ByteOS Network

Vulnerability Details :

CVE-2024-13330

Assigner-WPScan

Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81

Published At-04 Feb, 2025 | 06:00

Updated At-04 Feb, 2025 | 16:36

Justrows Free <= 0.2 - Reflected XSS

The JustRows free WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:WPScan

Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81

Published At:04 Feb, 2025 | 06:00

Updated At:04 Feb, 2025 | 16:36

▼CVE Numbering Authority (CNA)

Justrows Free <= 0.2 - Reflected XSS

Affected Products

Vendor

Unknown

Product

JustRows free

Default Status

affected

Versions

Affected

From 0 through 0.2 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-79	CWE-79 Cross-Site Scripting (XSS)

Type: CWE

CWE ID: CWE-79

Description: CWE-79 Cross-Site Scripting (XSS)

Credits

finder

Hassan Khan Yusufzai - Splint3r7

coordinator

WPScan

References

Hyperlink	Resource
https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/	exploit vdb-entry technical-description

Hyperlink: https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/

Resource:

exploit

vdb-entry

technical-description

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics

Version	Base score	Base severity	Vector
3.1	7.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Metrics Other Info

References

Hyperlink	Resource
https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/	exploit

Hyperlink: https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/

Resource:

exploit

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:contact@wpscan.com

Published At:04 Feb, 2025 | 06:15

Updated At:13 May, 2025 | 18:59

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	7.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Type: Secondary

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CPE Matches

canaveralstudio>>justrows_free>>Versions up to 0.2(inclusive)

cpe:2.3:a:canaveralstudio:justrows_free:*:*:*:*:*:wordpress:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	nvd@nist.gov

CWE ID: CWE-79

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/	contact@wpscan.com	Exploit Third Party Advisory
https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/	134c704f-9b21-4f2e-91b3-4a467353bcc0	Exploit Third Party Advisory

Hyperlink: https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/

Source: contact@wpscan.com

Resource:

Exploit

Third Party Advisory

Hyperlink: https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Resource:

Exploit

Third Party Advisory

Similar CVEs

2021Records found

CVE-2025-46456

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.27%

7 Day CHG~0.00%

Published-23 May, 2025 | 12:43

Updated-23 May, 2025 | 15:54

WordPress Theme Blvd Sliders plugin <= 1.2.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason Theme Blvd Sliders allows Reflected XSS. This issue affects Theme Blvd Sliders: from n/a through 1.2.5.

Vendor-Jason

Product-Theme Blvd Sliders

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40196

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.09% / 26.47%

7 Day CHG~0.00%

Published-04 Sep, 2023 | 11:15

Updated-24 Sep, 2024 | 18:50

WordPress ImageRecycle pdf & image compression Plugin <= 3.1.11 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ImageRecycle ImageRecycle pdf & image compression plugin <= 3.1.11 versions.

Vendor-imagerecycle ImageRecycle

Product-imagerecycle_pdf_\&_image_compression ImageRecycle pdf & image compression

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40333

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.18% / 39.31%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 11:25

Updated-23 Sep, 2024 | 12:50

WordPress Bridge Core Plugin <= 3.0.9 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Qode Interactive Bridge Core plugin <= 3.0.9 versions.

Vendor-qodeinteractive Qode Interactive

Product-bridge_core Bridge Core

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40330

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.18% / 39.31%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 05:35

Updated-23 Sep, 2024 | 18:17

WordPress GD Security Headers Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Milan Petrovic GD Security Headers plugin <= 1.6.1 versions.

Vendor-dev4press Milan Petrovic

Product-gd_security_headers GD Security Headers

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39918

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-04 Sep, 2023 | 10:05

Updated-24 Sep, 2024 | 18:52

WordPress Booking Package Plugin <= 1.6.01 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SAASPROJECT Booking Package Booking Package plugin <= 1.6.01 versions.

Vendor-saasproject SAASPROJECT Booking Package

Product-booking_package Booking Package

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40601

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.17% / 38.24%

7 Day CHG~0.00%

Published-06 Sep, 2023 | 08:45

Updated-24 Sep, 2024 | 18:47

WordPress Mortgage Calculator Estatik Plugin <= 2.0.7 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Estatik Estatik Mortgage Calculator plugin <= 2.0.7 versions.

