Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-5317

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-05 Jun, 2024 | 01:56
Updated At-01 Aug, 2024 | 21:11
Rejected At-
Credits

Newsletter <= 8.3.4 - Unauthenticated Stored Cross-Site Scripting via np1

The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'np1' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:05 Jun, 2024 | 01:56
Updated At:01 Aug, 2024 | 21:11
Rejected At:
▼CVE Numbering Authority (CNA)
Newsletter <= 8.3.4 - Unauthenticated Stored Cross-Site Scripting via np1

The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'np1' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected Products
Vendor
satollo
Product
Newsletter – Send awesome emails from WordPress
Default Status
unaffected
Versions
Affected
  • From * through 8.3.4 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: N/A
CWE ID: N/A
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Arkadiusz Hydzik
Timeline
EventDate
Vendor Notified2024-05-28 00:00:00
Disclosed2024-06-04 00:00:00
Event: Vendor Notified
Date: 2024-05-28 00:00:00
Event: Disclosed
Date: 2024-06-04 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/4876e05e-efa6-46c6-832b-9ecc42934998?source=cve
N/A
https://plugins.trac.wordpress.org/changeset/3095002/newsletter
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/4876e05e-efa6-46c6-832b-9ecc42934998?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3095002/newsletter
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
newsletter
Product
newsletter_send_awesome_emails
CPEs
  • cpe:2.3:a:newsletter:newsletter_send_awesome_emails:*:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 0 through 8.3.4 (semver)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/4876e05e-efa6-46c6-832b-9ecc42934998?source=cve
x_transferred
https://plugins.trac.wordpress.org/changeset/3095002/newsletter
x_transferred
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/4876e05e-efa6-46c6-832b-9ecc42934998?source=cve
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/changeset/3095002/newsletter
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:05 Jun, 2024 | 02:15
Updated At:11 Jun, 2024 | 17:22

The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'np1' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Secondary3.16.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CPE Matches
thenewsletterplugin
thenewsletterplugin
>>newsletter>>Versions before 8.3.5(exclusive)
cpe:2.3:a:thenewsletterplugin:newsletter:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/changeset/3095002/newslettersecurity@wordfence.com
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/4876e05e-efa6-46c6-832b-9ecc42934998?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/changeset/3095002/newsletter
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/4876e05e-efa6-46c6-832b-9ecc42934998?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

10806Records found
CVE-2024-13224
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 8.76%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 06:00
Updated-12 May, 2025 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SlideDeck 1 Lite Content Slider <= 1.4.8 - Reflected XSS

The SlideDeck 1 Lite Content Slider WordPress plugin through 1.4.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-dtelepathyUnknown
Product-slidedeck_1_lite_content_sliderSlideDeck 1 Lite Content Slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13366
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.13% / 33.48%
||
7 Day CHG+0.01%
Published-17 Jan, 2025 | 07:01
Updated-12 Feb, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sandbox <= 0.4 - Reflected Cross-Site Scripting

The Sandbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'debug' parameter in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-barteled
Product-Sandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12732
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.29%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AffiliateImporterEb <= 1.0.6 - Reflected XSS

The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-cr1000Unknown
Product-affiliateimporterebAffiliateImporterEb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12462
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 14.11%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 04:21
Updated-07 Jan, 2025 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YOGO Booking <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The YOGO Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'yogo-calendar' shortcode in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-andersyogo
Product-YOGO Booking
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12736
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.01% / 1.14%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 06:00
Updated-12 Jun, 2025 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BU Section Editing <= 0.9.9 - Reflected XSS

The BU Section Editing WordPress plugin through 0.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-buUnknown
Product-bu_section_editingBU Section Editing
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19003
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 58.10%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 19:46
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ABB eSOMS: HTTPOnly flag not set

For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow Javascript to access the cookie contents, which in turn might enable Cross Site Scripting.

Action-Not Available
Vendor-Hitachi Energy Ltd.ABB
Product-esomseSOMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-16
Not Available
CVE-2018-19955
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 60.82%
||
7 Day CHG~0.00%
Published-02 Nov, 2020 | 15:57
Updated-16 Sep, 2024 | 20:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-photo_stationPhoto Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-12449
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 12.79%
||
7 Day CHG~0.00%
Published-18 Dec, 2024 | 03:22
Updated-18 Dec, 2024 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Video Share VOD – Turnkey Video Site Builder Script <= 2.6.30 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_player_html' shortcode in all versions up to, and including, 2.6.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-videowhisper
Product-Video Share VOD – Turnkey Video Site Builder Script
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13082
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 14.74%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 21:00
Updated-06 Jan, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Land Record System search-property.php cross site scripting

A vulnerability was found in PHPGurukul Land Record System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/search-property.php. The manipulation of the argument Search By leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-land_record_systemLand Record System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-19288
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 57.38%
||
7 Day CHG~0.00%
Published-14 Dec, 2020 | 21:05
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link.

Action-Not Available
Vendor-Siemens AG
Product-xhqXHQ
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12883
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.02% / 3.17%
||
7 Day CHG~0.00%
Published-21 Dec, 2024 | 13:00
Updated-10 Jan, 2025 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Job Recruitment _email.php cross site scripting

A vulnerability was found in code-projects Job Recruitment 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /_email.php. The manipulation of the argument email leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anishaSource Code & Projects
Product-job_recruitmentJob Recruitment
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-12980
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.06% / 18.43%
||
7 Day CHG~0.00%
Published-27 Dec, 2024 | 05:00
Updated-18 Feb, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Job Recruitment _all_edits.php fln_update cross site scripting

A vulnerability was found in code-projects Job Recruitment 1.0. It has been classified as problematic. Affected is the function fln_update of the file /_parse/_all_edits.php. The manipulation of the argument fname/lname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anishaSource Code & Projects
Product-job_recruitmentJob Recruitment
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-36303
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.42%
||
7 Day CHG~0.00%
Published-19 Jul, 2022 | 18:20
Updated-03 Aug, 2024 | 10:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the handle_file_upload function at /web/api/v1/upload/UploadHandler.php.

