Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-37120

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-22 Jul, 2024 | 09:38
Updated At-28 Apr, 2026 | 16:09
Rejected At-
Credits

WordPress Tabs plugin <= 4.0.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Biplob Adhikari Tabs allows Stored XSS.This issue affects Tabs: from n/a through 4.0.6.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:22 Jul, 2024 | 09:38
Updated At:28 Apr, 2026 | 16:09
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Tabs plugin <= 4.0.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Biplob Adhikari Tabs allows Stored XSS.This issue affects Tabs: from n/a through 4.0.6.

Affected Products
Vendor
Biplob Adhikari (Oxilab Development)Biplob Adhikari
Product
Tabs
Collection URL
https://wordpress.org/plugins
Package Name
vc-tabs
Default Status
unaffected
Versions
Affected
  • From n/a through 4.0.6 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.15.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-592CAPEC-592 Stored XSS
CAPEC ID: CAPEC-592
Description: CAPEC-592 Stored XSS
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Jean Tirstan T (Patchstack Alliance)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/vulnerability/vc-tabs/wordpress-tabs-plugin-4-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/vc-tabs/wordpress-tabs-plugin-4-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/vulnerability/vc-tabs/wordpress-tabs-plugin-4-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/vc-tabs/wordpress-tabs-plugin-4-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
Resource:
vdb-entry
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:22 Jul, 2024 | 10:15
Updated At:25 Jul, 2024 | 19:26

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Biplob Adhikari Tabs allows Stored XSS.This issue affects Tabs: from n/a through 4.0.6.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Secondary3.15.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CPE Matches
Biplob Adhikari (Oxilab Development)
oxilab
>>responsive_tabs>>Versions up to 4.0.6(inclusive)
cpe:2.3:a:oxilab:responsive_tabs:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primaryaudit@patchstack.com
CWE ID: CWE-79
Type: Primary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/vulnerability/vc-tabs/wordpress-tabs-plugin-4-0-6-cross-site-scripting-xss-vulnerability?_s_id=cveaudit@patchstack.com
Third Party Advisory
Hyperlink: https://patchstack.com/database/vulnerability/vc-tabs/wordpress-tabs-plugin-4-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

4245Records found
CVE-2024-37121
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.26% / 17.19%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 09:35
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shortcode Addons plugin <= 3.2.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in biplob018 Shortcode Addons allows Stored XSS.This issue affects Shortcode Addons: from n/a through 3.2.5.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-shortcode_addonsShortcode Addons
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-37122
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.26% / 17.19%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 09:34
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Accordions plugin <= 2.3.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Biplob Adhikari Accordions allows Stored XSS.This issue affects Accordions: from n/a through 2.3.5.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-accordionsAccordions
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-45082
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-3.4||LOW
EPSS-0.40% / 32.14%
||
7 Day CHG~0.00%
Published-18 Nov, 2022 | 21:59
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Accordions plugin <= 2.0.3 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities

Multiple Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerabilities in Accordions plugin <= 2.0.3 on WordPress via &addons-style-name and &accordions_or_faqs_license_key.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-accordionsAccordions – Multiple Accordions or FAQs Builder (WordPress plugin)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25962
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.37% / 28.63%
||
7 Day CHG~0.00%
Published-04 May, 2023 | 12:47
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Accordions Plugin <= 2.3.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Biplob Adhikari Accordion – Multiple Accordion or FAQs Builder plugin <= 2.3.0 versions.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-accordionsAccordion – Multiple Accordion or FAQs Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29424
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-4.8||MEDIUM
EPSS-0.49% / 38.22%
||
7 Day CHG~0.00%
Published-20 May, 2022 | 19:57
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Hover Effects Ultimate plugin <= 9.7.1 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability

Authenticated (admin or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in Biplob Adhikari's Image Hover Effects Ultimate plugin <= 9.7.1 at WordPress.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-image_hover_effects_ultimateImage Hover Effects Ultimate (WordPress plugin)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2935
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.48% / 37.46%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:19
Updated-07 Feb, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Hover Effects Ultimate <= 9.7.3 - Authenticated Stored Cross-Site Scripting via Media URL

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Media Image URL value that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-image_hover_effects_ultimateImage Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2937
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.47% / 36.86%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 13:54
Updated-31 Jan, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Hover Effects Ultimate <= 9.7.3 - Authenticated Stored Cross-Site Scripting via Title & Description

