Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-6732

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-16 Jan, 2024 | 15:57
Updated At-02 Jun, 2025 | 15:09
Rejected At-
Credits

Ultimate Maps by Supsystic < 1.2.16 - Admin+ Stored XSS

The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:16 Jan, 2024 | 15:57
Updated At:02 Jun, 2025 | 15:09
Rejected At:
▼CVE Numbering Authority (CNA)
Ultimate Maps by Supsystic < 1.2.16 - Admin+ Stored XSS

The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Affected Products
Vendor
Unknown
Product
Ultimate Maps by Supsystic
Collection URL
https://wordpress.org/plugins
Default Status
unaffected
Versions
Affected
  • From 0 before 1.2.16 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-Site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-Site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Mert Umut
coordinator
WPScan
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/aaf91707-f03b-4f25-bca9-9fac4945002a/
exploit
vdb-entry
technical-description
Hyperlink: https://wpscan.com/vulnerability/aaf91707-f03b-4f25-bca9-9fac4945002a/
Resource:
exploit
vdb-entry
technical-description
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/aaf91707-f03b-4f25-bca9-9fac4945002a/
exploit
vdb-entry
technical-description
x_transferred
Hyperlink: https://wpscan.com/vulnerability/aaf91707-f03b-4f25-bca9-9fac4945002a/
Resource:
exploit
vdb-entry
technical-description
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:16 Jan, 2024 | 16:15
Updated At:02 Jun, 2025 | 15:15

The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Secondary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CPE Matches
supsystic
supsystic
>>ultimate_maps>>Versions before 1.2.16(exclusive)
cpe:2.3:a:supsystic:ultimate_maps:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://wpscan.com/vulnerability/aaf91707-f03b-4f25-bca9-9fac4945002a/contact@wpscan.com
Third Party Advisory
https://wpscan.com/vulnerability/aaf91707-f03b-4f25-bca9-9fac4945002a/af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/aaf91707-f03b-4f25-bca9-9fac4945002a/
Source: contact@wpscan.com
Resource:
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/aaf91707-f03b-4f25-bca9-9fac4945002a/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

3198Records found
CVE-2021-39346
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-4.8||MEDIUM
EPSS-0.43% / 61.77%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 20:59
Updated-31 Mar, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Google Maps Easy <= 1.9.33 Authenticated Stored Cross-Site Scripting

The Google Maps Easy WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.9.33. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Action-Not Available
Vendor-supsysticGoogle Maps Easy
Product-easy_google_mapsGoogle Maps Easy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2384
Matching Score-10
Assigner-WPScan
ShareView Details
Matching Score-10
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.10%
||
7 Day CHG~0.00%
Published-15 Aug, 2022 | 08:37
Updated-03 Aug, 2024 | 00:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Digital Publications by Supsystic < 1.7.4 - Admin+ Stored Cross-Site Scripting

The Digital Publications by Supsystic WordPress plugin before 1.7.4 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-supsysticUnknown
Product-digital_publications_by_supsysticDigital Publications by Supsystic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2114
Matching Score-10
Assigner-WPScan
ShareView Details
Matching Score-10
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.19% / 41.71%
||
7 Day CHG~0.00%
Published-17 Jul, 2022 | 10:36
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Data Tables Generator by Supsystic < 1.10.20 - Admin+ Stored Cross-Site Scripting

The Data Tables Generator by Supsystic WordPress plugin before 1.10.20 does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-supsysticUnknown
Product-data_tables_generatorData Tables Generator by Supsystic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-29921
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.12% / 31.97%
||
7 Day CHG~0.00%
Published-27 Mar, 2024 | 07:14
Updated-10 Mar, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Photo Gallery by Supsystic plugin <= 1.15.16 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Supsystic Photo Gallery by Supsystic allows Stored XSS.This issue affects Photo Gallery by Supsystic: from n/a through 1.15.16.

