Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-5605

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-06 Nov, 2023 | 20:42
Updated At-02 Aug, 2024 | 08:07
Rejected At-
Credits

URL Shortify < 1.7.9.1 - Admin+ Stored XSS

The URL Shortify WordPress plugin before 1.7.9.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:06 Nov, 2023 | 20:42
Updated At:02 Aug, 2024 | 08:07
Rejected At:
▼CVE Numbering Authority (CNA)
URL Shortify < 1.7.9.1 - Admin+ Stored XSS

The URL Shortify WordPress plugin before 1.7.9.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affected Products
Vendor
Unknown
Product
URL Shortify
Collection URL
https://wordpress.org/plugins
Default Status
unaffected
Versions
Affected
  • From 0 before 1.7.9.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-Site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-Site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Bartlomiej Marek and Tomasz Swiadek
coordinator
WPScan
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpscan.com/vulnerability/9ec03ef0-0c04-4517-b761-df87af722a64
exploit
vdb-entry
technical-description
Hyperlink: https://wpscan.com/vulnerability/9ec03ef0-0c04-4517-b761-df87af722a64
Resource:
exploit
vdb-entry
technical-description
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpscan.com/vulnerability/9ec03ef0-0c04-4517-b761-df87af722a64
exploit
vdb-entry
technical-description
x_transferred
Hyperlink: https://wpscan.com/vulnerability/9ec03ef0-0c04-4517-b761-df87af722a64
Resource:
exploit
vdb-entry
technical-description
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:06 Nov, 2023 | 21:15
Updated At:04 Dec, 2023 | 11:15

The URL Shortify WordPress plugin before 1.7.9.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CPE Matches

kaizencoders
kaizencoders
>>url_shortify>>Versions up to 1.7.8(inclusive)
cpe:2.3:a:kaizencoders:url_shortify:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://wpscan.com/vulnerability/9ec03ef0-0c04-4517-b761-df87af722a64contact@wpscan.com
Exploit
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/9ec03ef0-0c04-4517-b761-df87af722a64
Source: contact@wpscan.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

3550Records found

CVE-2023-3129
Matching Score-10
Assigner-WPScan
ShareView Details
Matching Score-10
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.47% / 37.28%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 12:40
Updated-12 Nov, 2024 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
URL Shortify < 1.7.0 - Admin+ Cross Site Scripting

The URL Shortify WordPress plugin before 1.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-kaizencodersUnknown
Product-url_shortifyURL Shortify
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3130
Matching Score-10
Assigner-WPScan
ShareView Details
Matching Score-10
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.43% / 34.53%
||
7 Day CHG~0.00%
Published-31 Jul, 2023 | 09:37
Updated-21 Oct, 2024 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Short URL < 1.6.5 - Admin+ Cross Site Scripting

The Short URL WordPress plugin before 1.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-kaizencodersUnknown
Product-short_urlShort URL
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1602
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.40% / 31.98%
||
7 Day CHG+0.07%
Published-29 Jun, 2023 | 01:56
Updated-28 Oct, 2024 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Short URL plugin for WordPress is vulnerable to stored Cross-Site Scripting via the 'comment' parameter due to insufficient input sanitization and output escaping in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-kaizencoderskaizencoders
Product-short_urlShort URL
CVE-2024-32138
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.35% / 27.06%
||
7 Day CHG~0.00%
Published-15 Apr, 2024 | 07:05
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Short URL plugin <= 1.6.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KaizenCoders Short URL allows Reflected XSS.This issue affects Short URL: from n/a through 1.6.8.