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-image_hover_effects_ultimateImage Hover Effects Ultimate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-37546
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 14.54%
||
7 Day CHG~0.00%
Published-06 Jul, 2024 | 14:29
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Hover Effects for Elementor with Lightbox and Flipbox plugin <= 3.0.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in biplob018 Image Hover Effects - Caption Hover with Carousel allows Stored XSS.This issue affects Image Hover Effects - Caption Hover with Carousel: from n/a through 3.0.2.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-image_hover_effects_for_elementor_with_lightbox_and_flipboxImage Hover Effects - Caption Hover with Carousel
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25031
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.89% / 54.60%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Hover Effects Ultimate < 9.7.1 - Reflected Cross-Site Scripting

The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-UnknownBiplob Adhikari (Oxilab Development)
Product-image_hover_effects_ultimateImage Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13362
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.28% / 19.24%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 05:29
Updated-01 May, 2026 | 13:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-pluginswaresenolsgallerycreatormikewire_rocksolidtheafricanbossinfornwebstreamweaselssamdanithemelocationsebetblocksparepremmercespeedifysjavedmattpramschufer100pluginsdamian-gorafullworkstonyzeolitripettotobias_conradcyberhobonicheaddonspagupwpjolidavidandersonwebheadllcplugins360peterschulznlmapstertoddhalfpennycyclonecodemohsinofflinepluginscafewpmagicsnitin247yuvalomihail-barinovbouncingsproutmte90infosatechpassionatebrainstakanakuiinteractivegeomapspluginandplaygowebsmartymeowcrewblackandwhitedigitalwebfactoryessekiabpluginsrebelcodefoopluginstobiasbglitonice13kofimokomeinvisnetwpbitsprasadkirpekarvinod-dalvign_themesseezeeunitecmswpspeedooceanwpmr2penwebysaadiqbalprinceahmedsmartwpresskoen12344cleverpluginswebba-agencytickeraelliotvskaizencoderswpdeverspicethemescodesavoryelesparewordplushasanazizulinaviiwpsaadkairaimtiazrayhanhkdigitalagencyxplodedthemesjosevegamhmrajibdashlabsltdparetodigitaluriahs-victorbensibleyspiderdevs5starpluginsBiplob Adhikari (Oxilab Development)AF themes
Product-Post to Google My Business (Google Business Profile)Mapster WP MapsShare This ImageFeatured Images in RSS for Mailchimp & MoreBetter Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private MessagesGo Fetch Jobs (for WP Job Manager)Post Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post SliderMixed Media Gallery BlocksFive-Star Ratings ShortcodeAI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4oAI Puffer – Chat. Create. Automate. (formerly AI Power)Auto-Install Free SSL – Generate & Install Free SSL CertificatesCarousel, Recent Post Slider and Banner SliderDisable Payment Methods based on cart conditions for WooCommerceXT Floating Cart for WooCommercePrimary Addon for ElementorUnlimited Elements For ElementorNotification Bar, Announcement and Cookie Notice WordPress Plugin – FooBarEasy Appointment Booking & Scheduling System – Webba Booking CalendarXT Quick View for WooCommerceWOW Styler for CF7 – Visual Styler for Contact Form 7 FormsEazyDocs – AI Powered Knowledge Base, Wiki, Documentation & FAQ BuilderMessage Filter for Contact Form 7Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppTreePress – Easy Family Trees & Ancestor ProfilesEasy Age VerifyRadio Station by netmix® – Manage and play your Show Schedule in WordPress!GA4WP – Analytics Dashboard for the WebsiteEmbedder for Google ReviewsPremmerce Permalink Manager for WooCommerceSolid Testimonials – Testimonial Slider, Video Testimonials & Customer ReviewsWP Notification BellCustom WooCommerce Checkout Fields EditorWP fail2ban – Advanced SecurityInternal Link Juicer: SEO Auto Linker for WordPressAdvanced Classifieds & Directory ProWPBITS Addons For Elementor Page BuilderMenu Image, Icons made easyFile Manager for Google Drive – Integrate Google DriveWP Meta and Date RemoverGeo MashupBlog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, NewsGlossaryEleSpare – News, Magazine and Blog Addons for ElementorJustified GalleryStreamWeasels Twitch IntegrationWP Books Gallery – Build Stunning Book Showcases & Libraries in MinutesPremmerce Product Filter for WooCommerceBulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)Ivory Search – WordPress Search PluginAnnouncement & Notification Banner – BulletinWPIDE – File Manager & Code