Action-Not Available
Vendor-supsysticSupsystic
Product-photo_galleryPhoto Gallery by Supsystic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-49191
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.14% / 33.93%
||
7 Day CHG~0.00%
Published-15 Dec, 2023 | 15:13
Updated-02 Aug, 2024 | 21:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GDPR Cookie Consent by Supsystic Plugin <= 2.1.2 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Supsystic GDPR Cookie Consent by Supsystic allows Stored XSS.This issue affects GDPR Cookie Consent by Supsystic: from n/a through 2.1.2.

Action-Not Available
Vendor-supsysticSupsystic
Product-gdpr_cookie_consentGDPR Cookie Consent by Supsystic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24274
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-5.51% / 89.86%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 18:28
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Maps by Supsystic < 1.2.5 - Reflected Cross-Site scripting (XSS)

The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

Action-Not Available
Vendor-supsysticSupsystic
Product-ultimate_mapsUltimate Maps by Supsystic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5219
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 42.25%
||
7 Day CHG~0.00%
Published-02 Jul, 2024 | 06:49
Updated-01 Aug, 2024 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Google Maps <= 1.11.15 - Authenticated (Author+) Stored Cross-Site Scripting

The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-supsysticsupsysticcomsupsystic
Product-easy_google_mapsEasy Google Mapseasy_google_maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9393
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-0.26% / 49.04%
||
7 Day CHG~0.00%
Published-25 Feb, 2020 | 18:06
Updated-04 Aug, 2024 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS.

Action-Not Available
Vendor-supsysticn/a
Product-pricing_table_by_supsysticn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46782
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 42.22%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:50
Updated-04 Aug, 2024 | 05:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pricing Table by Supsystic < 1.9.5 - Reflected Cross-Site Scripting

The Pricing Table by Supsystic WordPress plugin before 1.9.5 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-supsysticUnknown
Product-price_tablePricing Table by Supsystic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46780
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 42.22%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:50
Updated-04 Aug, 2024 | 05:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Google Maps < 1.9.32 - Reflected Cross-Site Scripting

The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-supsysticUnknown
Product-easy_google_mapsEasy Google Maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24275
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-5.90% / 90.25%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 18:28
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Popup by Supsystic < 1.10.5 - Reflected Cross-Site scripting (XSS)

The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

Action-Not Available
Vendor-supsysticSupsystic
Product-popupPopup by Supsystic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24276
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-8.37% / 91.93%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 18:28
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)

The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

Action-Not Available
Vendor-supsysticSupsystic
Product-contact_formContact Form by Supsystic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29204
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.8||MEDIUM
EPSS-0.11% / 30.35%
||
7 Day CHG~0.00%
Published-25 May, 2021 | 13:37
Updated-03 Aug, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

Action-Not Available
Vendor-n/aHP Inc.
Product-proliant_dl360_gen10_serverproliant_dl325_gen10_plus_serverproliant_dl385_gen10_serverproliant_dl580_gen10_serverproliant_dl560_gen10_serverproliant_xl270d_gen10_serverproliant_bl460c_gen10_server_bladesimplivity_2600proliant_dl385_gen10_plus_serverintegrated_lights-out_4proliant_xl170r_gen10_serverproliant_ml350_gen10_serverproliant_dl120_gen10_serverproliant_dl380_gen10_serverproliant_xl450_gen10_serversimplivity_380_gen10_gproliant_ml30_gen10_serverproliant_xl230k_gen10_serverproliant_xl190r_gen10_serverproliant_ml110_gen10_serverintegrated_lights-out_5simplivity_380_gen9proliant_dl160_gen10_serversimplivity_380_gen10proliant_dl180_gen10_serverproliant_dl325_gen10_serverproliant_dl20_gen10_serversimplivity_325simplivity_380_gen10_hHPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-51495
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 25.20%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 15:44
Updated-20 Nov, 2024 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/dev-overview-data.inc.php

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the Device Overview page allows authenticated users to inject arbitrary JavaScript through the "overwrite_ip" parameter when editing a device. This vulnerability results in the execution of malicious code when the device overview page is visited, potentially compromising the accounts of other users. This vulnerability is fixed in 24.10.0.

Action-Not Available
Vendor-LibreNMS
Product-librenmslibrenmslibrenms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3111
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.61% / 68.68%
||
7 Day CHG~0.00%
Published-08 Jan, 2021 | 14:18
Updated-03 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI.