Vendor-estatik Estatik

Product-estatik_mortgage_calculator Estatik Mortgage Calculator

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39926

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.19% / 41.48%

7 Day CHG~0.00%

Published-16 Nov, 2023 | 19:24

Updated-04 Sep, 2024 | 20:28

WordPress Under Construction / Maintenance Mode from Acurax Plugin <= 2.6 is vulnerable to Cross Site Scripting (XSS)

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Acurax Under Construction / Maintenance Mode from Acurax plugin <= 2.6 versions.

Vendor-Acurax Technologies

Product-under_construction_\/_maintenance_mode Under Construction / Maintenance Mode from Acurax

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40664

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.19% / 41.48%

7 Day CHG~0.00%

Published-27 Sep, 2023 | 05:50

Updated-23 Sep, 2024 | 13:29

WordPress Donations Made Easy – Smart Donations Plugin <= 4.0.12 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RedNao Donations Made Easy – Smart Donations plugin <= 4.0.12 versions.

Vendor-rednao RedNao

Product-smart_donations Donations Made Easy – Smart Donations

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-30547

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.03% / 4.98%

7 Day CHG-0.04%

Published-01 Apr, 2025 | 05:31

Updated-01 Apr, 2025 | 20:26

WordPress WP Cards plugin <= 1.5.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Tufts WP Cards allows Reflected XSS. This issue affects WP Cards: from n/a through 1.5.1.

Vendor-David Tufts

Product-WP Cards

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-38474

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.19% / 41.48%

7 Day CHG~0.00%

Published-30 Nov, 2023 | 12:26

Updated-20 Nov, 2024 | 21:08

WordPress Campaign Monitor for WordPress Plugin <= 2.8.12 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Campaign Monitor Campaign Monitor for WordPress allows Reflected XSS.This issue affects Campaign Monitor for WordPress: from n/a through 2.8.12.

Vendor-campaignmonitor Campaign Monitor

Product-campaign_monitor Campaign Monitor for WordPress

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39314

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-10 Aug, 2023 | 12:46

Updated-25 Sep, 2024 | 15:03

WordPress Leyka Plugin <= 3.30.2 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Teplitsa of social technologies Leyka plugin <= 3.30.2 versions.

Vendor-te-st Teplitsa of social technologies

Product-leyka Leyka

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-43836

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.27%

7 Day CHG~0.00%

Published-19 May, 2025 | 18:22

Updated-21 May, 2025 | 20:25

WordPress Syndicate Out <= 0.9 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in confuzzledduck Syndicate Out allows Reflected XSS.This issue affects Syndicate Out: from n/a through 0.9.

Vendor-confuzzledduck

Product-Syndicate Out

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-30544

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.03% / 4.98%

7 Day CHG-0.04%

Published-01 Apr, 2025 | 05:31

Updated-01 Apr, 2025 | 20:26

WordPress OK Poster Group plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound OK Poster Group allows Reflected XSS. This issue affects OK Poster Group: from n/a through 1.1.

Vendor-NotFound

Product-OK Poster Group

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39164

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-04 Sep, 2023 | 09:30

Updated-24 Sep, 2024 | 18:55

WordPress Molongui Plugin <= 4.6.19 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Molongui Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui plugin <= 4.6.19 versions.

Vendor-amitzy Molongui

Product-molongui Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-46537

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.27%

7 Day CHG~0.00%

Published-23 May, 2025 | 12:43

Updated-23 May, 2025 | 15:55

WordPress Section Widget plugin <= 3.3.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ctltwp Section Widget allows Reflected XSS. This issue affects Section Widget: from n/a through 3.3.1.

Vendor-ctltwp

Product-Section Widget

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39306

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.17% / 38.64%

7 Day CHG~0.00%

Published-27 Mar, 2024 | 05:42

Updated-05 Aug, 2024 | 16:45

WordPress Avada Builder plugin <= 3.11.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder allows Reflected XSS.This issue affects Fusion Builder: from n/a through 3.11.1.

Vendor-Avada (ThemeFusion)

Product-Fusion Builder

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-39162

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-04 Sep, 2023 | 09:46

Updated-24 Sep, 2024 | 18:54

WordPress User Email Verification for WooCommerce Plugin <= 3.5.0 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in XLPlugins User Email Verification for WooCommerce plugin <= 3.5.0 versions.