EditorWP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL ScanbBlocks – Essential Gutenberg Blocks & Patterns CollectionDynamic Copyright YearDisplay Eventbrite EventsRestaurant & Cafe Addon for ElementorSpotlight Social Feeds – Block, Shortcode, and WidgetLogo Showcase – Responsive Logo Carousel, Logo Slider & Logo GridWordPress form builder plugin for contact forms, surveys and quizzes – TripettoWP Coupons and Deals – Coupon Plugin For Affiliate MarketersThank You Page for WooCommerceGoal Tracker – Custom Event Tracking for GA4Post List Designer – Category Post, Recent Post, Post ListWP Data Access – App Builder for Tables, Forms, Charts, Maps & DashboardsRestrict – membership, site, content and user access restrictions for WordPressKikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerceJoli Table Of ContentsCheckout with Cash App on WooCommerceIndependent AnalyticsEvents Addon for ElementorAutomatic Internal Links for SEO by PagupUltimeterPay For Post with WooCommerceTeam Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and MoreYASR – Yet Another Star Rating Plugin for WordPressMaster Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template KitsRole Based Pricing for Woo by Meow CrewOcean ExtraRadio Player – Live Shoutcast, Icecast and Any Audio Stream PlayerMeta Field Block – Display custom fields in the Block Editor without codingOpen User MapTablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, FluentCode ManagerText To Speech TTS AccessibilityAnti-Spam Protection – No API Key, GDPR FriendlyGallery by FooGalleryAutomatic YouTube GalleryStoreCustomizer – A plugin to Customize all WooCommerce PagesWP Page TemplatesAidWP – Donation & Payment Forms (Stripe Powered)WP Post Author – Author Box, Multiple Authors, Guest Authors & Custom AvatarsSecure Gateway for Authorize.net and WooCommerce by Pledged PluginsPayment Gateway for ACBA BANKProduct Layouts for WooCommerceAdvanced Scrollbar – Custom Scrollbar Styling and BehaviorSecurity Ninja – WordPress Security & FirewallXT Variation Swatches for WooCommerceDelete Posts automaticallyWidgets on PagesTablePress – Tables in WordPress made easyContact Form 7 Multi-Step FormsRevivePress – Keep your Old Content EvergreenHTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio PlayerAEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image OptimizationAWCA – The Great Analytics Insights for Your eStoreImage Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AISmart phone field for Gravity FormsBulk Edit Posts and Products in SpreadsheetMarijuana Age VerifyForumax – AI Powered Advanced Community Forum PluginMusic Player for Elementor – Audio Player & Podcast PlayerFull Screen BackgroundMapGeo – Interactive Geo MapsKnowledge Base documentation & wiki plugin – BasePress DocsBlockSpare — News, Magazine and Blog Addons for (Gutenberg) Block EditorCoupon Affiliates – Affiliate Plugin for WooCommercePlace Order Without Payment for WooCommerceLightbox & Modal Popup WordPress Plugin – FooBoxWP Mobile Menu – The Mobile-Friendly Responsive MenuCustom PHP SettingsInavii Social FeedSend Users Email – Email Subscribers, Email Marketing NewsletterWP Shortcodes Plugin — Shortcodes UltimateDracula Dark Mode – Accessibility, Reading Mode & Dark Mode for WordPressPDF Poster – Display PDF Files with Custom ViewerEasy Social Feed – Social Photos Gallery and Post Feed for WordPressTeam Members ShowcaseURL Shortify – Simple and Easy URL ShortenerTopNewsWp – Display Tikcer News, RSS Feed Widget and Many MoreRemove Add to Cart WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5001
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.32% / 23.74%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 02:02
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Hover Effects for Elementor with Lightbox and Flipbox <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via _id, oxi_addons_f_title_tag, and content_description_tag Parameters

The Image Hover Effects for Elementor with Lightbox and Flipbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_id', 'oxi_addons_f_title_tag', and 'content_description_tag' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-37546 may be a duplicate of this issue.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-image_hover_effects_for_elementor_with_lightbox_and_flipboxImage Hover Effects for Elementor with Lightbox and Flipbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5092
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.21% / 10.94%
||
7 Day CHG~0.00%
Published-20 Nov, 2025 | 06:38
Updated-08 Apr, 2026 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Plugins and Themes <= (Various Versions) - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library

Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-famethemesvowelwebwpsoftsgalaxyweblinkslightgalleryteamtpluginsBiplob Adhikari (Oxilab Development)Royal Elementor Addons
Product-Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier )OnePressRoyal Addons for Elementor – Addons and Templates Kit for ElementorIbtana – WordPress Website BuilderTP WooCommerce Product GalleryLightGallery WPPortfolio, Gallery, Product Catalog – Grid KIT PortfolioGallery with thumbnail slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-45831
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.41% / 32.49%
||
7 Day CHG~0.00%
Published-28 Mar, 2023 | 07:15
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Hover Effects - Caption Hover with Carousel Plugin <= 2.8 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in biplob018 Image Hover Effects for Elementor with Lightbox and Flipbox plugin <= 2.8 versions.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-image_hover_effects_for_elementor_with_lightbox_and_flipboxImage Hover Effects for Elementor with Lightbox and Flipbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-40215
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-3.4||LOW
EPSS-0.41% / 32.67%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 15:22
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tabs plugin <= 3.7.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in Tabs plugin <= 3.7.1 at WordPress.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-tabsTabs (WordPress plugin)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2936
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.49% / 38.21%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:19
Updated-07 Feb, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Hover Effects Ultimate <= 9.7.3 - Authenticated Stored Cross-Site Scripting via Video Link

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Video Link values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

Action-Not Available
Vendor-Biplob Adhikari (Oxilab Development)
Product-image_hover_effects_ultimateImage Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-9271
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.14% / 3.64%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 06:00
Updated-12 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
KeepInMind - Dashboard Notes < 0.8.4.2 - Contributor+ Stored XSS

Vulnerability Title

Action-Not Available
Vendor-Unknown
Product-KeepInMind Dashboard Notes
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23366
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 34.01%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 17:41
Updated-01 Jun, 2026 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Org.jboss.hal:hal-console: wildfly hal console cross-site scripting

A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.

Action-Not Available
Vendor-Red Hat, Inc.
Product-hal_management_consoleRed Hat JBoss Enterprise Application Platform 8Red Hat JBoss Data Grid 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 7
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-20840
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.45% / 35.50%
||
7 Day CHG~0.00%
Published-10 Nov, 2022 | 17:41
Updated-26 Nov, 2024 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_firewall_management_centerCisco Firepower Management Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-33598
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.36% / 27.97%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 07:17
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Annual Archive plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Twinpictures Annual Archive allows Stored XSS.This issue affects Annual Archive: from n/a through 1.6.0.

Action-Not Available
Vendor-Twinpictures
Product-Annual Archive
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22734
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.27% / 19.11%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 15:23
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Posts Footer Manager Plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc. Posts Footer Manager intelly-posts-footer-manager allows Stored XSS.This issue affects Posts Footer Manager: from n/a through <= 2.1.0.

Action-Not Available
Vendor-Data443 Risk Mitigation, Inc.
Product-Posts Footer Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22664
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.23% / 13.59%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 14:21
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Survey Maker Plugin <= 5.1.3.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Survey Maker survey-maker allows Stored XSS.This issue affects Survey Maker: from n/a through <= 5.1.3.5.

Action-Not Available
Vendor-AYS Pro Extensions
Product-survey_makerSurvey Maker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22762
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.22% / 12.72%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 15:23
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Octrace Support Pro plugin <= 1.2.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Octrace WordPress HelpDesk & Support Ticket System Plugin – Octrace Support octrace-support allows Stored XSS.This issue affects WordPress HelpDesk & Support Ticket System Plugin – Octrace Support: from n/a through <= 1.2.7.

Action-Not Available
Vendor-Octrace
Product-WordPress HelpDesk & Support Ticket System Plugin – Octrace Support
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-20389
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.59% / 43.60%
||
7 Day CHG~0.00%
Published-23 Jun, 2021 | 14:35
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in GetSimpleCMS 3.4.0a in admin/edit.php.

Action-Not Available
Vendor-get-simplen/a
Product-getsimplecmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22641
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.22% / 13.02%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 14:21
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FM Notification Bar plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Prem Tiwari FM Notification Bar fm-notification-bar allows Stored XSS.This issue affects FM Notification Bar: from n/a through <= 1.0.4.

Action-Not Available
Vendor-Prem Tiwari
Product-FM Notification Bar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-46852
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.40% / 31.32%
||
7 Day CHG~0.00%
Published-03 May, 2023 | 14:04
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Table Builder – WordPress Table Plugin Plugin <= 1.4.6 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP Table Builder plugin <= 1.4.6 versions.