Action-Not Available
Vendor-concretecmsn/a
Product-concrete_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-6332
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.24% / 46.45%
||
7 Day CHG~0.00%
Published-09 Jan, 2020 | 18:23
Updated-04 Aug, 2024 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential security vulnerability has been identified with certain HP InkJet printers. The vulnerability could be exploited to allow cross-site scripting (XSS). Affected products and versions include: HP DeskJet 2600 All-in-One Printer series model numbers 4UJ28B, V1N01A - V1N08A, Y5H60A - Y5H80A; HP DeskJet Ink Advantage 2600 All-in-One Printer series model numbers V1N02A - V1N02B, Y5Z00A - Y5Z04B; HP DeskJet Ink Advantage 5000 All-in-One Printer series model numbers M2U86A - M2U89B; HP DeskJet Ink Advantage 5200 All-in-One Printer series model numbers M2U76A - M2U78B; HP ENVY 5000 All-in-One Printer series model numbers M2U85A - M2U85B, M2U91A - M2U94B, Z4A54A - Z4A74A; HP ENVY Photo 6200 All-in-One Printer series model numbers K7G18A-K7G26B, K7S21B, Y0K13D - Y0K15A; HP ENVY Photo 7100 All-in-One Printer series model numbers 3XD89A, K7G93A-K7G99A, Z3M37A - Z3M52A; HP ENVY Photo 7800 All-in-One Printer series model numbers K7R96A, K7S00A - K7S10D, Y0G42D - Y0G52B; HP Ink Tank Wireless 410 series model numbers Z4B53A - Z4B55A, Z6Z95A - Z6Z99A, 4DX94A - 4DX95A, 4YF79A, Z7A01A; HP OfficeJet 5200 All-in-One Printer series model numbers M2U75A, M2U81A-M2U84B, Z4B12A - Z4B14A, Z4B27A - Z4B29A; HP Smart Tank Wireless 450 series model numbers Z4B56A, Z6Z96A - Z6Z98A.

