.9 versions.

Action-Not Available
Vendor-motor_racing_league_projectIan Haycox
Product-motor_racing_leagueMotor Racing League
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-36000
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 19:39
Updated-14 Aug, 2025 | 01:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server Liberty cross-site scripting

IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server Liberty
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47184
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.42% / 80.80%
||
7 Day CHG~0.00%
Published-27 Sep, 2024 | 14:05
Updated-04 Oct, 2024 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ampache vulnerable to Stored XSS via Democratic Playlist Name

Ampache is a web based audio/video streaming application and file manager. Prior to version 6.6.0, the Democratic Playlist Name is vulnerable to a stored cross-site scripting. Version 6.6.0 fixes this issue.

Action-Not Available
Vendor-ampacheampacheampache
Product-ampacheampacheampache
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3503
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.5||MEDIUM
EPSS-0.19% / 40.12%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 06:00
Updated-07 May, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wepluginsUnknown
Product-wp_mapsWP Maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27624
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.48% / 65.56%
||
7 Day CHG-0.19%
Published-13 Jun, 2023 | 15:04
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Redirect After Login Plugin <= 0.1.9 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Marcelotorres Redirect After Login plugin <= 0.1.9 versions.

Action-Not Available
Vendor-redirect_after_login_projectMarcelotorres
Product-redirect_after_loginRedirect After Login
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3502
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.17% / 37.23%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 06:00
Updated-07 May, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wepluginsUnknown
Product-wp_mapsWP Maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47058
Matching Score-4
Assigner-Mautic
ShareView Details
Matching Score-4
Assigner-Mautic
CVSS Score-2.9||LOW
EPSS-0.19% / 40.06%
||
7 Day CHG~0.00%
Published-18 Sep, 2024 | 21:00
Updated-27 Sep, 2024 | 15:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - stored (edit form HTML field)

With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session.

Action-Not Available
Vendor-acquiaMautic
Product-mauticMautic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-46654
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.12% / 30.04%
||
7 Day CHG~0.00%
Published-20 Sep, 2024 | 00:00
Updated-28 Apr, 2025 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in the Add Scheduled Task module of Maccms10 v2024.1000.4040 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Action-Not Available
Vendor-maccmsn/amaccms
Product-maccmsn/amaccms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47103
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.14% / 33.68%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 15:24
Updated-05 Mar, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling B2B Integrator cross-site scripting

IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-IBM Corporation
Product-sterling_b2b_integratorSterling B2B Integrator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4664
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 41.25%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 06:00
Updated-01 Aug, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Chat App < 3.6.5 - Admin+ Stored XSS

The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Action-Not Available
Vendor-UnknownNinjaTeam
Product-wp_chat_appWP Chat Appwp_chat_app
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27622
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 31.54%
||
7 Day CHG~0.00%
Published-27 Sep, 2023 | 07:53
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GuruWalk Affiliates Plugin <= 1.0.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Abel Ruiz GuruWalk Affiliates plugin <= 1.0.0 versions.

Action-Not Available
Vendor-guruwalkAbel Ruiz
Product-guruwalk_affiliatesGuruWalk Affiliates
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3584
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 37.23%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 06:00
Updated-05 Jun, 2025 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsletter < 8.8.2 - Admin+ Stored XSS via Subscription

The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-thenewsletterpluginUnknown
Product-newsletterNewsletter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27427
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.44%
||
7 Day CHG~0.00%
Published-23 Jun, 2023 | 12:21
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CRM Memberships Plugin <= 1.6 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in NTZApps CRM Memberships plugin <= 1.6 versions.

Action-Not Available
Vendor-ntzappsNTZApps
Product-crm_membershipsCRM Memberships
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-46410
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.27% / 50.53%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 00:00
Updated-23 Apr, 2025 | 01:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PublicCMS V4.0.202406.d was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted script to the Category Managment feature

Action-Not Available
Vendor-publiccmsn/apubliccms
Product-publiccmsn/apubliccms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47313
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.1||MEDIUM
EPSS-0.13% / 32.19%
||
7 Day CHG~0.00%
Published-06 Oct, 2024 | 11:23
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Catch Base theme <= 3.4.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchthemes Catch Base catch-base allows Stored XSS.This issue affects Catch Base: from n/a through <= 3.4.6.