Action-Not Available
Vendor-dotcampWP Table Builder
Product-wp_table_builderWP Table Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22738
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.31% / 22.53%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 15:23
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP ULike plugin <= 4.7.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alimir WP ULike wp-ulike allows Stored XSS.This issue affects WP ULike: from n/a through <= 4.7.6.

Action-Not Available
Vendor-wpulikeAlimir
Product-wp_ulikeWP ULike
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2340
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.35% / 27.05%
||
7 Day CHG~0.00%
Published-16 Mar, 2025 | 13:31
Updated-26 Aug, 2025 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
otale Tale Blog Site Settings save saveOptions cross site scripting

A vulnerability was found in otale Tale Blog 2.0.5. It has been declared as problematic. This vulnerability affects the function saveOptions of the file /options/save of the component Site Settings. The manipulation of the argument Site Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-otaleotale
Product-tale_blogTale Blog
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-47131
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.41% / 32.46%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page.

Action-Not Available
Vendor-n/aCreativeitem
Product-academy_lmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2279
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.21% / 11.65%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 06:00
Updated-29 Apr, 2025 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Maps - Google Maps <= 1.0.6 - Contributor+ Stored XSS

The Maps WordPress plugin through 1.0.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-robosoftUnknown
Product-mapsMaps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22788
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.22% / 12.72%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 15:23
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CoDesigner plugin <= 4.29 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codexpert, Inc CoDesigner woolementor allows Stored XSS.This issue affects CoDesigner: from n/a through <= 4.29.

Action-Not Available
Vendor-Codexpert, Inc
Product-CoDesigner
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22855
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-2.6||LOW
EPSS-0.30% / 21.84%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 14:02
Updated-23 Jul, 2025 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Fortinet FortiClient before 7.4.1 may allow the EMS administrator to send messages containing javascript code.

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlientemsFortiClientEMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-15948
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.59% / 43.60%
||
7 Day CHG~0.00%
Published-28 Oct, 2017 | 00:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Perch Content Management System 3.0.3 allows unrestricted file upload (with resultant XSS) via the Asset Title field in conjunction with the Select File field. This is exploitable with a Limited Admin account.

Action-Not Available
Vendor-grabaperchn/a
Product-perchn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45665
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 33.38%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:26
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects EAX20 before 1.0.0.36, EAX80 before 1.0.1.62, EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, RBW30 before 2.6.1.4, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, and RBS40V before 2.6.1.4.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rbs40v_firmwareeax20_firmwarerbs40veax80ex7500rbw30_firmwareex6130_firmwarerbs750_firmwarerbs850_firmwarerbr850ex3800_firmwarerbr750_firmwareeax20rbw30ex3700ex7500_firmwarerbs850rbk752_firmwareex3800rbk752rbr750rbs750eax80_firmwareex3700_firmwareex6120rbk852_firmwarerbk852ex6130ex6120_firmwarerbr850_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2210
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.45% / 35.67%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 22:00
Updated-21 May, 2025 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aitangbao springboot-manager add cross site scripting

A vulnerability has been found in aitangbao springboot-manager 3.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /sysJob/add. The manipulation of the argument name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-aitangbaoaitangbao
Product-springboot-managerspringboot-manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-2162
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.32% / 23.43%
||
7 Day CHG~0.00%
Published-18 Apr, 2025 | 06:00
Updated-28 May, 2025 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MapPress Maps for WordPress < 2.94.10 - Admin+ Stored XSS

The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-mappressproUnknown
Product-mappressMapPress Maps for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22132
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.3||HIGH
EPSS-0.41% / 32.94%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 22:04
Updated-13 Feb, 2025 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WeGIA has a Cross-Site Scripting (XSS) in File Upload Field

WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7.

Action-Not Available
Vendor-wegianilsonLazarin
Product-wegiaWeGIA
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2211
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.45% / 35.67%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 22:00
Updated-21 May, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aitangbao springboot-manager add cross site scripting

A vulnerability was found in aitangbao springboot-manager 3.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /sysDictDetail/add. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-aitangbaoaitangbao
Product-springboot-managerspringboot-manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-2205
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.40% / 31.76%
||
7 Day CHG~0.00%
Published-12 Mar, 2025 | 03:21
Updated-08 Apr, 2026 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GDPR Cookie Compliance <= 4.15.6 - Authenticated (Admin+) Stored Cross-Site Scripting

The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-mooveagencymooveagency
Product-gdpr_cookie_complianceGDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice for CCPA, EU Cookie Law
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-44742
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.8||MEDIUM
EPSS-0.39% / 30.91%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 11:33
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Community Events Plugin <= 1.4.8 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting vulnerability in Yannick Lefebvre Community Events plugin <= 1.4.8 versions.

Action-Not Available
Vendor-community_events_projectYannick Lefebvre
Product-community_eventsCommunity Events
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2206
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.47% / 37.21%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 20:00
Updated-26 May, 2025 | 02:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aitangbao springboot-manager permission cross site scripting

A vulnerability classified as problematic has been found in aitangbao springboot-manager 3.0. This affects an unknown part of the file /sys/permission. The manipulation of the argument name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-aitangbaoaitangbao
Product-springboot-managerspringboot-manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-2207
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.47% / 37.21%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 20:00
Updated-21 May, 2025 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aitangbao springboot-manager dept cross site scripting

A vulnerability classified as problematic was found in aitangbao springboot-manager 3.0. This vulnerability affects unknown code of the file /sys/dept. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-aitangbaoaitangbao
Product-springboot-managerspringboot-manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-2213
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.35% / 26.78%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 23:00
Updated-29 Jan, 2026 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Castlenet CBW383G2N Wireless Menu wlanPrimaryNetwork.asp cross site scripting

A vulnerability was found in Castlenet CBW383G2N up to 20250301. It has been declared as problematic. This vulnerability affects unknown code of the file /wlanPrimaryNetwork.asp of the component Wireless Menu. The manipulation of the argument SSID with the input <img/src/onerror=prompt(8)> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-castlenetCastlenet
Product-cbw383g2n_firmwarecbw383g2nCBW383G2N
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-18404
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.34% / 25.69%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 00:00
Updated-04 Dec, 2024 | 21:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in espcms version P8.18101601. There is a cross site scripting (XSS) vulnerability that allows arbitrary code to be executed via the title parameter.

Action-Not Available
Vendor-ecispn/a
Product-espcmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22245
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-5.9||MEDIUM
EPSS-0.22% / 12.32%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 19:32
Updated-14 Jul, 2025 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the router port due to improper input validation.

Action-Not Available
Vendor-Broadcom Inc.VMware (Broadcom Inc.)
Product-vmware_nsxcloud_foundationtelco_cloud_platformtelco_cloud_infrastructureVMware NSX
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-32831
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 23.53%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 07:23
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Accessibility Widget plugin <= 2.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lorna Timbah (webgrrrl) Accessibility Widget allows Stored XSS.This issue affects Accessibility Widget: from n/a through 2.2.

Action-Not Available
Vendor-Lorna Timbah (webgrrrl)
Product-Accessibility Widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2209
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.45% / 35.67%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 21:31
Updated-21 May, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aitangbao springboot-manager add cross site scripting

A vulnerability, which was classified as problematic, was found in aitangbao springboot-manager 3.0. Affected is an unknown function of the file /sysDict/add. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-aitangbaoaitangbao
Product-springboot-managerspringboot-manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-21603
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 19.96%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 03:30
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability exists in MZK-DP300N firmware versions 1.05 and earlier. If an attacker logs in to the affected product and manipulates the device settings, an arbitrary script may be executed on the logged-in user's web browser when accessing a crafted URL.

Action-Not Available
Vendor-PLANEX COMMUNICATIONS INC.
Product-MZK-DP300N
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-20280
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 10.71%
||
7 Day CHG~0.00%
Published-03 Sep, 2025 | 17:40
Updated-09 Sep, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_infrastructureevolved_programmable_network_managerCisco Prime InfrastructureCisco Evolved Programmable Network Manager (EPNM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-44735
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.8||MEDIUM
EPSS-0.39% / 30.90%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 12:56
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Clictracker Plugin <= 1.0.5 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gus Sevilla WP Clictracker plugin <= 1.0.5 versions.

Action-Not Available
Vendor-wp_clictracker_projectGus Sevilla
Product-wp_clictrackerWP Clictracker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-45012
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.49% / 38.44%
||
7 Day CHG~0.00%
Published-21 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the Modify Page module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Source field.

Action-Not Available
Vendor-wbcen/a
Product-wbce_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 84
  • 85
  • Next
Details not found