Action-Not Available
Vendor-vestacpn/a
Product-vesta_control_paneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-34025
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.42%
||
7 Day CHG~0.00%
Published-19 Jul, 2022 | 18:20
Updated-03 Aug, 2024 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the post function at /web/api/v1/upload/UploadHandler.php.

Action-Not Available
Vendor-vestacpn/a
Product-vesta_control_paneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-22822
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-6.1||MEDIUM
EPSS-0.53% / 66.08%
||
7 Day CHG~0.00%
Published-28 Jan, 2022 | 19:09
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79 Improper Neutralization of Input During Web Page Generation (�Cross-site Scripting�) vulnerability exists that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)

Action-Not Available
Vendor-n/a
Product-evlink_city_evc1s22p4evlink_parking_evf2evlink_parking_evp2pe_firmwareevlink_parking_evf2_firmwareevlink_parking_evw2evlink_parking_evp2peevlink_city_evc1s22p4_firmwareevlink_city_evc1s7p4_firmwareevlink_smart_wallbox_evb1a_firmwareevlink_smart_wallbox_evb1aevlink_parking_evw2_firmwareevlink_city_evc1s7p4n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13157
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 17.66%
||
7 Day CHG+0.01%
Published-31 Jan, 2025 | 08:21
Updated-31 Jan, 2025 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Podcast RSS Feed

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Podcast RSS Feed in all versions up to, and including, 5.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-sonaar
Product-MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12696
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 15.41%
||
7 Day CHG+0.01%
Published-18 Jan, 2025 | 07:05
Updated-21 Jan, 2025 | 21:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Picture Gallery – Frontend Image Uploads, AJAX Photo List <= 1.5.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via videowhisper_picture_upload_guest Shortcode

The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videowhisper_picture_upload_guest shortcode in all versions up to, and including, 1.5.22 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-videowhisper
Product-Picture Gallery – Frontend Image Uploads, AJAX Photo List
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-31145
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 41.07%
||
7 Day CHG~0.00%
Published-15 May, 2023 | 20:58
Updated-22 Jan, 2025 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected XSS vulnerability in CollaboraOnline

Collabora Online is a collaborative online office suite based on LibreOffice technology. This vulnerability report describes a reflected XSS vulnerability with full CSP bypass in Nextcloud installations using the recommended bundle. The vulnerability can be exploited to perform a trivial account takeover attack. The vulnerability allows attackers to inject malicious code into web pages, which can be executed in the context of the victim's browser session. This means that an attacker can steal sensitive data, such as login credentials or personal information, or perform unauthorized actions on behalf of the victim, such as modifying or deleting data. In this specific case, the vulnerability allows for a trivial account takeover attack. An attacker can exploit the vulnerability to inject code into the victim's browser session, allowing the attacker to take over the victim's account without their knowledge or consent. This can lead to unauthorized access to sensitive information and data, as well as the ability to perform actions on behalf of the victim. Furthermore, the fact that the vulnerability bypasses the Content Security Policy (CSP) makes it more dangerous, as CSP is an important security mechanism used to prevent cross-site scripting attacks. By bypassing CSP, attackers can circumvent the security measures put in place by the web application and execute their malicious code. This issue has been patched in versions 22.05.13, 21.11.9, and 6.4.27. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-collaboraCollaboraOnline
Product-onlineonline
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13221
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 8.76%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 06:00
Updated-14 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fantastic Elasticsearch <= 4.1.0 - Reflected XSS

The Fantastic ElasticSearch WordPress plugin through 4.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-Unknown
Product-Fantastic ElasticSearch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20003
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.38% / 58.53%
||
7 Day CHG~0.00%
Published-17 Jan, 2020 | 15:01
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Feldtech easescreen Crystal 9.0 Web-Services 9.0.1.16265 allows Stored XSS via the Debug-Log and Display-Log components. This could be exploited when an attacker sends an crafted string for FTP authentication.

Action-Not Available
Vendor-dicuben/a
Product-easescreen_crystaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12458
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 15.67%
||
7 Day CHG~0.00%
Published-14 Dec, 2024 | 04:23
Updated-16 Dec, 2024 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart PopUp Blaster <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Smart PopUp Blaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spb-button' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-devnethr
Product-Smart PopUp Blaster
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12597
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 7.02%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 06:41
Updated-05 Feb, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HT Mega <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via block_css and inner_css

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_css' and 'inner_css' parameters in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-HasTech IT Limited (HasThemes)
Product-ht_megaHT Mega – Absolute Addons For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12491
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 11.39%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 11:11
Updated-09 Jan, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SimplyRETS Real Estate IDX <= 2.11.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The SimplyRETS Real Estate IDX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sr_search_form' shortcode in all versions up to, and including, 2.11.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-reichertbrothers
Product-SimplyRETS Real Estate IDX
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12519
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 14.11%
||
7 Day CHG~0.00%
Published-11 Jan, 2025 | 07:21
Updated-13 Jan, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TCBD Auto Refresher <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The TCBD Auto Refresher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcbd_auto_refresh' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-tcoder
Product-TCBD Auto Refresher
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-22676
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 40.88%
||
7 Day CHG~0.00%
Published-10 Aug, 2021 | 14:02
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser action on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaWebAccess/SCADA
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-4245
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.34% / 56.29%
||
7 Day CHG~0.00%
Published-28 Oct, 2019 | 14:33
Updated-07 Aug, 2024 | 03:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pootle 2.0.5 has XSS via 'match_names' parameter

Action-Not Available
Vendor-translatehousen/a
Product-pootlen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12772
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.01% / 1.13%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 06:00
Updated-28 Mar, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Tables < 5.0.17 - Admin+ Stored XSS

The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, leading to a Cross Site Scripting vulnerability.