Action-Not Available
Vendor-HP Inc.
Product-envy_photo_6200_y0k15aink_tank_wireless_410_z6z95a_firmwaredeskjet_ink_advantage_5200_m2u78b_firmwareenvy_photo_7100_k7g99aenvy_photo_6200_y0k13d__firmwareenvy_5000_m2u85b_firmwaredeskjet_ink_advantage_2600_y5z00aenvy_5000_z4a74aofficejet_5200_m2u75a_firmwaredeskjet_ink_advantage_5000_m2u86aofficejet_5200_z4b12aenvy_5000_m2u85adeskjet_ink_advantage_2600_v1n02a_firmwaredeskjet_ink_advantage_2600_v1n02benvy_photo_7100_3xd89aenvy_photo_7800_k7s00a_firmwareenvy_5000_m2u85a_firmwaredeskjet_2600_y5h60aenvy_photo_7800_k7r96a_firmwareenvy_photo_7100_k7g99a_firmwareink_tank_wireless_410_z4b55asmart_tank_wireless_450_z6z96a_firmwareenvy_photo_7100_k7g93a_firmwareink_tank_wireless_410_z7a01a_firmwaredeskjet_2600_v1n01a_firmwareenvy_5000_m2u94bofficejet_5200_m2u84b_firmwareink_tank_wireless_410_z4b53a_firmwareenvy_photo_6200_k7s21bdeskjet_ink_advantage_2600_y5z04bdeskjet_ink_advantage_5200_m2u78bofficejet_5200_z4b27a_firmwaredeskjet_ink_advantage_2600_y5z00a_firmwareenvy_photo_6200_k7g26b_firmwareink_tank_wireless_410_z4b53adeskjet_2600_v1n08adeskjet_ink_advantage_5000_m2u86a_firmwareofficejet_5200_z4b29aenvy_photo_7100_3xd89a_firmwareenvy_5000_z4a74a_firmwareenvy_5000_m2u91adeskjet_ink_advantage_2600_v1n02b_firmwareink_tank_wireless_410_4yf79aofficejet_5200_z4b27aenvy_photo_6200_y0k13d_officejet_5200_z4b14a_firmwareink_tank_wireless_410_z6z95aofficejet_5200_m2u84bdeskjet_2600_v1n01aink_tank_wireless_410_z4b55a_firmwareenvy_photo_6200_k7s21b_firmwaredeskjet_2600_y5h80aofficejet_5200_z4b12a_firmwaresmart_tank_wireless_450_z6z96adeskjet_2600_4uj28bdeskjet_2600_v1n08a_firmwareenvy_5000_m2u94b_firmwaredeskjet_2600_4uj28b_firmwareenvy_photo_7100_z3m52aenvy_photo_7800_y0g52b_firmwareenvy_photo_7800_y0g52bofficejet_5200_m2u81aenvy_photo_6200_y0k15a_firmwaredeskjet_2600_y5h80a_firmwareenvy_photo_7800_y0g42dsmart_tank_wireless_450_z4b56a_firmwaresmart_tank_wireless_450_z6z98a_firmwareink_tank_wireless_410_z6z99adeskjet_ink_advantage_2600_v1n02aenvy_photo_6200_k7g18adeskjet_ink_advantage_5200_m2u76a_firmwareink_tank_wireless_410_4dx95aenvy_photo_7800_y0g42d_firmwaresmart_tank_wireless_450_z6z98aenvy_photo_7100_z3m37adeskjet_2600_y5h60a_firmwareenvy_photo_7100_k7g93aenvy_photo_7800_k7r96aink_tank_wireless_410_4dx94adeskjet_ink_advantage_5200_m2u76a_ink_tank_wireless_410_4yf79a_firmwareenvy_photo_6200_k7g26bofficejet_5200_m2u81a_firmwareink_tank_wireless_410_4dx95a_firmwareofficejet_5200_z4b14adeskjet_ink_advantage_5000_m2u89b_firmwareenvy_5000_m2u85benvy_photo_6200_k7g18a_firmwaresmart_tank_wireless_450_z4b56aink_tank_wireless_410_z7a01aofficejet_5200_m2u75aink_tank_wireless_410_z6z99a_firmwareenvy_photo_7100_z3m52a_firmwareink_tank_wireless_410_4dx94a_firmwareenvy_photo_7800_k7s10d_firmwareenvy_photo_7100_z3m37a_firmwareenvy_5000_m2u91a_firmwareenvy_photo_7800_k7s10denvy_5000_z4a54a_firmwareenvy_photo_7800_k7s00adeskjet_ink_advantage_5000_m2u89benvy_5000_z4a54aofficejet_5200_z4b29a_firmwaredeskjet_ink_advantage_2600_y5z04b_firmwareHP ENVY Photo 7800 All-in-One Printer seriesHP DeskJet Ink Advantage 2600 All-in-One Printer seriesHP ENVY 5000 All-in-One Printer seriesHP DeskJet Ink Advantage 5000 All-in-One Printer seriesHP ENVY Photo 7100 All-in-One Printer seriesHP Ink Tank Wireless 410 seriesHP DeskJet 2600 All-in-One Printer seriesHP OfficeJet 5200 All-in-One Printer seriesHP Smart Tank Wireless 450 seriesHP ENVY Photo 6200 All-in-One Printer seriesHP DeskJet Ink Advantage 5200 All-in-One Printer series
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3647
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 42.05%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 15:54
Updated-20 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IURNY by INDIGITALL < 3.2.3 - Admin+ Stored XSS

The IURNY by INDIGITALL WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-indigitallUnknown
Product-iurnyIURNY by INDIGITALL
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-7185
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.33%
||
7 Day CHG~0.00%
Published-05 Dec, 2019 | 16:48
Updated-04 Aug, 2024 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This cross-site scripting (XSS) vulnerability in Music Station allows remote attackers to inject and execute scripts on the administrator’s management console. To fix this vulnerability, QNAP recommend updating Music Station to their latest versions.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-music_stationqtsQNAP NAS devices running Music Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-51947
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
ShareView Details
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 8.62%
||
7 Day CHG~0.00%
Published-03 Mar, 2025 | 19:38
Updated-10 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS vulnerability in Rest Services under Layer name

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Action-Not Available
Vendor-Environmental Systems Research Institute, Inc. ("Esri")
Product-arcgis_serverArcGIS Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35779
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-19 Jun, 2023 | 13:21
Updated-10 Oct, 2024 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Seed Fonts Plugin 2.3.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Seed Webs Seed Fonts plugin <= 2.3.1 versions.