Action-Not Available
Vendor-catchthemescatchthemes
Product-catch_baseCatch Base
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27617
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 31.54%
||
7 Day CHG~0.00%
Published-27 Sep, 2023 | 05:22
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RSVPMarker Plugin <= 10.6.6 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in David F. Carr RSVPMaker plugin <= 10.6.6 versions.

Action-Not Available
Vendor-carrcommunicationsDavid F. Carr
Product-rsvpmakerRSVPMaker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26534
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 24.25%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 11:51
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Repost Plugin <= 0.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in OneWebsite WP Repost plugin <= 0.1 versions.

Action-Not Available
Vendor-onewebsiteOneWebsite
Product-wp_repostWP Repost
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4621
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 37.81%
||
7 Day CHG~0.00%
Published-07 Jun, 2024 | 06:00
Updated-01 May, 2025 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ArForms < 6.6 - Admin+ Stored XSS

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-reputeinfosystemsUnknownreputeinfosystems
Product-arformsARForms - Premium WordPress Form Builder Pluginarforms_form_builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-46538
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.3||CRITICAL
EPSS-83.65% / 99.30%
||
7 Day CHG~0.00%
Published-22 Oct, 2024 | 00:00
Updated-30 Oct, 2024 | 20:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.

Action-Not Available
Vendor-netgaten/apfsense
Product-pfsensen/apfsense
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47381
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 32.19%
||
7 Day CHG~0.00%
Published-05 Oct, 2024 | 14:58
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Slider & Popup Builder by Depicter plugin <= 3.2.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Depicter Slider depicter allows Stored XSS.This issue affects Depicter Slider: from n/a through <= 3.2.2.

Action-Not Available
Vendor-Depicter (Averta)
Product-depicter_sliderDepicter Slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-46980
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.13% / 32.46%
||
7 Day CHG~0.00%
Published-14 Oct, 2024 | 17:41
Updated-16 Oct, 2024 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tuleap vulnerable to XSS in the HTML mail content of the cross reference field

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.37, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6, a site administrator could create an artifact link type with a forward label allowing them to execute uncontrolled code (or at least achieve content injection) in a mail client. Tuleap Community Edition 15.13.99.37, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6 fix this issue.

Action-Not Available
Vendor-Enalean SAS
Product-tuleaptuleap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2707
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.09% / 25.47%
||
7 Day CHG~0.00%
Published-27 Nov, 2023 | 16:22
Updated-05 Jun, 2025 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Appointment booking addon for Gravity Forms <= 1.9.5.1 - Admin+ Stored XSS

The gAppointments WordPress plugin through 1.9.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-gappointmentsUnknowngappointments
Product-gappointmentsgAppointmentsgappointments
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1819
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-2.4||LOW
EPSS-0.35% / 57.38%
||
7 Day CHG~0.00%
Published-24 May, 2022 | 05:25
Updated-15 Apr, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Student Information System Student Roll Module cross site scripting

A vulnerability, which was classified as problematic, was found in Student Information System 1.0. Affected is admin/?page=students of the Student Roll module. The manipulation with the input <script>alert(1)</script> leads to authenticated cross site scripting. Exploit details have been disclosed to the public.

Action-Not Available
Vendor-student_information_system_projectunspecified
Product-student_information_systemStudent Information System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3504
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.17% / 37.23%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 06:00
Updated-07 May, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wepluginsUnknown
Product-wp_mapsWP Maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26541
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.44%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 08:56
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress asMember Plugin <= 1.5.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alexander Suess asMember plugin <= 1.5.4 versions.

Action-Not Available
Vendor-asmember_projectAlexander Suess
Product-asmemberasMember
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-46237
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.15% / 35.20%
||
7 Day CHG~0.00%
Published-09 Oct, 2024 | 00:00
Updated-22 Oct, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHPGurukul Hospital Management System 4.0 is vulnerable to Cross Site Scripting (XSS) via the patname, pataddress, and medhis parameters in doctor/add-patient.php and doctor/edit-patient.php.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-hospital_management_systemn/ahospital_management_system
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3581
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 37.23%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 06:00
Updated-12 Jun, 2025 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsletter < 8.8.5 - Admin+ Stored XSS via Widget

The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-thenewsletterpluginUnknown
Product-newsletterNewsletter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 70
  • 71
  • Next
Details not found