Action-Not Available
Vendor-kaizencodersKaizenCoders
Product-short_urlShort URL
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13362
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.28% / 19.46%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 05:29
Updated-01 May, 2026 | 13:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-damian-gorawpsaadessekianicheaddonsbpluginscodesavorysenolsxplodedthemestonyzeoli100pluginswebba-agencymapstersamdanitakanakuihkdigitalagencytobias_conradpagupparetodigitaltripettooceanwppluginswareelliotvsblackandwhitedigitalwpbitsenwebyuriahs-victorsaadiqbalunitecmsgn_themessjavedmohsinofflinehasanazizulgallerycreatorpremmercenitin247themelocationspiderdevsbensibleysebettickerawordpluswpspeedocyclonecodeinaviiseezeeelespareimtiazrayhankofimokomedavidandersonprinceahmedinfornwebgowebsmartymr2pkaizencodersspeedifymeowcrewsmartwpresspluginscafeblocksparemattpramschufer5starpluginsfullworksvinod-dalviinteractivegeomapsmikewire_rocksolidpeterschulznltheafricanbossmihail-barinovjosevegarebelcodewebheadllcpassionatebrainswpdeverlitonice13tobiasbgfoopluginswpjolipluginandplaybouncingsproutwebfactoryprasadkirpekardashlabsltdmhmrajibcyberhobokoen12344cleverpluginsspicethemesinvisnettoddhalfpennyyuvaloplugins360kairainfosatechstreamweaselsmte90wpmagicsBiplob Adhikari (Oxilab Development)AF themes
Product-Post to Google My Business (Google Business Profile)Mapster WP MapsShare This ImageFeatured Images in RSS for Mailchimp & MoreBetter Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private MessagesGo Fetch Jobs (for WP Job Manager)Post Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post SliderMixed Media Gallery BlocksFive-Star Ratings ShortcodeAI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4oAI Puffer – Chat. Create. Automate. (formerly AI Power)Auto-Install Free SSL – Generate & Install Free SSL CertificatesCarousel, Recent Post Slider and Banner SliderDisable Payment Methods based on cart conditions for WooCommerceXT Floating Cart for WooCommercePrimary Addon for ElementorUnlimited Elements For ElementorNotification Bar, Announcement and Cookie Notice WordPress Plugin – FooBarEasy Appointment Booking & Scheduling System – Webba Booking CalendarXT Quick View for WooCommerceWOW Styler for CF7 – Visual Styler for Contact Form 7 FormsEazyDocs – AI Powered Knowledge Base, Wiki, Documentation & FAQ BuilderMessage Filter for Contact Form 7Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppTreePress – Easy Family Trees & Ancestor ProfilesEasy Age VerifyRadio Station by netmix® – Manage and play your Show Schedule in WordPress!GA4WP – Analytics Dashboard for the WebsiteEmbedder for Google ReviewsPremmerce Permalink Manager for WooCommerceSolid Testimonials – Testimonial Slider, Video Testimonials & Customer ReviewsWP Notification BellCustom WooCommerce Checkout Fields EditorWP fail2ban – Advanced SecurityInternal Link Juicer: SEO Auto Linker for WordPressAdvanced Classifieds & Directory ProWPBITS Addons For Elementor Page BuilderMenu Image, Icons made easyFile Manager for Google Drive – Integrate Google DriveWP Meta and Date RemoverGeo MashupBlog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, NewsGlossaryEleSpare – News, Magazine and Blog Addons for ElementorJustified GalleryStreamWeasels Twitch IntegrationWP Books Gallery – Build Stunning Book Showcases & Libraries in MinutesPremmerce Product Filter for WooCommerceBulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)Ivory Search – WordPress Search PluginAnnouncement & Notification Banner – BulletinWPIDE – File Manager & Code EditorWP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL ScanbBlocks – Essential Gutenberg Blocks & Patterns CollectionDynamic Copyright YearDisplay Eventbrite EventsRestaurant & Cafe Addon for ElementorSpotlight Social Feeds – Block, Shortcode, and WidgetLogo Showcase – Responsive Logo Carousel, Logo Slider & Logo GridWordPress form builder plugin for contact forms, surveys and quizzes – TripettoWP Coupons and Deals – Coupon Plugin For Affiliate MarketersThank You Page for WooCommerceGoal Tracker – Custom Event Tracking for GA4Post List Designer – Category Post, Recent Post, Post ListWP Data Access – App Builder for Tables, Forms, Charts, Maps & DashboardsRestrict – membership, site, content and user access restrictions for WordPressKikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerceJoli Table Of ContentsCheckout with Cash App on WooCommerceIndependent AnalyticsEvents Addon for ElementorAutomatic Internal Links for SEO by PagupUltimeterPay For Post with WooCommerceTeam Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and MoreYASR – Yet Another Star Rating Plugin for WordPressMaster Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template KitsRole Based Pricing for Woo by Meow CrewOcean ExtraRadio Player – Live Shoutcast, Icecast and Any Audio Stream PlayerMeta Field Block – Display custom fields in the Block Editor without codingOpen User MapTablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, FluentCode ManagerText To Speech TTS AccessibilityAnti-Spam Protection – No API Key, GDPR FriendlyGallery by FooGalleryAutomatic YouTube GalleryStoreCustomizer – A plugin to Customize all WooCommerce PagesWP Page TemplatesAidWP – Donation & Payment Forms (Stripe Powered)WP Post Author – Author Box, Multiple Authors, Guest Authors & Custom AvatarsSecure Gateway for Authorize.net and WooCommerce by Pledged PluginsPayment Gateway for ACBA BANKProduct Layouts for WooCommerceAdvanced Scrollbar – Custom Scrollbar Styling and BehaviorSecurity Ninja – WordPress Security & FirewallXT Variation Swatches for WooCommerceDelete Posts automaticallyWidgets on PagesTablePress – Tables in WordPress made easyContact Form 7 Multi-Step FormsRevivePress – Keep your Old Content EvergreenHTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio PlayerAEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image OptimizationAWCA – The Great Analytics Insights for Your eStoreImage Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AISmart phone field for Gravity FormsBulk Edit Posts and Products in SpreadsheetMarijuana Age VerifyForumax – AI Powered Advanced Community Forum PluginMusic Player for Elementor – Audio Player & Podcast PlayerFull Screen BackgroundMapGeo – Interactive Geo MapsKnowledge Base documentation & wiki plugin – BasePress DocsBlockSpare — News, Magazine and Blog Addons for (Gutenberg) Block EditorCoupon Affiliates – Affiliate Plugin for WooCommercePlace Order Without Payment for WooCommerceLightbox & Modal Popup WordPress Plugin – FooBoxWP Mobile Menu – The Mobile-Friendly Responsive MenuCustom PHP SettingsInavii Social FeedSend Users Email – Email Subscribers, Email Marketing NewsletterWP Shortcodes Plugin — Shortcodes UltimateDracula Dark Mode – Accessibility, Reading Mode & Dark Mode for WordPressPDF Poster – Display PDF Files with Custom ViewerEasy Social Feed – Social Photos Gallery and Post Feed for WordPressTeam Members ShowcaseURL Shortify – Simple and Easy URL ShortenerTopNewsWp – Display Tikcer News, RSS Feed Widget and Many MoreRemove Add to Cart WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-4294
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.73% / 49.98%
||
7 Day CHG~0.00%
Published-11 Sep, 2023 | 19:46
Updated-02 May, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
URL Shortify < 1.7.6 - Unauthenticated Stored XSS via referer header