Vendor-xlplugins XLPlugins

Product-woo-confirmation-email User Email Verification for WooCommerce

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-37977

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-27 Jul, 2023 | 14:16

Updated-19 Feb, 2025 | 16:29

WordPress WPFunnels Plugin <= 2.7.16 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFunnels Team Drag & Drop Sales Funnel Builder for WordPress – WPFunnels plugin <= 2.7.16 versions.

Vendor-getwpfunnels WPFunnels Team

Product-wpfunnels Drag & Drop Sales Funnel Builder for WordPress – WPFunnels

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-46500

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 10.71%

7 Day CHG~0.00%

Published-16 Jul, 2025 | 11:28

Updated-16 Jul, 2025 | 18:49

WordPress Wordpress Auto Spinner plugin <= 3.25.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ValvePress Wordpress Auto Spinner allows Reflected XSS. This issue affects Wordpress Auto Spinner: from n/a through 3.25.0.

Vendor-ValvePress

Product-Wordpress Auto Spinner

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-38384

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-08 Aug, 2023 | 12:30

Updated-25 Sep, 2024 | 16:47

WordPress eaSYNC Plugin <= 1.3.7 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Syntactics, Inc. EaSYNC plugin <= 1.3.7 versions.

Vendor-syntacticsinc Syntactics, Inc.

Product-easync eaSYNC

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-43832

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.27%

7 Day CHG~0.00%

Published-19 May, 2025 | 18:45

Updated-21 May, 2025 | 20:25

WordPress Remote Images Grabber plugin <= 0.6 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andreyk Remote Images Grabber allows Reflected XSS.This issue affects Remote Images Grabber: from n/a through 0.6.

Vendor-andreyk

Product-Remote Images Grabber

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-37988

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-14.42% / 94.17%

7 Day CHG~0.00%

Published-10 Aug, 2023 | 10:39

Updated-13 Feb, 2025 | 17:01

WordPress Contact Form Generator Plugin <= 2.5.5 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Creative Solutions Contact Form Generator plugin <= 2.5.5 versions.

Vendor-creative-solutions Creative Solutions

Product-contact_form_generator Contact Form Generator

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-37976

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-27 Jul, 2023 | 14:21

Updated-25 Sep, 2024 | 16:57

WordPress Radio Forge Muses Player with Skins Plugin <= 2.5 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Radio Forge Muses Player with Skins plugin <= 2.5 versions.

Vendor-radioforge Radio Forge

Product-radio_forge_muses_player_with_skins Radio Forge Muses Player with Skins

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-37975

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-27 Jul, 2023 | 14:25

Updated-25 Sep, 2024 | 16:52

WordPress Variation Swatches for WooCommerce Plugin <= 2.3.7 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Swatches for WooCommerce plugin <= 2.3.7 versions.

Vendor-variation_swatches_for_woocommerce_project RadiusTheme

Product-variation_swatches_for_woocommerce Variation Swatches for WooCommerce

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-46502

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.06% / 20.32%

7 Day CHG+0.02%

Published-24 Apr, 2025 | 16:08

Updated-29 Apr, 2025 | 13:52

WordPress LSD Custom taxonomy and category meta plugin <= 1.3.2 - CSRF to XSS vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Matthee LSD Custom taxonomy and category meta allows Cross Site Request Forgery. This issue affects LSD Custom taxonomy and category meta: from n/a through 1.3.2.

Vendor-Bas Matthee

Product-LSD Custom taxonomy and category meta

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-37997

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.09% / 26.47%

7 Day CHG~0.00%

Published-01 Sep, 2023 | 11:47

Updated-24 Sep, 2024 | 18:57

WordPress Post List With Featured Image Plugin <= 1.2 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Dharmesh Patel Post List With Featured Image plugin <= 1.2 versions.

Vendor-dharmeshpatel Dharmesh Patel

Product-post_list_with_featured_image Post List With Featured Image

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-37979

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-45.01% / 97.50%

7 Day CHG~0.00%

Published-27 Jul, 2023 | 14:08

Updated-13 Feb, 2025 | 17:01

WordPress Ninja Forms Plugin <= 3.6.25 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.

Vendor-Saturday Drive, INC

Product-ninja_forms Ninja Forms Contact Form

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-38400

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.19% / 41.48%

7 Day CHG~0.00%

Published-30 Nov, 2023 | 16:57

Updated-02 Aug, 2024 | 17:39

WordPress Enfold Theme <= 5.6.4 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold - Responsive Multi-Purpose Theme allows Reflected XSS.This issue affects Enfold - Responsive Multi-Purpose Theme: from n/a through 5.6.4.