Action-Not Available
Vendor-seedwebsSeed Webs
Product-seed_fontsSeed Fonts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36692
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.68%
||
7 Day CHG~0.00%
Published-08 Aug, 2023 | 10:05
Updated-19 Feb, 2025 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP-Cirrus Plugin <= 0.6.11 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Christian Kramer & Hendrik Thole WP-Cirrus plugin <= 0.6.11 versions.

Action-Not Available
Vendor-wp-cirrus_projectChristian Kramer & Hendrik Thole
Product-wp-cirrusWP-Cirrus
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-30899
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.17%
||
7 Day CHG~0.00%
Published-08 Jun, 2022 | 15:51
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting vulnerabilty exists in PartKeepr 1.4.0 via the 'name' field in /api/part_categories.

Action-Not Available
Vendor-partkeeprn/a
Product-partkeeprn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3645
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 25.31%
||
7 Day CHG~0.00%
Published-14 Aug, 2023 | 19:10
Updated-09 Oct, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form Builder by Bit Form < 2.2.0 - Admin+ Stored XSS

The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-bitappsUnknown
Product-contact_form_builderContact Form Builder by Bit Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35878
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.12% / 31.00%
||
7 Day CHG~0.00%
Published-20 Jun, 2023 | 07:57
Updated-10 Oct, 2024 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Extra User Details Plugin <= 0.5 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Vadym K. Extra User Details plugin <= 0.5 versions.

Action-Not Available
Vendor-extra_user_details_projectVadym K.
Product-extra_user_detailsExtra User Details
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3650
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-1.23% / 78.33%
||
7 Day CHG~0.00%
Published-07 Aug, 2023 | 14:31
Updated-15 Oct, 2024 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bubble Menu < 3.0.5 - Admin+ Stored XSS

The Bubble Menu WordPress plugin before 3.0.5 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

Action-Not Available
Vendor-wow-companyUnknown
Product-bubble_menuBubble Menu
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44767
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.13% / 32.72%
||
7 Day CHG~0.00%
Published-24 Oct, 2023 | 00:00
Updated-11 Sep, 2024 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A File upload vulnerability in RiteCMS 3.0 allows a local attacker to upload a SVG file with XSS content.

Action-Not Available
Vendor-ritecmsn/a
Product-ritecmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36530
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 11:52
Updated-25 Sep, 2024 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SP Project & Document Manager Plugin <= 4.67 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Smartypants SP Project & Document Manager plugin <= 4.67 versions.

Action-Not Available
Vendor-smartypantspluginsSmartypants
Product-sp_project_\&_document_managerSP Project & Document Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-20700
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.32% / 54.54%
||
7 Day CHG~0.00%
Published-27 Jul, 2021 | 22:19
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross site scripting (XSS) vulnerability in /app/form_add/of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Title Entry text box.

Action-Not Available
Vendor-s-cmsn/a
Product-s-cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-30003
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.72%
||
7 Day CHG~0.00%
Published-02 Apr, 2021 | 04:29
Updated-03 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Nokia G-120W-F 3FE46606AGAB91 devices. There is Stored XSS in the administrative interface via urlfilter.cgi?add url_address.

Action-Not Available
Vendor-n/aNokia Corporation
Product-g-120w-fg-120w-f_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36382
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-04 Sep, 2023 | 09:27
Updated-19 Feb, 2025 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Media Library Categories Plugin <= 2.0.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jeffrey-WP Media Library Categories plugin <= 2.0.0 versions.