The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link.

Action-Not Available
Vendor-kaizencodersUnknown
Product-url_shortifyURL Shortify
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12581
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 10.47%
||
7 Day CHG~0.00%
Published-20 Dec, 2025 | 03:20
Updated-08 Apr, 2026 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Attachments Handler <= 1.1.7 - Reflected Cross-Site Scripting

The Attachments Handler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-kaizencoders
Product-Attachments Handler
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-7485
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.39% / 31.14%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 01:49
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Traffic Manager <= 1.4.5 - Unauthenticated Stored Cross-Site Scripting

The Traffic Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in the 'UserWebStat' AJAX function in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-kaizencoderskaizencoders
Product-Traffic Managertraffic_manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26958
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.46% / 36.54%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 00:00
Updated-02 Aug, 2024 | 12:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin Name parameter.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-park_ticketing_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2169
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.5||MEDIUM
EPSS-0.49% / 38.61%
||
7 Day CHG~0.00%
Published-19 Apr, 2023 | 09:38
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TaxoPress <= 3.6.4 - Authenticated (Editor+) Stored Cross-Site Scripting

The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Related Posts functionality in versions up to, and including, 3.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Editor+ permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-taxopressstevejburge
Product-taxopressTag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2178
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.77% / 51.25%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 13:17
Updated-27 Nov, 2024 | 19:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aajoda Testimonials < 2.2.2 - Admin+ Stored XSS

The Aajoda Testimonials WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownAajoda
Product-aajoda_testimonialsAajoda Testimonials
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2155
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-2.4||LOW
EPSS-0.55% / 42.06%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 14:31
Updated-05 Feb, 2025 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Air Cargo Management System cross site scripting

A vulnerability was found in SourceCodester Air Cargo Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file classes/Master.php?f=save_cargo_type. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-226276.