Vendor-kriesi Kriesi

Product-enfold Enfold - Responsive Multi-Purpose Theme

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-37981

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-27 Jul, 2023 | 13:50

Updated-25 Sep, 2024 | 16:58

WordPress Authors List Plugin <= 2.0.2 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPKube Authors List plugin <= 2.0.2 versions.

Vendor-wpkube WPKube

Product-authors_list Authors List

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-38392

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-07 Aug, 2023 | 12:45

Updated-25 Sep, 2024 | 16:52

WordPress Custom Field Template Plugin <= 2.5.9 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Hiroaki Miyashita Custom Field Template plugin <= 2.5.9 versions.

Vendor-wpgogo Hiroaki Miyashita

Product-custom_field_template Custom Field Template

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-46526

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.27%

7 Day CHG~0.00%

Published-23 May, 2025 | 12:43

Updated-23 May, 2025 | 15:54

WordPress My Custom Widgets plugin <= 2.0.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in janekniefeldt My Custom Widgets allows Reflected XSS. This issue affects My Custom Widgets: from n/a through 2.0.5.

Vendor-janekniefeldt

Product-My Custom Widgets

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-36384

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-18 Jul, 2023 | 14:17

Updated-25 Sep, 2024 | 17:01

WordPress Booking Calendar Contact Form Plugin <= 1.2.40 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin <= 1.2.40 versions.

Vendor-WP Booking Calendar CodePeople

Product-booking_calendar Booking Calendar Contact Form

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-46515

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.27%

7 Day CHG~0.00%

Published-23 May, 2025 | 12:43

Updated-23 May, 2025 | 15:54

WordPress Category Widget plugin <= 2.0.2 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Category Widget allows Reflected XSS. This issue affects Category Widget: from n/a through 2.0.2.

Vendor-M A Vinoth Kumar

Product-Category Widget

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-36823

Matching Score-4

Assigner-GitHub, Inc.

View Details

Matching Score-4

Assigner-GitHub, Inc.

CVSS Score-7.1||HIGH

EPSS-0.33% / 55.42%

7 Day CHG~0.00%

Published-06 Jul, 2023 | 15:06

Updated-13 Feb, 2025 | 16:56

Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content

Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs additional escaping of CSS in `style` element content, which fixes this issue. Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow `style` elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence `</` as `<\/` in `style` element content.

Vendor-sanitize_project rgrove Debian GNU/Linux

Product-debian_linux sanitize sanitize

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-36501

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.09% / 25.91%

7 Day CHG~0.00%

Published-25 Jul, 2023 | 13:23

Updated-26 Sep, 2024 | 15:11

WordPress teachPress Plugin <= 9.0.2 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Michael Winkler teachPress plugin <= 9.0.2 versions.

Vendor-mtrv Michael Winkler

Product-teachpress teachPress

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-46234

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.06% / 20.32%

7 Day CHG+0.02%

Published-24 Apr, 2025 | 16:08

Updated-29 Apr, 2025 | 13:52

WordPress Control Listings plugin <= 1.0.4.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Razib Control Listings allows Reflected XSS. This issue affects Control Listings: from n/a through 1.0.4.1.

Vendor-Habibur Rahman Razib

Product-Control Listings

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-36689

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-05 Aug, 2023 | 22:22

Updated-25 Sep, 2024 | 16:56

WordPress WPFactory Helper Plugin <= 1.5.2 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFactory WPFactory Helper plugin <= 1.5.2 versions.

Vendor-wpfactory WPFactory

Product-wpfactory_helper WPFactory Helper

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-36385

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.10% / 27.59%

7 Day CHG~0.00%

Published-25 Jul, 2023 | 13:44

Updated-25 Sep, 2024 | 16:59

WordPress PostX – Gutenberg Blocks for Post Grid Plugin <= 2.9.9 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wpxpo PostX – Gutenberg Post Grid Blocks plugin <= 2.9.9 versions.

Vendor-wpxpo wpxpo

Product-postx PostX – Gutenberg Post Grid Blocks

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-36502

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.10% / 27.59%

7 Day CHG~0.00%

Published-25 Jul, 2023 | 13:26

Updated-26 Sep, 2024 | 15:09

WordPress Balkon Theme <= 1.3.2 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cththemes Balkon plugin <= 1.3.2 versions.

Vendor-cththemes cththemes

Product-balkon Balkon

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-46437

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.27%

7 Day CHG~0.00%

Published-23 May, 2025 | 12:43

Updated-23 May, 2025 | 15:54

WordPress Tayori Form plugin <= 1.2.9 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tayoricom Tayori Form allows Reflected XSS. This issue affects Tayori Form: from n/a through 1.2.9.

Vendor-tayoricom

Product-Tayori Form

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-36686

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-05 Aug, 2023 | 22:28

Updated-25 Sep, 2024 | 16:56

WordPress CartFlows Pro Plugin <= 1.11.11 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CartFlows Pro plugin <= 1.11.11 versions.

Vendor-cartflows CartFlows

Product-cartflows CartFlows Pro

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-46446

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.27%

7 Day CHG~0.00%

Published-23 May, 2025 | 12:43

Updated-23 May, 2025 | 15:54

WordPress Libro de Reclamaciones <= 1.0.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivanrojas Libro de Reclamaciones allows Stored XSS. This issue affects Libro de Reclamaciones: from n/a through 1.0.1.

Vendor-ivanrojas

Product-Libro de Reclamaciones

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-35884

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.17% / 38.24%

7 Day CHG~0.00%

Published-20 Jun, 2023 | 06:50

Updated-10 Oct, 2024 | 18:35

WordPress EventPrime Plugin <= 3.0.5 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in EventPrime plugin <= 3.0.5 versions.

Vendor-Metagauss Inc.

Product-eventprime EventPrime

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-35918

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-22 Jun, 2023 | 11:47

Updated-10 Oct, 2024 | 17:23

WordPress WooCommerce Bulk Stock Management Plugin <= 2.2.33 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Bulk Stock Management plugin <= 2.2.33 versions.

Vendor-WooCommerce

Product-bulk_stock_management Bulk Stock Management

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-35772

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.08% / 24.99%

7 Day CHG~0.00%

Published-19 Jun, 2023 | 13:54

Updated-10 Oct, 2024 | 18:35

WordPress Google Map Shortcode Plugin <= 3.1.2 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Alain Gonzalez Google Map Shortcode plugin <= 3.1.2 versions.

Vendor-Alain Gonzalez

Product-google_map_shortcode Google Map Shortcode

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-35098

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.17% / 38.24%

7 Day CHG~0.00%

Published-20 Jun, 2023 | 09:01

Updated-02 Aug, 2024 | 16:23

WordPress NextGen GalleryView Plugin <= 0.5.5 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions.

Vendor-wordpress_nextgen_galleryview_project John Brien

Product-wordpress_nextgen_galleryview WordPress NextGen GalleryView

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-35043

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.09% / 25.91%

7 Day CHG~0.00%

Published-25 Jul, 2023 | 12:57

Updated-25 Sep, 2024 | 16:59

WordPress Recent Posts Slider Plugin <= 1.1 is vulnerable to Cross Site Scripting (XSS)

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Neha Goel Recent Posts Slider plugin <= 1.1 versions.

Vendor-recent_posts_slider_project Neha Goel

Product-recent_posts_slider Recent Posts Slider

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-46440

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.27%

7 Day CHG~0.00%

Published-23 May, 2025 | 12:43

Updated-23 May, 2025 | 15:54

WordPress kStats Reloaded plugin <= 0.7.4 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark kStats Reloaded allows Reflected XSS. This issue affects kStats Reloaded: from n/a through 0.7.4.

Vendor-Mark

Product-kStats Reloaded

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-25124

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.04% / 13.02%

7 Day CHG~0.00%

Published-03 Mar, 2025 | 13:30

Updated-03 Mar, 2025 | 17:35

WordPress Status Updater Plugin <= 9.21 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devu Status Updater allows Reflected XSS. This issue affects Status Updater: from n/a through 1.9.2.

Vendor-devu

Product-Status Updater

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-35097

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.1||HIGH

EPSS-0.17% / 38.24%

7 Day CHG~0.00%

Published-20 Jun, 2023 | 09:05

Updated-19 Feb, 2025 | 21:29

WordPress WP Affiliate Links Plugin <= 0.1.1 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Internet Marketing Dojo WP Affiliate Links plugin <= 0.1.1 versions.

Vendor-Internet Marketing Dojo Dojo (OpenJS Foundation)

Product-wp_affiliate_links WP Affiliate Links

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-13330

Credits

Justrows Free <= 0.2 - Reflected XSS

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs