Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-38870

Summary
Assigner-ManageEngine
Assigner Org ID-0fc0942c-577d-436f-ae8e-945763c79b02
Published At-17 Jul, 2024 | 16:48
Updated At-02 Aug, 2024 | 04:19
Rejected At-
Credits

Stored XSS

Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and OpManager Enterprise Edition versions before 128104, from 128151 before 128238, from 128247 before 128250 are vulnerable to Stored XSS vulnerability in reports module.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ManageEngine
Assigner Org ID:0fc0942c-577d-436f-ae8e-945763c79b02
Published At:17 Jul, 2024 | 16:48
Updated At:02 Aug, 2024 | 04:19
Rejected At:
▼CVE Numbering Authority (CNA)
Stored XSS

Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and OpManager Enterprise Edition versions before 128104, from 128151 before 128238, from 128247 before 128250 are vulnerable to Stored XSS vulnerability in reports module.

Affected Products
Vendor
ManageEngine (Zoho Corporation Pvt. Ltd.)ManageEngine
Product
OpManager, OpManager Plus, OpManager MSP, OpManager Enterprise Edition
Collection URL
https://www.manageengine.com/network-monitoring/
Default Status
unaffected
Versions
Affected
  • From 0 before 128104 (128104)
  • From 128151 before 128238 (128238)
  • From 128247 before 128250 (128250)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-592CAPEC-592 Stored XSS
CAPEC ID: CAPEC-592
Description: CAPEC-592 Stored XSS
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.manageengine.com/network-monitoring/security-updates/cve-2024-38870.html
N/A
Hyperlink: https://www.manageengine.com/network-monitoring/security-updates/cve-2024-38870.html
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.manageengine.com/network-monitoring/security-updates/cve-2024-38870.html
x_transferred
Hyperlink: https://www.manageengine.com/network-monitoring/security-updates/cve-2024-38870.html
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:0fc0942c-577d-436f-ae8e-945763c79b02
Published At:17 Jul, 2024 | 17:15
Updated At:18 Jul, 2024 | 12:28

Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and OpManager Enterprise Edition versions before 128104, from 128151 before 128238, from 128247 before 128250 are vulnerable to Stored XSS vulnerability in reports module.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondary0fc0942c-577d-436f-ae8e-945763c79b02
CWE ID: CWE-79
Type: Secondary
Source: 0fc0942c-577d-436f-ae8e-945763c79b02
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.manageengine.com/network-monitoring/security-updates/cve-2024-38870.html0fc0942c-577d-436f-ae8e-945763c79b02
N/A
Hyperlink: https://www.manageengine.com/network-monitoring/security-updates/cve-2024-38870.html
Source: 0fc0942c-577d-436f-ae8e-945763c79b02
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

95Records found
CVE-2025-5966
Matching Score-6
Assigner-Zohocorp
ShareView Details
Matching Score-6
Assigner-Zohocorp
CVSS Score-8.1||HIGH
EPSS-0.04% / 10.19%
||
7 Day CHG~0.00%
Published-26 Jun, 2025 | 12:22
Updated-26 Jun, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)
Product-Exchange Reporter Plus
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5366
Matching Score-6
Assigner-Zohocorp
ShareView Details
Matching Score-6
Assigner-Zohocorp
CVSS Score-8.1||HIGH
EPSS-0.04% / 10.19%
||
7 Day CHG~0.00%
Published-26 Jun, 2025 | 12:21
Updated-26 Jun, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)
Product-Exchange Reporter Plus
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-27313
Matching Score-6
Assigner-ManageEngine
ShareView Details
Matching Score-6
Assigner-ManageEngine
CVSS Score-6.3||MEDIUM
EPSS-0.40% / 59.59%
||
7 Day CHG~0.00%
Published-29 May, 2024 | 11:01
Updated-27 Nov, 2024 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS Vulnerability

Zoho ManageEngine PAM360 is vulnerable to Stored XSS vulnerability. This vulnerability is applicable only in the version 6610.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)Zoho Corporation Pvt. Ltd.
Product-manageengine_pam360PAM360pam360
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-41437
Matching Score-6
Assigner-ManageEngine
ShareView Details
Matching Score-6
Assigner-ManageEngine
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 10:44
Updated-09 Jun, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected XSS

Zohocorp ManageEngine OpManager, NetFlow Analyzer, Network Configuration Manager, Firewall Analyzer and OpUtils versions 128565 and below are vulnerable to Reflected XSS on the login page.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)
Product-OpManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-27930
Matching Score-6
Assigner-Zohocorp
ShareView Details
Matching Score-6
Assigner-Zohocorp
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 10.03%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 10:20
Updated-25 Jul, 2025 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS

Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)
Product-Applications Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-50053
Matching Score-6
Assigner-ManageEngine
ShareView Details
Matching Score-6
Assigner-ManageEngine
CVSS Score-6.3||MEDIUM
EPSS-0.02% / 3.47%
||
7 Day CHG~0.00%
Published-21 Mar, 2025 | 06:01
Updated-05 May, 2025 | 13:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS

Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)Zoho Corporation Pvt. Ltd.
Product-manageengine_supportcentre_plusmanageengine_servicedesk_plus_mspmanageengine_servicedesk_plusServiceDesk PlusServiceDesk Plus MSPSupportCentre Plus
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41150
Matching Score-6
Assigner-ManageEngine
ShareView Details
Matching Score-6
Assigner-ManageEngine
CVSS Score-6.3||MEDIUM
EPSS-0.64% / 69.69%
||
7 Day CHG~0.00%
Published-23 Aug, 2024 | 14:08
Updated-27 Aug, 2024 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS

An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)Zoho Corporation Pvt. Ltd.
Product-manageengine_servicedesk_plusmanageengine_supportcenter_plusmanageengine_servicedesk_plus_mspSupportCenter PlusServiceDesk Plus MSPServiceDesk Plus
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-38869
Matching Score-6
Assigner-ManageEngine
ShareView Details
Matching Score-6
Assigner-ManageEngine
CVSS Score-8.3||HIGH
EPSS-0.08% / 24.86%
||
7 Day CHG~0.00%
Published-23 Aug, 2024 | 14:07
Updated-30 Aug, 2024 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)Zoho Corporation Pvt. Ltd.
Product-manageengine_servicedesk_plusmanageengine_supportcenter_plusmanageengine_servicedesk_plus_mspEndpoint Centralmanageengine_endpoint_central
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-36038
Matching Score-6
Assigner-ManageEngine
ShareView Details
Matching Score-6
Assigner-ManageEngine
CVSS Score-6.3||MEDIUM
EPSS-0.06% / 16.95%
||
7 Day CHG~0.00%
Published-24 Jun, 2024 | 11:45
Updated-02 Aug, 2024 | 03:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS

Zoho ManageEngine ITOM products versions from 128234 to 128248 are affected by the stored cross-site scripting vulnerability in the proxy server option.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)
Product-OpManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-27314
Matching Score-6
Assigner-ManageEngine
ShareView Details
Matching Score-6
Assigner-ManageEngine
CVSS Score-2.4||LOW
EPSS-1.93% / 82.62%
||
7 Day CHG~0.00%
Published-27 May, 2024 | 07:03
Updated-17 Jun, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS Vulnerability

Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.

Action-Not Available
Vendor-Zoho Corporation Pvt. Ltd.ManageEngine (Zoho Corporation Pvt. Ltd.)
Product-manageengine_supportcenter_plusmanageengine_servicedesk_plusmanageengine_servicedesk_plus_mspServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plussupportcenter_plusservicedesk_plusservicedeskplusmsp
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-9490
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.85% / 73.98%
||
7 Day CHG~0.00%
Published-05 Jun, 2018 | 14:00
Updated-06 Aug, 2024 | 02:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ManageEngine Applications Manager versions 12 and 13 suffer from a Reflected Cross-Site Scripting vulnerability

ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from a Reflected Cross-Site Scripting vulnerability. Applications Manager is prone to a Cross-Site Scripting vulnerability in parameter LIMIT, in URL path /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233. The URL is also available without authentication.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)
Product-applications_managerApplications Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2220
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.20% / 42.60%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 06:00
Updated-15 May, 2025 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Button contact VR <= 4.7 - Admin+ Stored XSS

The Button contact VR WordPress plugin through 4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-buttonizerUnknownvirustran
Product-call_\/_chat_\/_contact_buttonButton contact VRbutton_contact_vr
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-43566
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-3.5||LOW
EPSS-0.05% / 15.24%
||
7 Day CHG~0.00%
Published-19 Sep, 2023 | 16:57
Updated-24 Sep, 2024 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41250
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-3.5||LOW
EPSS-0.16% / 37.95%
||
7 Day CHG~0.00%
Published-25 Aug, 2023 | 12:58
Updated-27 Sep, 2024 | 21:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during user registration

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3619
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-3.5||LOW
EPSS-0.31% / 53.74%
||
7 Day CHG~0.00%
Published-17 Aug, 2021 | 19:07
Updated-17 Sep, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rapid7 Velociraptor Notebooks Authenticated Persistent XSS

Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that login rights to Velociraptor is nearly always reserved for trusted and verified users with IT security backgrounds.

Action-Not Available
Vendor-Rapid7 LLC
Product-velociraptorVelociraptor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43952
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-3.3||LOW
EPSS-0.25% / 48.03%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 16:06
Updated-22 Oct, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC version 7.1.1 and below, version 7.0.3 and below, version 6.2.5 and below may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortiADC
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-46350
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.05% / 14.26%
||
7 Day CHG~0.00%
Published-29 Apr, 2025 | 17:11
Updated-09 May, 2025 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Yeswiki Vulnerable to Authenticated Reflected Cross-site Scripting

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.

Action-Not Available
Vendor-yeswikiYesWiki
Product-yeswikiyeswiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-46618
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-3.5||LOW
EPSS-0.02% / 3.57%
||
7 Day CHG+0.01%
Published-25 Apr, 2025 | 14:32
Updated-29 Apr, 2025 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab

Action-Not Available
Vendor-JetBrains s.r.o.
Product-TeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-30950
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.10% / 27.89%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 00:00
Updated-10 Jun, 2025 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in FUDforum v3.1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SQL statements field under /adm/admsql.php.

Action-Not Available
Vendor-fudforumn/afudforum
Product-fudforumn/afudforum
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-27125
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-3.5||LOW
EPSS-0.21% / 43.88%
||
7 Day CHG~0.00%
Published-06 Sep, 2024 | 16:27
Updated-13 Sep, 2024 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Helpdesk

A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following version: Helpdesk 3.3.1 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-helpdeskHelpdesk
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25627
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.34% / 56.17%
||
7 Day CHG~0.00%
Published-16 Feb, 2024 | 20:27
Updated-18 Dec, 2024 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) via File Upload in Alf.io

Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-alfalfio-eventalfio-event
Product-alfalf.ioalf.io
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-13615
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.02%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 06:00
Updated-06 May, 2025 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Social Media Plugin by Social Snap <= 1.3.6 - Admin+ Stored XSS

The Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap WordPress plugin through 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-socialsnapUnknown
Product-social_snapSocial Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13125
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.02%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 06:00
Updated-21 May, 2025 | 18:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Everest Forms < 3.0.8.1 - Admin+ Stored XSS

The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wpeverestUnknown
Product-everest_formsEverest Forms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13121
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.02%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 06:00
Updated-21 May, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Paid Membership Plugin < 4.15.20 - Admin+ Stored XSS