Action-Not Available
Vendor-air_cargo_management_system_projectSourceCodester
Product-air_cargo_management_systemAir Cargo Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41826
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-3.5||LOW
EPSS-0.30% / 21.35%
||
7 Day CHG-0.01%
Published-22 Jul, 2024 | 14:50
Updated-07 Aug, 2024 | 20:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2168
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.5||MEDIUM
EPSS-0.52% / 40.44%
||
7 Day CHG~0.00%
Published-19 Apr, 2023 | 09:38
Updated-08 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TaxoPress <= 3.6.4 - Authenticated (Editor+) Stored Cross-Site Scripting

The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Suggest Terms Title field in versions up to, and including, 3.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Editor+ permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-taxopressstevejburge
Product-taxopressTag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29496
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-4.8||MEDIUM
EPSS-0.79% / 51.95%
||
7 Day CHG~0.00%
Published-04 Jan, 2021 | 21:15
Updated-17 Sep, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.

Action-Not Available
Vendor-Dell Inc.
Product-wyse_management_suiteWyse Management Suite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2225
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.47% / 37.44%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 11:03
Updated-08 Oct, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SEO ALert <= 1.59 - Admin+ Stored XSS

The SEO ALert WordPress plugin through 1.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-pottieUnknown
Product-seo_alertSEO ALert
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20257
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.36% / 27.84%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 16:55
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct cross-site scripting attacks. This vulnerability is due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by submitting malicious input containing script or HTML content within requests that would stored within the application interface. A successful exploit could allow the attacker to conduct cross-site scripting attacks against other users of the affected application.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_infrastructureevolved_programmable_network_managerCisco Evolved Programmable Network Manager (EPNM)Cisco Prime Infrastructure
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20208
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.46% / 36.89%
||
7 Day CHG~0.00%
Published-21 Nov, 2023 | 18:48
Updated-02 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the web-based management interface of an affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-identity_services_engineCisco Identity Services Engine Software
CWE ID-CWE-87
Improper Neutralization of Alternate XSS Syntax
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2113
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.47% / 37.30%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 07:49
Updated-10 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Autoptimize < 3.1.7 - Admin+ Stored Cross-Site Scripting via Settings Import

The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users (such as an administrator) to inject arbitrary javascript into the admin panel, even when the unfiltered_html capability is disabled, such as in a multisite setup.

Action-Not Available
Vendor-autoptimizeUnknown
Product-autoptimizeAutoptimize
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42901
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.40% / 32.03%
||
7 Day CHG~0.00%
Published-03 Sep, 2024 | 00:00
Updated-03 Jul, 2025 | 13:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file.

Action-Not Available
Vendor-limesurveyn/alimesurvey
Product-limesurveyn/alimesurvey
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2029
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.61% / 44.86%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 12:41
Updated-13 Feb, 2025 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PrePost SEO <= 3.0 - Admin+ Stored Cross-Site Scripting

The PrePost SEO WordPress plugin through 3.0 does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-enzipeUnknown
Product-prepost_seoPrePost SEO
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42771
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.42% / 34.17%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 00:00
Updated-30 Apr, 2025 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored Cross Site Scripting (XSS) vulnerability was found in " /admin/edit_room_controller.php" of the Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via "room_name" parameter.