Action-Not Available
Vendor-wpmanageninjaUnknown
Product-ninja_tablesNinja Tables
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12814
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 17.20%
||
7 Day CHG~0.00%
Published-24 Dec, 2024 | 06:59
Updated-24 Dec, 2024 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Loan Comparison <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Loan Comparison plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'loancomparison' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Aerin (Quick Plugins)
Product-Loan Comparison
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12515
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 11.39%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 11:11
Updated-09 Jan, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Muslim Prayer Time-Salah/Iqamah <= 1.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Muslim Prayer Time-Salah/Iqamah plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Masjid ID parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-masjidal
Product-Muslim Prayer Time-Salah/Iqamah
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-22227
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.11% / 29.31%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 10:40
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12921
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 12.52%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 05:23
Updated-30 Jan, 2025 | 15:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EthereumICO <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via ethereum-ico Shortcode

The EthereumICO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ethereum-ico shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-ethereumicoio
Product-EthereumICO
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12817
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 11.91%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-27 Jan, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Etsy Importer <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Etsy Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'product_link' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-coreymcollins
Product-Etsy Importer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12422
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 43.16%
||
7 Day CHG~0.00%
Published-14 Dec, 2024 | 05:34
Updated-16 Dec, 2024 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Import Eventbrite Events <= 1.7.4 - Reflected Cross-Site Scripting

The Import Eventbrite Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-xylus
Product-Import Eventbrite Events
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12496
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.05% / 15.41%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 11:10
Updated-09 Jan, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linear <= 2.7.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Linear plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linear_block_buy_commissions' shortcode in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-linearoy
Product-Linear
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12508
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 11.39%
||
7 Day CHG~0.00%
Published-17 Jan, 2025 | 07:01
Updated-12 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Glofox Shortcodes <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Glofox Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'glofox' and 'glofox_lead_capture ' shortcodes in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-glofoxwebdev
Product-Glofox Shortcodes
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12733
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.29%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AffiliateImporterEb <= 1.0.6 - Reflected XSS via Search

The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-cr1000Unknown
Product-affiliateimporterebAffiliateImporterEb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19942
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.27% / 50.17%
||
7 Day CHG~0.00%
Published-16 Apr, 2021 | 01:10
Updated-16 Sep, 2024 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting Vulnerability in File Station

A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QTS 4.5.1.1456 build 20201015 (and later) QTS 4.3.6.1446 build 20200929 (and later) QTS 4.3.4.1463 build 20201006 (and later) QTS 4.3.3.1432 build 20201006 (and later) QTS 4.2.6 build 20210327 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) QuTScloud c4.5.4.1601 build 20210309 (and later) QuTScloud c4.5.3.1454 build 20201013 (and later)

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTScloudQuTS heroQTS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-1328
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.18% / 39.52%
||
7 Day CHG~0.00%
Published-12 Mar, 2024 | 08:34
Updated-13 Mar, 2025 | 01:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Newsletter2Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 4.0.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-newsletter2gonewsletter2go
Product-newsletter2goNewsletter2Go
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12499
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 11.39%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 06:40
Updated-07 Jan, 2025 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP jQuery DataTable <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP jQuery DataTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_jdt' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-biztechc
Product-WP jQuery DataTable
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12475
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 10.18%
||
7 Day CHG~0.00%
Published-04 Jan, 2025 | 11:16
Updated-25 Feb, 2025 | 22:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Multi Store Locator <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-wpexpertswpexpertsio
Product-wp_multi_store_locatorWP Multi Store Locator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12502
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.04% / 12.79%
||
7 Day CHG~0.00%
Published-14 Dec, 2024 | 04:23
Updated-16 Dec, 2024 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
My IDX Home Search <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The My IDX Home Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'homeasap-idx-landing' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-homeasap
Product-My IDX Home Search
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-18914
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.50% / 64.87%
||
7 Day CHG~0.00%
Published-09 Nov, 2021 | 14:10
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential security vulnerability has been identified for certain HP printers and MFPs that would allow redirection page Cross-Site Scripting in a client’s browser by clicking on a third-party malicious link.