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-properfractionUnknown
Product-profilepressPaid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13314
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.02%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 06:00
Updated-07 May, 2025 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Carousel, Slider, Gallery by WP Carousel < 2.7.4 - Admin+ Stored XSS

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-techeartyUnknown
Product-carousel\,_slider\,_gallery_by_wp_carouselCarousel, Slider, Gallery by WP Carousel
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13123
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 5.64%
||
7 Day CHG-0.02%
Published-25 Mar, 2025 | 06:00
Updated-01 Apr, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AFI < 1.100.0 - Admin+ Stored XSS

The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-advancedformintegrationUnknown
Product-advanced_form_integrationAFI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13124
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.40%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 06:00
Updated-13 May, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Photo Gallery by 10Web < 1.8.33 - Admin+ Stored XSS

The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-photo_galleryPhoto Gallery by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13381
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.05% / 13.54%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 06:00
Updated-07 May, 2025 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Calculated Fields Form < 5.2.62 - Admin+ Stored XSS

The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownCodePeople
Product-calculated_fields_formCalculated Fields Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12273
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.05% / 13.54%
||
7 Day CHG~0.00%
Published-29 Apr, 2025 | 06:00
Updated-29 Apr, 2025 | 21:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Calculated Fields Form < 5.2.62 - Admin+ Stored XSS

The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownCodePeople
Product-calculated_fields_formCalculated Fields Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12173
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.02%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 06:00
Updated-15 May, 2025 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Master Slider < 3.10.5 - Editor+ Stored XSS

The Master Slider WordPress plugin before 3.10.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownDepicter (Averta)
Product-master_sliderMaster Slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12769
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.00%
||
7 Day CHG-0.02%
Published-25 Mar, 2025 | 06:00
Updated-29 Apr, 2025 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Banner < 3.0.4 - Admin+ Stored XSS

The Simple Banner WordPress plugin before 3.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-simple_banner_projectUnknown
Product-simple_bannerSimple Banner
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11140
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.35%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Real WP Shop Lite Ajax eCommerce Shopping Cart <= 2.0.8 - Admin+ Stored XSS

The Real WP Shop Lite Ajax eCommerce Shopping Cart WordPress plugin through 2.0.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-vk011Unknown
Product-real_wp_shop_lite_ajax_ecommerce_shopping_cartReal WP Shop Lite Ajax eCommerce Shopping Cart
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10558
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.70%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 06:00
Updated-13 May, 2025 | 13:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Form Maker by 10Web < 1.15.30 - Admin+ Stored XSS

The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-form_makerForm Maker by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10710
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.06% / 17.59%
||
7 Day CHG+0.01%
Published-25 Nov, 2024 | 06:00
Updated-15 May, 2025 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YaDisk Files <= 1.2.5 - Admin+ Stored XSS

The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-antongorodezkiyUnknownyadisk_files
Product-yadisk_filesYaDisk Filesyadisk_files
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10560
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.00%
||
7 Day CHG-0.02%
Published-25 Mar, 2025 | 06:00
Updated-03 Apr, 2025 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Form Maker by 10Web < 1.15.30 - Admin+ Stored XSS

The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-form_makerForm Maker by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10515
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.06% / 17.59%
||
7 Day CHG~0.00%
Published-20 Nov, 2024 | 06:00
Updated-31 Mar, 2025 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SEO Plugin by Squirrly SEO < 12.3.21 - Editor+ Stored XSS

In the process of testing the SEO Plugin by Squirrly SEO WordPress plugin before 12.3.21, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor

Action-Not Available
Vendor-squirrlyUnknownsquirrly
Product-seo_plugin_by_squirrly_seoSEO Plugin by Squirrly SEOseo_plugin_by_squirrly_seo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-5901
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-3.5||LOW
EPSS-0.15% / 36.56%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 00:00
Updated-02 Aug, 2024 | 08:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting in pkp/pkp-lib

Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

Action-Not Available
Vendor-sfupkp
Product-pkp_web_application_librarypkp/pkp-lib
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-21434
Matching Score-4
Assigner-OTRS AG
ShareView Details
Matching Score-4
Assigner-OTRS AG
CVSS Score-3.5||LOW
EPSS-0.31% / 53.59%
||
7 Day CHG~0.00%
Published-08 Feb, 2021 | 10:55
Updated-17 Sep, 2024 | 03:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Survey Module

Survey administrator can craft a survey in such way that malicious code can be executed in the agent interface (i.e. another agent who wants to make changes in the survey). This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior versions.