Action-Not Available
Vendor-jayeshn/aKashipara Group
Product-hotel_management_systemn/ahotel_management_system
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41842
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.8||MEDIUM
EPSS-0.30% / 21.34%
||
7 Day CHG~0.00%
Published-23 Aug, 2024 | 16:53
Updated-07 Oct, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2026
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.52% / 40.48%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 12:40
Updated-02 Aug, 2024 | 06:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Protector <= 1.1 - Admin+ Stored Cross-Site Scripting

The Image Protector WordPress plugin through 1.1 does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-image_protector_projectUnknown
Product-image_protectorImage Protector
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9883
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.36% / 27.82%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 06:00
Updated-06 Nov, 2024 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pods < 3.2.7.1 - Admin+ Stored XSS

The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-podsfoundationUnknownpodsfoundation
Product-podsPodspods
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2028
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.42% / 34.09%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 12:40
Updated-02 Aug, 2024 | 06:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Call Now Accessibility Button < 1.1 - Admin+ Stored Cross Site Scripting

The Call Now Accessibility Button WordPress plugin before 1.1 does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-stpetedesignUnknown
Product-call_now_accessibility_buttonCall Now Accessibility Button
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2325
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.49% / 38.77%
||
7 Day CHG~0.00%
Published-01 Aug, 2022 | 12:52
Updated-03 Aug, 2024 | 00:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Invitation Based Registrations <= 2.2.84 - Admin+ Stored Cross-Site Scripting

The Invitation Based Registrations WordPress plugin through 2.2.84 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-securebitUnknown
Product-invitation_based_registrationsInvitation Based Registrations
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-28457
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.2||HIGH
EPSS-0.87% / 54.48%
||
7 Day CHG~0.00%
Published-15 Dec, 2020 | 15:35
Updated-16 Sep, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS)

This affects the package s-cart/core before 4.4. The search functionality of the admin dashboard in core/src/Admin/Controllers/AdminOrderController.phpindex is vulnerable to XSS.

Action-Not Available
Vendor-s-cartn/a
Product-s-carts-cart/core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2102
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.8||MEDIUM
EPSS-0.50% / 39.34%
||
7 Day CHG~0.00%
Published-15 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in alextselegidis/easyappointments

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Action-Not Available
Vendor-easyappointmentsalextselegidis
Product-easyappointmentsalextselegidis/easyappointments
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20222
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.38% / 29.53%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 21:39
Updated-02 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_infrastructureevolved_programmable_network_managerCisco Prime InfrastructureCisco Evolved Programmable Network Manager (EPNM)
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20188
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.48% / 38.18%
||
7 Day CHG~0.00%
Published-28 Jun, 2023 | 00:00
Updated-02 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Small Business 200 Series Smart Switches, Cisco Small Business 300 Series Managed Switches, and Cisco Small Business 500 Series Stackable Managed Switches could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need to have valid credentials to access the web-based management interface of the affected device. Cisco has not released software updates to address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-sf500-48psf200-24psg500-52p_firmwaresg500x-24mpp_firmwaresf500-48p_firmwaresg300-10p_firmwaresf500-24mp_firmwaresg300-52_firmwaresg300-28mpsf302-08mp_firmwaresg500-52mp_firmwaresf302-08sg300-28pp_firmwaresf200-24sg300-52sg500x-48psg200-26sg500-28sg500x-48sf302-08mpp_firmwaresg200-50p_firmwaresg200-26_firmwaresg500x-48mppsg500x-48p_firmwaresg200-18_firmwaresg200-08psf200-24_firmwaresg300-20sg500-28psf500-48mpsg300-10psg300-52p_firmwaresf300-48ppsg500x-24_firmwaresf200-48sf302-08_firmwaresg300-10mp_firmwaresg500x-24psg200-08p_firmwaresf200-24fp_firmwaresg300-10mpsf300-24_firmwaresf300-48psf300-08sg500-52sg300-10ppsf300-24mp_firmwaresg500-28mpp_firmwaresg200-08sg500-52psg500-52_firmwaresg500x-48mpp_firmwaresg200-10fpsf300-24ppsg200-26fpsg200-26p_firmwaresg300-28sg200-10fp_firmwaresg300-10mpp_firmwaresg500-28p_firmwaresg300-10_firmwaresg500x-24sf300-24p_firmwaresg200-50sg300-52mpsg200-50fp_firmwaresg500x-24p_firmwaresg300-10pp_firmwaresf200-48p_firmwaresf302-08p_firmwaresg200-26fp_firmwaresg200-50psf500-24sg500-52mpsg300-10sf300-48p_firmwaresf200-24fpsg300-52psg300-10mppsg300-28psf300-24sf300-24psf200-48psg200-26psg300-20_firmwaresg200-08_firmwaresf500-24p_firmwaresf302-08mppsg300-28sfpsf302-08mpsg500x-24mppsf300-48pp_firmwaresf500-48sf300-24mpsg300-10sfpsg300-28mp_firmwaresf500-24mpsg200-50fpsf302-08psg300-28_firmwaresf500-24psg500-28mppsf302-08pp_firmwaresf200-24p_firmwaresf302-08ppsf300-48sg300-52mp_firmwaresg200-18sg200-50_firmwaresg500x-48_firmwaresf300-08_firmwaresf200-48_firmwaresg300-10sfp_firmwaresg300-28sfp_firmwaresg500-28_firmwaresf500-24_firmwaresf500-48mp_firmwaresg300-28ppsf300-48_firmwaresf500-48_firmwaresf300-24pp_firmwaresg300-28p_firmwareCisco Small Business Smart and Managed Switches
CWE ID-CWE-87
Improper Neutralization of Alternate XSS Syntax
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2014
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-0.48% / 38.23%
||
7 Day CHG~0.00%
Published-13 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 21:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Generic in microweber/microweber

Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3.

Action-Not Available
Vendor-Microweber (‘Microweber Academy’ Foundation)
Product-microwebermicroweber/microweber
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20242
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.39% / 31.34%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 20:59
Updated-02 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-unified_communications_manager_im_and_presence_serviceunified_communications_managerCisco Unified Communications Manager / Cisco Unity ConnectionCisco Unified Communications ManagerCisco Unified Communications Manager IM and Presence Service
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4256
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-2.4||LOW
EPSS-0.52% / 40.33%
||
7 Day CHG~0.00%
Published-27 Apr, 2024 | 15:31
Updated-23 Jun, 2025 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Techkshetra Info Solutions Savsoft Quiz Category Page editCategory cross site scripting

A vulnerability was found in Techkshetra Info Solutions Savsoft Quiz 6.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /public/index.php/Qbank/editCategory of the component Category Page. The manipulation of the argument category_name with the input ><script>alert('XSS')</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-262148. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-techkshetrainfoTechkshetra Info Solutions
Product-savsoft_quizSavsoft Quiz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1982
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.38% / 29.90%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 14:22
Updated-01 Oct, 2024 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Front Editor <= 4.0.4 - Admin+ Stored XSS

The Front Editor WordPress plugin through 4.0.4 does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-aleksanaharonyanUnknown
Product-front_editorGuest posting / Frontend Posting wordpress plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1400
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.50% / 39.23%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 15:37
Updated-23 Apr, 2025 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Modern Events Calendar lite < 6.5.2 - Admin+ Stored XSS

The Modern Events Calendar Lite WordPress plugin before 6.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-webnusUnknown
Product-modern_events_calendar_liteModern Events Calendar Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1159
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4||MEDIUM
EPSS-0.37% / 29.32%
||
7 Day CHG~0.00%
Published-02 Jun, 2023 | 06:06
Updated-20 Dec, 2024 | 23:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via service titles in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-booking-wp-pluginladela
Product-booklyWordPress Online Booking and Scheduling Plugin – Bookly
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1839
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.46% / 36.74%
||
7 Day CHG~0.00%
Published-15 May, 2023 | 12:15
Updated-24 Jan, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Addons & Fields for WooCommerce < 32.0.6 - Admin+ Stored Cross-Site Scripting

The Product Addons & Fields for WooCommerce WordPress plugin before 32.0.6 does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

Action-Not Available
Vendor-UnknownThemeisle
Product-product_addons_\&_fields_for_woocommerceProduct Addons & Fields for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1772
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.60% / 44.37%
||
7 Day CHG~0.00%
Published-31 Mar, 2023 | 11:31
Updated-11 Feb, 2025 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DataGear Diagram Type cross site scripting

A vulnerability was found in DataGear up to 4.5.1. It has been classified as problematic. This affects an unknown part of the component Diagram Type Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-224673 was assigned to this vulnerability.