Action-Not Available
Vendor-n/aHP Inc.
Product-laserjet_enterprise_m605_l3u54alaserjet_managed_flow_mfp_e82540_x3a82alaserjet_enterprise_flow_mfp_m680_cz248alaserjet_managed_mfp_e52645_1pv64alaserjet_enterprise_mfp_m776_t3u55alaserjet_managed_mfp_m630_b3g85apagewide_managed_flow_mfp_e77660z_j7z07alaserjet_managed_flow_mfp_e77825_z8z0alaserjet_managed_mfp_e72530_z8z09alaserjet_enterprise_m552_b5l23alaserjet_managed_mfp_e87640_x3a86alaserjet_managed_mfp_e82540_z8z22alaserjet_enterprise_flow_mfp_m880z_a2w75alaserjet_managed_mfp_e62555_j8j74alaserjet_managed_mfp_e77428_5cm77alaserjet_managed_e60075_m0p33alaserjet_managed_flow_mfp_e72525_z8z08alaserjet_managed_flow_mfp_m575_l3u45alaserjet_enterprise_mfp_m577_b5l48alaserjet_managed_flow_mfp_e82560_x3a74alaserjet_managed_flow_mfp_e67560_l3u70alaserjet_managed_flow_mfp_e57540_3gy25alaserjet_enterprise_m609_k0q22alaserjet_managed_mfp_e77428_5cm79alaserjet_managed_flow_mfp_m630_p7z47alaserjet_managed_flow_mfp_e72525_x3a62alaserjet_managed_flow_mfp_m880zm_d7p71alaserjet_enterprise_700_m712_cf235alaserjet_enterprise_m506_f2a66alaserjet_managed_flow_mfp_m680_l3u47alaserjet_managed_flow_mfp_e62565_j8j79alaserjet_managed_mfp_e87650_z8z15alaserjet_managed_flow_mfp_m630_l3u62alaserjet_managed_flow_mfp_e82540_z8z23alaserjet_enterprise_m507_1pv88alaserjet_enterprise_m652_j7z99alaserjet_managed_mfp_e72525_x3a66alaserjet_enterprise_m506_f2a70apagewide_enterprise_flow_mfp_586z_g1w41alaserjet_managed_mfp_e72525_z8z08alaserjet_managed_flow_mfp_e62555_j8j74alaserjet_managed_mfp_e72530_x3a65alaserjet_managed_mfp_e62555_j8j67alaserjet_managed_flow_mfp_e62565_j8j80alaserjet_enterprise_flow_mfp_m631_j8j63alaserjet_enterprise_flow_mfp_m630_b3g86aofficejet_managed_mfp_x585_b5l04alaserjet_managed_mfp_e72530_z8z08alaserjet_enterprise_mfp_m633_j8j78apagewide_managed_flow_mfp_e77650_j7z14alaserjet_managed_mfp_e82550_az8z20apagewide_managed_mfp_p77950_2gp22alaserjet_managed_mfp_e82540_z8z19laserjet_managed_mfp_e82550_x3a68alaserjet_enterprise_flow_mfp_m681_j8a12apagewide_managed_mfp_p77950_2gp26alaserjet_managed_e60055_m0p39alaserjet_managed_mfp_e77822_x3a84alaserjet_managed_mfp_e52645_1pv67alaserjet_managed_e75245_t3u64alaserjet_managed_flow_mfp_e87650_z8z16alaserjet_enterprise_m855_a2w77alaserjet_managed_m506_f2a69alaserjet_enterprise_500_m551_cf081alaserjet_managed_flow_mfp_e72535_z8z08apagewide_managed_mfp_p77950_5zn98alaserjet_managed_flow_mfp_e67550_l3u70alaserjet_managed_mfp_e82560_z8z22apagewide_managed_mfp_p77940_y3z68alaserjet_managed_mfp_e52545_3gy19alaserjet_managed_mfp_e77428_5cm78alaserjet_enterprise_mfp_m632_j8j72alaserjet_managed_mfp_e57540_3gy26alaserjet_enterprise_mfp_m577_b5l46alaserjet_managed_flow_mfp_e72535_z8z06alaserjet_managed_flow_mfp_e82550_z8z23alaserjet_managed_mfp_e72530_x3a60alaserjet_managed_flow_mfp_e82540_x3a69alaserjet_enterprise_mfp_m631_j8j65aofficejet_enterprise_mfp_x585_l3u40alaserjet_enterprise_mfp_m725_l3u64alaserjet_managed_mfp_e72430_5rc89alaserjet_managed_flow_mfp_e82540_x3a79apagewide_managed_mfp_p77940_y3z63apagewide_enterprise_556_g1w47vlaserjet_managed_mfp_e77830_z8z02alaserjet_managed_500_mfp_m575_l3u46alaserjet_managed_flow_mfp_e82540_x3a72alaserjet_managed_mfp_e82560_x3a69alaserjet_managed_mfp_e82560_az8z20alaserjet_enterprise_700_mfp_m775_cc522alaserjet_managed_mfp_e77825_x3a84alaserjet_enterprise_700_mfp_m775_cf304apagewide_managed_mfp_p77940_y3z64alaserjet_managed_flow_mfp_e82560_x3a79alaserjet_managed_e75245_t3u43alaserjet_managed_flow_mfp_e77822_z8z0alaserjet_managed_mfp_e87660_x3a89alaserjet_enterprise_flow_mfp_m630_p7z48alaserjet_managed_flow_mfp_e87660_x3a86alaserjet_enterprise_600_m603_ce994apagewide_managed_mfp_p77940_y3z66alaserjet_enterprise_m652_j7z98alaserjet_managed_flow_mfp_e62575_j8j74alaserjet_managed_flow_mfp_e82550_z8z18alaserjet_managed_mfp_e82560_x3a74alaserjet_managed_mfp_e62565_j8j74alaserjet_managed_mfp_e87650_z8z17alaserjet_enterprise_m506_f2a71apagewide_managed_p75250_y3z49alaserjet_managed_mfp_e72535_z8z08alaserjet_managed_flow_mfp_e87650_x3a87alaserjet_managed_mfp_e82560_x3a79alaserjet_managed_flow_mfp_e62575_j8j67alaserjet_managed_mfp_e87640_z8z14apagewide_managed_flow_mfp_e77650_j7z13alaserjet_enterprise_flow_mfp_m776_t3u55alaserjet_managed_m605_e6b70alaserjet_managed_flow_mfp_m527z_f2a79alaserjet_enterprise_600_m602_ce991apagewide_managed_mfp_p77950_5zn99alaserjet_managed_flow_mfp_e77825_z8z01alaserjet_enterprise_m4555_mfp_ce502alaserjet_managed_mfp_e77428_5rc91alaserjet_managed_flow_mfp_e62575_j8j66apagewide_managed_flow_mfp_e77660z_j7z14alaserjet_managed_flow_mfp_e62555_j8j73alaserjet_managed_e60065_m0p39alaserjet_managed_e60055_m0p33apagewide_managed_mfp_e77650_j7z08alaserjet_managed_flow_mfp_e72525_x3a66alaserjet_enterprise_m553_bl27alaserjet_managed_flow_mfp_e72535_z8z09alaserjet_managed_mfp_e57540_3gy25alaserjet_enterprise_m553_b5l24apagewide_enterprise_flow_mfp_586z_g1w39alaserjet_managed_flow_mfp_m575_l3u46alaserjet_managed_flow_mfp_e87640_z8z15aofficejet_managed_flow_mfp_x585_b5l07alaserjet_managed_mfp_e77422_5cm75alaserjet_managed_flow_mfp_e72535_x3a65alaserjet_managed_flow_mfp_e82550_z8z22alaserjet_managed_flow_mfp_e82560_x3a82apagewide_managed_flow_mfp_e77660z_j7z03alaserjet_enterprise_700_mfp_m775_l3u50alaserjet_managed_flow_mfp_e82550_x3a71alaserjet_managed_flow_mfp_e72530_x3a62alaserjet_managed_mfp_e82540_x3a82apagewide_managed_mfp_p77960_y3z62alaserjet_managed_flow_mfp_e57540_3gy26alaserjet_enterprise_500_mfp_m575_cd645alaserjet_managed_flow_mfp_e87660_z8z14alaserjet_managed_mfp_e77822_z8z04apagewide_managed_mfp_p77940_2gp26alaserjet_managed_mfp_e87640_z8z16apagewide_managed_mfp_p77940_5zn98alaserjet_enterprise_flow_mfp_m633_j8j76apagewide_mfp_774_4pa44alaserjet_enterprise_m507_1pv87alaserjet_managed_mfp_e72535_x3a60alaserjet_managed_flow_mfp_e87650_z8z15alaserjet_managed_flow_mfp_e87650_x3a90alaserjet_enterprise_flow_mfp_m681_j8a11alaserjet_enterprise_mfp_m528_1pv49alaserjet_managed_mfp_e72525_z8z011alaserjet_managed_mfp_e87640_x3a89apagewide_managed_mfp_p77940_2gp25alaserjet_managed_m553_b5l26alaserjet_managed_mfp_e87660_z8z14alaserjet_managed_mfp_e67560_l3u69alaserjet_enterprise_flow_mfp_m632_j8j72alaserjet_managed_flow_mfp_e77822_x3a77alaserjet_managed_mfp_e77830_x3a84alaserjet_managed_mfp_m725_cf068alaserjet_managed_mfp_e82540_x3a72alaserjet_managed_flow_mfp_m630_b3g86alaserjet_enterprise_mfp_m681_j8a12alaserjet_enterprise_m855_d7p73alaserjet_enterprise_mfp_m680_cz248alaserjet_managed_flow_mfp_e82550_x3a69alaserjet_managed_mfp_e77422_5rc92alaserjet_enterprise_flow_mfp_m575_cd645alaserjet_managed_mfp_e82560_x3a68alaserjet_enterprise_flow_mfp_m577_b5l46alaserjet_managed_e50145_1pv89alaserjet_managed_e60075_m0p39apagewide_managed_mfp_p77960_y3z63alaserjet_managed_m553_b5l38alaserjet_enterprise_700_mfp_m775_cc524aofficejet_enterprise_x555_l1h45alaserjet_managed_flow_mfp_e72530_z8z010alaserjet_managed_flow_mfp_m525_l3u59alaserjet_enterprise_m553_b5l39alaserjet_managed_mfp_m775_cc523alaserjet_enterprise_flow_mfp_m880z_a2w76alaserjet_managed_mfp_e82550_z8z23alaserjet_managed_flow_mfp_e87640_x3a93alaserjet_enterprise_mfp_m630_b3g85alaserjet_managed_mfp_e82540_z8z18alaserjet_enterprise_600_m601_ce989alaserjet_managed_m651_cz257alaserjet_managed_flow_mfp_e77825_z8z05aofficejet_enterprise_flow_mfp_x585_l3u41alaserjet_managed_mfp_e87650_z8z16alaserjet_managed_flow_mfp_e72530_z8z07alaserjet_enterprise_mfp_m577_b5l47alaserjet_enterprise_mfp_m725_cf069alaserjet_managed_e85055_t3u52alaserjet_managed_flow_mfp_e82560_z8z19laserjet_managed_mfp_e72525_z8z07alaserjet_managed_e65050_l3u57alaserjet_managed_flow_mfp_e72530_z8z011alaserjet_managed_e60055_m0p40alaserjet_managed_e50145_1pv88alaserjet_cm4540_mfp_cc420alaserjet_enterprise_600_m602_ce993alaserjet_managed_mfp_e82560_z8z23alaserjet_managed_flow_mfp_e87660_x3a92alaserjet_managed_flow_mfp_e82560_z8z23alaserjet_managed_mfp_e87640_x3a90alaserjet_managed_flow_mfp_e87650_x3a86alaserjet_enterprise_500_mfp_m525f_cf118alaserjet_managed_flow_mfp_e72535_x3a60alaserjet_enterprise_m651_h0dc9alaserjet_managed_flow_mfp_e72525_x3a59alaserjet_managed_mfp_e72525_z8z010alaserjet_managed_flow_mfp_e82550_az8z20alaserjet_managed_mfp_m630_j7x28alaserjet_managed_mfp_e77422_5cm77alaserjet_enterprise_mfp_m725_cf067alaserjet_managed_flow_mfp_e77830_x3a77alaserjet_managed_e50145_1pu51alaserjet_managed_mfp_e82540_az8z20alaserjet_managed_mfp_m630_l3u61alaserjet_managed_mfp_e72425_5cm72alaserjet_managed_flow_mfp_e82560_x3a69aofficejet_managed_mfp_x585_b5l05alaserjet_managed_flow_mfp_e77825_x3a83alaserjet_enterprise_m553_b5l38apagewide_managed_mfp_p77950_y3z65alaserjet_enterprise_flow_mfp_m527z_f2a78alaserjet_enterprise_m751_t3u44alaserjet_managed_mfp_e77822_x3a81alaserjet_enterprise_m4555_mfp_ce504alaserjet_enterprises_cp5525_ce708alaserjet_managed_e60065_m0p35alaserjet_managed_mfp_e77830_z8z04alaserjet_managed_flow_mfp_e82540_x3a74alaserjet_managed_mfp_e62565_j8j79alaserjet_managed_e65050_l3u55alaserjet_enterprise_flow_mfp_m631_j8j64alaserjet_enterprise_m507_1pu52alaserjet_managed_flow_mfp_e72525_z8z010apagewide_managed_mfp_p77950_5zp00apagewide_managed_mfp_p77960_y3z65alaserjet_managed_flow_mfp_m880zm_a2w75alaserjet_enterprise_m653_j8a05alaserjet_managed_m605_l3u54alaserjet_managed_flow_mfp_e72525_z8z07alaserjet_managed_m651_cz255alaserjet_managed_mfp_e82540_x3a79alaserjet_enterprise_m855_a2w79alaserjet_managed_mfp_e87650_x3a86alaserjet_managed_mfp_e87650_x3a93alaserjet_managed_mfp_m775_l3u50apagewide_755_4pz47apagewide_managed_flow_mfp_e77650_j7z08apagewide_managed_mfp_p77960_5zn99alaserjet_managed_mfp_e72530_z8z06alaserjet_managed_flow_mfp_e82550_x3a72apagewide_enterprise_flow_mfp_780f_j7z09alaserjet_managed_mfp_e72525_x3a59apagewide_managed_mfp_e77650_j7z13alaserjet_managed_e60065_m0p36alaserjet_enterprise_mfp_m527_f2a76alaserjet_managed_flow_mfp_e72535_z8z011alaserjet_managed_flow_mfp_e72530_z8z06alaserjet_managed_flow_mfp_e72535_x3a63apagewide_managed_mfp_p77950_y3z62alaserjet_managed_flow_mfp_e82550_x3a82alaserjet_managed_mfp_e72530_x3a59afuturesmart_4laserjet_managed_mfp_e82560_x3a72alaserjet_managed_mfp_m527_f2a80apagewide_managed_flow_mfp_e77660z_j7z08alaserjet_managed_m605_e6b69apagewide_managed_mfp_p77950_y3z64alaserjet_managed_mfp_e72525_x3a65alaserjet_managed_flow_mfp_m830_cf367alaserjet_managed_mfp_e67550_l3u67alaserjet_managed_m553_b5l24alaserjet_managed_flow_mfp_e82560_x3a68apagewide_enterprise_mfp_586_g1w41alaserjet_managed_mfp_e77822_z8z02alaserjet_managed_mfp_m775_l3u49alaserjet_enterprise_flow_mfp_m830_l3u65alaserjet_managed_500_mfp_m525_l3u60alaserjet_enterprise_m608_k0q17alaserjet_enterprise_m4555_mfp_ce738alaserjet_enterprise_m506_f2a67alaserjet_enterprise_600_m603_ce996alaserjet_managed_mfp_m680_l3u47alaserjet_enterprise_mfp_m680_cz249alaserjet_enterprise_flow_mfp_m682_j8a17alaserjet_enterprise_flow_mfp_m527z_f2a81alaserjet_managed_mfp_m775_cc524alaserjet_enterprise_500_mfp_m525f_cf117alaserjet_enterprise_500_mfp_m575_cd646alaserjet_managed_mfp_m527_f2a79apagewide_enterprise_flow_mfp_785_j7z11alaserjet_managed_mfp_m725_cf067alaserjet_enterprise_flow_mfp_m527z_f2a77alaserjet_managed_mfp_e72535_z8z011alaserjet_managed_mfp_e77422_5rc91aofficejet_managed_flow_mfp_x585_b5l06alaserjet_enterprise_mfp_m528_1pv65alaserjet_managed_flow_mfp_e72525_x3a60alaserjet_managed_flow_mfp_m577_b5l49alaserjet_managed_mfp_e72535_z8z06alaserjet_managed_mfp_e87660_z8z12alaserjet_managed_mfp_e82560_x3a75alaserjet_managed_flow_mfp_e72525_x3a65alaserjet_managed_mfp_e87640_z8z17alaserjet_managed_mfp_e72430_5cm71alaserjet_managed_flow_mfp_e82550_x3a79alaserjet_managed_e85055_t3u66alaserjet_enterprise_m604_e6b68aofficejet_enterprise_x555_c2s11alaserjet_managed_mfp_e72430_5cm72alaserjet_managed_m651_cz256apagewide_enterprise_flow_mfp_780f_j7z10alaserjet_managed_mfp_e72535_x3a62alaserjet_managed_flow_mfp_e87640_x3a92alaserjet_managed_mfp_e82550_x3a79aofficejet_enterprise_x555_c2s12alaserjet_managed_mfp_e72535_x3a63alaserjet_managed_flow_mfp_e52545c_3gy20alaserjet_managed_mfp_e82550_x3a69alaserjet_managed_flow_mfp_e62555_j8j80alaserjet_managed_mfp_e82560_x3a71apagewide_managed_mfp_p77960_2gp23alaserjet_managed_mfp_e72425_5cm70alaserjet_managed_flow_mfp_e72530_x3a66alaserjet_enterprise_flow_mfp_m880z_l3u51alaserjet_enterprise_mfp_m631_j8j64alaserjet_managed_mfp_e82560_z8z19laserjet_managed_flow_mfp_e87640_z8z12apagewide_managed_mfp_p77960_5zn98alaserjet_managed_flow_mfp_m630_p7z48apagewide_managed_flow_mfp_e77650_z5g79alaserjet_enterprise_m4555_mfp_ce503alaserjet_managed_mfp_e77428_5rc92alaserjet_enterprise_m806_cz244alaserjet_managed_flow_mfp_e72525_x3a63apagewide_mfp_779_4pz46apagewide_managed_mfp_p77940_y3z62alaserjet_managed_mfp_e62555_j8j66apagewide_enterprise_flow_mfp_586z_g1w40alaserjet_managed_m605_l3u53alaserjet_managed_mfp_e72525_x3a63alaserjet_enterprise_m608_k0q18apagewide_managed_mfp_p77940_2gp23alaserjet_enterprise_flow_mfp_m680_ca251alaserjet_managed_mfp_e87660_x3a86alaserjet_enterprise_m651_cz256alaserjet_enterprise_flow_mfp_m575_cd644apagewide_managed_mfp_p77950_2gp23apagewide_managed_e55650_l3u44alaserjet_enterprise_m609_k0q20apagewide_enterprise_556_g1w46apagewide_managed_mfp_p77950_5zp01alaserjet_managed_mfp_e77825_z8z02alaserjet_managed_flow_mfp_e62555_j8j79alaserjet_managed_flow_mfp_e87640_x3a87aofficejet_managed_mfp_x585_l3u40alaserjet_managed_mfp_e72535_x3a59alaserjet_managed_mfp_e82550_x3a72alaserjet_enterprise_flow_mfp_m880z_d7p70alaserjet_enterprise_m651_l8z07alaserjet_managed_flow_mfp_e77830_z8z01alaserjet_managed_mfp_e72530_x3a63alaserjet_managed_flow_mfp_e82560_z8z22alaserjet_managed_flow_mfp_e77830_x3a80apagewide_managed_mfp_p77960_y3z61alaserjet_enterprise_m606_e6b72alaserjet_enterprise_m605_e6b71alaserjet_managed_mfp_e62555_j8j73apagewide_managed_flow_mfp_e77660z_j7z05alaserjet_managed_mfp_e87660_x3a90alaserjet_managed_e65050_l3u56alaserjet_managed_flow_mfp_m830_l3u65alaserjet_managed_flow_mfp_e77830_z8z05alaserjet_enterprise_m607_k0q15apagewide_managed_mfp_p77960_2gp22alaserjet_managed_flow_mfp_e82540_az8z20alaserjet_enterprise_flow_mfp_m630_l3u62alaserjet_enterprise_m750_d3l08alaserjet_enterprise_m856_t3u51alaserjet_managed_mfp_e62555_j8j79alaserjet_enterprises_cp5525_ce709aofficejet_enterprise_flow_mfp_x585_b5l06alaserjet_managed_flow_mfp_e62565_j8j66alaserjet_managed_mfp_m577_b5l49alaserjet_managed_e65060_l3u55alaserjet_managed_flow_mfp_e87640_z8z13alaserjet_enterprise_m607_k0q14alaserjet_cm4540_mfp_cc421alaserjet_managed_flow_mfp_e72525_z8z06alaserjet_managed_flow_mfp_e82540_x3a71alaserjet_enterprise_m653_j8a06apagewide_managed_e75160_j7z06apagewide_managed_mfp_p77960_5zp00alaserjet_managed_flow_mfp_e62575_j8j73alaserjet_managed_mfp_e72530_z8z010alaserjet_managed_mfp_e87650_x3a89apagewide_managed_mfp_e58650dn_l3u43alaserjet_managed_e60075_m0p40alaserjet_managed_mfp_e87660_x3a93alaserjet_enterprise_m506_f2a69alaserjet_managed_mfp_e82540_x3a71apagewide_managed_mfp_p77940_5zp01alaserjet_enterprise_mfp_m633_j8j76alaserjet_managed_mfp_e82550_z8z19laserjet_enterprise_flow_mfp_m681_j8a13alaserjet_managed_flow_mfp_e62555_j8j67apagewide_managed_mfp_p77440_y3z60alaserjet_managed_m506_f2a71alaserjet_enterprise_600_m603_ce995alaserjet_managed_flow_mfp_e67550_l3u67alaserjet_enterprise_flow_mfp_m633_j8j78alaserjet_managed_mfp_e77830_x3a78apagewide_managed_mfp_p77940_5zn99apagewide_enterprise_mfp_586_g1w39alaserjet_managed_flow_mfp_e67550_l3u66alaserjet_managed_flow_mfp_e87650_x3a89alaserjet_managed_mfp_e72430_5cm68apagewide_managed_flow_mfp_e77660z_