Action-Not Available
Vendor-OTRS AG
Product-surveySurvey
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1203
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.00%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 06:00
Updated-24 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Slider, Gallery, Carousel by MetaSlider < 3.95.0 - Editor+ Stored XSS

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown
Product-Slider, Gallery, and Carousel by MetaSlider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13122
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 5.64%
||
7 Day CHG-0.02%
Published-25 Mar, 2025 | 06:00
Updated-01 Apr, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AFI < 1.100.0 - Admin+ Stored XSS

The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-advancedformintegrationUnknown
Product-advanced_form_integrationAFI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12683
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 5.64%
||
7 Day CHG-0.02%
Published-26 Mar, 2025 | 06:00
Updated-06 May, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart Maintenance Mode < 1.5.2 - Admin+ Stored XSS

The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-brijeshk89Unknown
Product-smart_maintenance_modeSmart Maintenance Mode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11924
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.06% / 19.50%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 06:00
Updated-29 Apr, 2025 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Email Subscribers < 5.7.52 - Admin+ Stored XSS

The Icegram Express formerly known as Email Subscribers WordPress plugin before 5.7.52 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-icegramUnknown
Product-icegram_expressIcegram Express formerly known as Email Subscribers
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0429
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.08% / 23.60%
||
7 Day CHG~0.00%
Published-21 Feb, 2023 | 08:50
Updated-12 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Watu Quiz < 3.3.8.3 - Admin+ Stored XSS

The Watu Quiz WordPress plugin before 3.3.8.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-kibokolabsUnknown
Product-watu_quizWatu Quiz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10545
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.02%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 06:00
Updated-15 May, 2025 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NextGEN Gallery < 3.59.9 - Admin+ Stored XSS

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.9 does not sanitise and escape some of its Image settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-UnknownImagely, LLC (Imagely)
Product-nextgen_galleryPhoto Gallery, Sliders, Proofing and Themes
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10554
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.00%
||
7 Day CHG-0.02%
Published-25 Mar, 2025 | 06:00
Updated-15 May, 2025 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-Advanced-Search < 3.3.9.3 - Admin+ Stored XSS

The WordPress WP-Advanced-Search WordPress plugin before 3.3.9.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-internet-formationUnknown
Product-wp-advanced-searchWordPress WP-Advanced-Search
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3504
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.05% / 13.54%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 06:00
Updated-07 May, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wepluginsUnknown
Product-wp_mapsWP Maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3502
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.05% / 13.54%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 06:00
Updated-07 May, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wepluginsUnknown
Product-wp_mapsWP Maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3513
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.05% / 13.54%
||
7 Day CHG~0.00%
Published-02 May, 2025 | 06:00
Updated-28 May, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SureForms < 1.4.4 - Admin+ Stored XSS

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownBrainstorm Force
Product-sureformsSureForms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3583
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.05% / 13.54%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 06:00
Updated-07 May, 2025 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsletter < 8.7.1 - Admin+ Stored XSS

The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-thenewsletterpluginUnknown
Product-newsletterNewsletter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3514
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.05% / 13.54%
||
7 Day CHG~0.00%
Published-02 May, 2025 | 06:00
Updated-28 May, 2025 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SureForms < 1.4.4 - Admin+ Stored XSS

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownBrainstorm Force
Product-sureformsSureForms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • Next
Details not found