Action-Not Available
Vendor-jeffrey-wpJeffrey-WP
Product-media_library_categoriesMedia Library Categories
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3043
Matching Score-4
Assigner-Palo Alto Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-0.16% / 37.44%
||
7 Day CHG~0.00%
Published-15 Jul, 2021 | 16:45
Updated-17 Sep, 2024 | 01:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prisma Cloud: Cross-Site Scripting (XSS) Vulnerability in Prisma Cloud Compute Web Console

A reflected cross-site scripting (XSS) vulnerability exists in the Prisma Cloud Compute web console that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console while an authenticated administrator is using that web interface. Prisma Cloud Compute SaaS versions were automatically upgraded to the fixed release. No additional action is required for these instances. This issue impacts: Prisma Cloud Compute 20.12 versions earlier than Prisma Cloud Compute 20.12.552; Prisma Cloud Compute 21.04 versions earlier than Prisma Cloud Compute 21.04.439.

Action-Not Available
Vendor-Palo Alto Networks, Inc.
Product-prisma_cloudPrisma Cloud Compute
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36376
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.07% / 21.88%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 00:00
Updated-02 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Scripting (XSS) vulnerability in Hostel Management System v.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the add course section.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-hostel_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36940
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.09% / 25.98%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 00:00
Updated-02 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in PHPGurukul Online Fire Reporting System Using PHP and MySQL v.1.2 allows attackers to execute arbitrary code via a crafted payload injected into the search field.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-online_fire_reporting_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34183
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 13:07
Updated-24 Sep, 2024 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Unite Gallery Lite Plugin <= 1.7.61 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Valiano Unite Gallery Lite plugin <= 1.7.61 versions.

Action-Not Available
Vendor-unitegalleryValiano
Product-unite_gallery_liteUnite Gallery Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34374
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 12.73%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 11:24
Updated-25 Sep, 2024 | 15:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AnsPress – Question and answer Plugin <= 4.3.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Rahul Aryan AnsPress plugin <= 4.3.0 versions.

Action-Not Available
Vendor-anspressRahul Aryan
Product-anspressAnsPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3445
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-3.5||LOW
EPSS-0.10% / 27.38%
||
7 Day CHG~0.00%
Published-28 Jun, 2023 | 13:22
Updated-06 Nov, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in spinacms/spina

Cross-site Scripting (XSS) - Stored in GitHub repository spinacms/spina prior to 2.15.1.

Action-Not Available
Vendor-denkgrootspinacmsdenkgroot
Product-spinaspinacms/spinaspina
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34657
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.06% / 18.31%
||
7 Day CHG~0.00%
Published-19 Jun, 2023 | 00:00
Updated-12 Dec, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in Eyoucms v1.6.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the web_recordnum parameter.

Action-Not Available
Vendor-eyoucmsn/a
Product-eyoucmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35095
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-20 Jun, 2023 | 13:30
Updated-10 Oct, 2024 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Flo Forms Plugin <= 1.0.40 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Flothemes Flo Forms – Easy Drag & Drop Form Builder plugin <= 1.0.40 versions.

Action-Not Available
Vendor-flothemesFlothemes
Product-flo_formsFlo Forms – Easy Drag & Drop Form Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34369
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.09%
||
7 Day CHG~0.00%
Published-25 Jul, 2023 | 13:02
Updated-26 Sep, 2024 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Login Configurator Plugin <= 2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GrandSlambert Login Configurator plugin <= 2.1 versions.

Action-Not Available
Vendor-login_configurator_projectGrandSlambert
Product-login_configuratorLogin Configurator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34173
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 14:04
Updated-24 Sep, 2024 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Yandex Metrica Counter Plugin <= 1.4.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alexander Semikashev Yandex Metrica Counter plugin <= 1.4.3 versions.

Action-Not Available
Vendor-yandex_metrica_counter_projectAlexander Semikashev
Product-yandex_metric_counterYandex Metrica Counter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34187
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 13:00
Updated-24 Sep, 2024 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Call Now Icon Animate Plugin <= 0.1.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alan Tien Call Now Icon Animate plugin <= 0.1.0 versions.