Action-Not Available
Vendor-datagearn/a
Product-datagearDataGear
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1081
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.7||MEDIUM
EPSS-0.43% / 34.86%
||
7 Day CHG~0.00%
Published-28 Feb, 2023 | 00:00
Updated-02 Aug, 2024 | 05:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in microweber/microweber

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.

Action-Not Available
Vendor-Microweber (‘Microweber Academy’ Foundation)
Product-microwebermicroweber/microweber
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1841
Matching Score-4
Assigner-Honeywell International Inc.
ShareView Details
Matching Score-4
Assigner-Honeywell International Inc.
CVSS Score-8.1||HIGH
EPSS-0.37% / 29.20%
||
7 Day CHG~0.00%
Published-29 Feb, 2024 | 05:09
Updated-04 Mar, 2025 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Honeywell MPA2 Web Application XSS vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05.  Honeywell released firmware update package MPA2 firmware R1.00.08.05 which addresses this vulnerability. This version and all later versions correct the reported vulnerability.

Action-Not Available
Vendor-Honeywell International Inc.
Product-mpa2mpa2_firmwareMPA2 Access Panelmpa2_access_panel
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1120
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.44% / 35.50%
||
7 Day CHG~0.00%
Published-10 Apr, 2023 | 13:18
Updated-11 Feb, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Giveaways < 2.45.1 - Admin+ Stored XSS

The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-ibenicUnknown
Product-simple_giveawaysSimple Giveaways
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1988
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.65% / 46.51%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 18:31
Updated-02 Aug, 2024 | 06:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Online Computer and Laptop Store cross site scripting

A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/?page=maintenance/brand. The manipulation of the argument Brand Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-225536.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-online_computer_and_laptop_storeOnline Computer and Laptop Store
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41960
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.8||LOW
EPSS-0.31% / 22.52%
||
7 Day CHG~0.00%
Published-05 Aug, 2024 | 19:59
Updated-19 Sep, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) via Relay Hosts Configuration in mailcow: dockerized

mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-mailcowmailcow
Product-mailcow\mailcow-dockerized
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1090
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.53% / 41.23%
||
7 Day CHG~0.00%
Published-02 May, 2023 | 07:04
Updated-30 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP SMTP Mailing Queue < 2.0.1 - Admin+ Stored XSS

The SMTP Mailing Queue WordPress plugin before 2.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-smtp_mailing_queue_projectUnknown
Product-smtp_mailing_queueSMTP Mailing Queue
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1649
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.44% / 35.51%
||
7 Day CHG~0.00%
Published-08 May, 2023 | 13:58
Updated-12 May, 2025 | 15:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ChatBot < 4.5.1 - Admin+ Stored XSS

The AI ChatBot WordPress plugin before 4.5.1 does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-quantumcloudUnknown
Product-wpbotAI ChatBot
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1614
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.50% / 39.23%
||
7 Day CHG~0.00%
Published-02 May, 2023 | 07:04
Updated-30 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Custom Author URL < 1.0.5 - Admin+ Stored XSS

The WP Custom Author URL WordPress plugin before 1.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wp_custom_author_url_projectUnknown
Product-wp_custom_author_urlWP Custom Author URL
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1212
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.9||MEDIUM
EPSS-0.47% / 37.52%
||
7 Day CHG~0.00%
Published-06 Mar, 2023 | 00:00
Updated-06 Mar, 2025 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in phpipam/phpipam

Cross-site Scripting (XSS) - Stored in GitHub repository phpipam/phpipam prior to v1.5.2.

Action-Not Available
Vendor-phpipamphpipam
Product-phpipamphpipam/phpipam
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1525
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.50% / 39.23%
||
7 Day CHG~0.00%
Published-02 May, 2023 | 07:04
Updated-30 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Site Reviews < 6.7.1 - Admin+ Stored XSS

The Site Reviews WordPress plugin before 6.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-geminilabsUnknown
Product-site_reviewsSite Reviews
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1517
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4||MEDIUM
EPSS-0.40% / 32.12%
||
7 Day CHG~0.00%
Published-20 Mar, 2023 | 00:00
Updated-26 Feb, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - DOM in pimcore/pimcore

Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore/pimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 70
  • 71
  • Next
Details not found