Action-Not Available
Vendor-Alan Tiến
Product-call_now_icon_animateCall Now Icon Animate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20242
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.12% / 32.12%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 20:59
Updated-02 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-unified_communications_manager_im_and_presence_serviceunified_communications_managerCisco Unified Communications Manager / Cisco Unity ConnectionCisco Unified Communications ManagerCisco Unified Communications Manager IM and Presence Service
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34368
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.09%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 12:12
Updated-02 Aug, 2024 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kanban Boards for WordPress Plugin <= 2.5.20 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Kanban for WordPress Kanban Boards for WordPress plugin <= 2.5.20 versions.

Action-Not Available
Vendor-kanbanwpKanban for WordPress
Product-kanban_boardsKanban Boards for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34372
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 15:04
Updated-24 Sep, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download SpamReferrerBlock Plugin <= 2.22 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Didier Sampaolo SpamReferrerBlock plugin <= 2.22 versions.

Action-Not Available
Vendor-didcodeDidier Sampaolo
Product-spamreferrerblockSpamReferrerBlock
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20201
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 15.09%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 21:39
Updated-02 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid credentials to access the web-based management interface of the affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_infrastructureevolved_programmable_network_managerCisco Prime InfrastructureCisco Evolved Programmable Network Manager (EPNM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34855
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.06% / 18.88%
||
7 Day CHG~0.00%
Published-12 Jun, 2023 | 00:00
Updated-03 Jan, 2025 | 23:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting (XSS) vulnerability in Youxun Electronic Equipment (Shanghai) Co., Ltd AC Centralized Management Platform v1.02.040 allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /upfile.cgi.

Action-Not Available
Vendor-ac_centralized_management_platform_projectn/a
Product-ac_centralized_management_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34412
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 9.96%
||
7 Day CHG~0.00%
Published-17 Aug, 2023 | 13:07
Updated-02 Aug, 2024 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XXS vulnerability in mbnet, mbnet.rokey, REX 200 and REX 250

A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower 7.3.2 allows an authenticated remote attacker with high privileges to inject malicious HTML or JavaScript code (XSS).

Action-Not Available
Vendor-redlionhelmholzRed Lion EuropeHelmholz
Product-mbnet_mdh_876mbnet_mdh_811mbnet_mdh_876_firmwarembnet_mdh_841mbnet_mdh_831_firmwarerex_200mbnet_mdh_811_firmwarembnet_mdh_871_firmwarembnet_mdh_835rex_200_firmwarembnet_mdh_835_firmwarembnet.rokey_rkh_259mbnet_mdh_858rex_250_firmwarembnet_mdh_859mbnet_mdh_871mbnet_mdh_859_firmwarerex_250mbnet.rokey_rkh_259_firmwarembnet.rokey_rkh_235_firmwarembnet_mdh_816_firmwarembnet.rokey_rkh_216mbnet.rokey_rkh_235mbnet_mdh_841_firmwarembnet_mdh_816mbnet_mdh_850_firmwarembnet.rokey_rkh_210mbnet_mdh_858_firmwarembnet.rokey_rkh_210_firmwarembnet_mdh_855_firmwarembnet.rokey_rkh_216_firmwarembnet_mdh_850mbnet_mdh_831mbnet_mdh_855mbNETREX 200REX 250mbNET.rokey
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35092
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 15:19
Updated-24 Sep, 2024 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress breadcrumb simple Plugin <= 1.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Abhay Yadav Breadcrumb simple plugin <= 1.3 versions.

Action-Not Available
Vendor-abhayrajmcaAbhay Yadav
Product-breadcrumb_simpleBreadcrumb simple
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34172
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 14:12
Updated-02 Aug, 2024 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WordPress Social Login Plugin <= 3.0.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Miled WordPress Social Login plugin <= 3.0.4 versions.

Action-Not Available
Vendor-miledMiled
Product-wordpress_social_loginWordPress Social Login
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34170
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 14:26
Updated-19 Feb, 2025 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quick/Bulk Order Form for WooCommerce Plugin <= 3.5.7 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP Overnight Quick/Bulk Order Form for WooCommerce plugin <= 3.5.7 versions.

Action-Not Available
Vendor-wpovernightWP Overnight
Product-download_quick\/bulk_order_form_for_woocommerceQuick/Bulk Order Form for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 63
  • 64
  • Next
Details not found