z5g77alaserjet_managed_flow_mfp_m880zm_a2w76alaserjet_managed_mfp_e67560_l3u70alaserjet_managed_m605_e6b71alaserjet_managed_e50145_1pu52alaserjet_managed_flow_mfp_e72525_z8z09alaserjet_enterprise_mfp_m527_f2a81alaserjet_enterprise_500_mfp_m525f_cf116alaserjet_managed_flow_mfp_e82540_z8z18alaserjet_enterprise_m506_f2a68alaserjet_managed_e60075_m0p35alaserjet_enterprise_m507_1pv86alaserjet_enterprise_m608_m0p32alaserjet_enterprise_m553_b5l26apagewide_managed_mfp_p77940_5zp00alaserjet_enterprise_mfp_m528_1ps54alaserjet_managed_500_mfp_m525_l3u59alaserjet_managed_mfp_e72425_5cm68alaserjet_managed_mfp_e72525_x3a60alaserjet_enterprise_mfp_m681_j8a13alaserjet_enterprise_mfp_m725_cf066alaserjet_managed_flow_mfp_e77825_x3a80alaserjet_managed_mfp_e77830_x3a81apagewide_managed_mfp_e58650dn_l3u42alaserjet_managed_mfp_e87650_x3a92alaserjet_managed_flow_mfp_e87660_z8z13alaserjet_managed_mfp_e82550_x3a82alaserjet_managed_mfp_e77825_z8z04alaserjet_managed_m506_f2a70alaserjet_managed_flow_mfp_e82540_x3a68alaserjet_managed_mfp_e77825_z8z00apagewide_enterprise_flow_mfp_785_j7z12alaserjet_enterprise_flow_mfp_m525_cf116alaserjet_managed_mfp_e72535_z8z07alaserjet_enterprise_flow_mfp_m631_j8j65alaserjet_managed_m651_h0dc9alaserjet_managed_flow_mfp_e87640_x3a86alaserjet_managed_e50045_3gn19alaserjet_enterprise_m653_j8a04alaserjet_enterprise_flow_mfp_m577_b5l54alaserjet_enterprise_flow_mfp_m577_b5l47alaserjet_managed_flow_mfp_m880zm_l3u51alaserjet_enterprise_600_m602_ce992alaserjet_enterprise_m605_e6b69alaserjet_managed_mfp_e52645_1pv65alaserjet_enterprise_flow_mfp_m630_p7z47alaserjet_managed_mfp_m725_cf066alaserjet_enterprise_m507_1pv89alaserjet_managed_mfp_e82540_x3a69alaserjet_managed_mfp_e87660_z8z15alaserjet_managed_mfp_m630_b3g84alaserjet_managed_flow_mfp_e77830_x3a83alaserjet_managed_mfp_e87660_z8z16alaserjet_enterprise_mfp_m725_cf068alaserjet_managed_flow_mfp_e87640_x3a90alaserjet_managed_mfp_e82550_x3a71apagewide_managed_mfp_p77950_y3z66alaserjet_managed_mfp_e72530_x3a66alaserjet_enterprise_flow_mfp_m681_j8a10alaserjet_managed_flow_mfp_e82540_z8z22alaserjet_managed_mfp_e72425_5cm71alaserjet_managed_flow_mfp_e82560_z8z18alaserjet_enterprise_700_m712_cf236alaserjet_enterprise_mfp_m631_j8j63alaserjet_managed_flow_mfp_e72530_x3a63alaserjet_managed_500_mfp_m575_l3u45alaserjet_managed_e65060_l3u56alaserjet_managed_flow_mfp_e87650_z8z13alaserjet_enterprise_mfp_m632_j8j70apagewide_enterprise_556_g1w46vlaserjet_managed_e85055_t3u51alaserjet_managed_mfp_e72425_5cm69alaserjet_enterprise_flow_mfp_m632_j8j71alaserjet_enterprise_m751_t3u43alaserjet_managed_mfp_e62555_j8j80alaserjet_enterprise_m651_cz257alaserjet_managed_mfp_e77422_5cm76alaserjet_managed_flow_mfp_e82560_x3a71alaserjet_managed_mfp_e87650_x3a90alaserjet_managed_mfp_e77822_z8z00alaserjet_managed_flow_mfp_e87650_x3a92alaserjet_managed_mfp_e67550_l3u69alaserjet_managed_mfp_e52645_1pv49alaserjet_enterprise_flow_mfp_m575_cd646alaserjet_enterprise_mfp_m632_j8j71alaserjet_managed_flow_mfp_e82540_z8z19laserjet_enterprise_m806_cz245alaserjet_enterprise_mfp_m528_1pv66alaserjet_managed_flow_mfp_e52545c_3gy19alaserjet_enterprise_500_m551_cf083alaserjet_managed_e60065_m0p40alaserjet_managed_flow_mfp_e62575_j8j79apagewide_mfp_774_4pz43alaserjet_managed_mfp_e87640_z8z13alaserjet_enterprises_cp5525_ce707alaserjet_managed_mfp_e82540_z8z23apagewide_managed_mfp_p77940_2gp22alaserjet_managed_e60075_m0p36alaserjet_enterprise_700_mfp_m775_cc523alaserjet_enterprise_mfp_m682_j8a16alaserjet_managed_mfp_e77428_5cm76alaserjet_managed_e60055_m0p35alaserjet_managed_mfp_e77422_5cm79alaserjet_managed_mfp_e72430_5rc90alaserjet_managed_mfp_m725_l3u63alaserjet_managed_mfp_e62565_j8j67alaserjet_enterprise_m855_a2w78aofficejet_enterprise_mfp_x585_b5l04alaserjet_managed_flow_mfp_e87640_z8z16alaserjet_managed_e75245_t3u44alaserjet_managed_mfp_e87650_x3a87alaserjet_managed_flow_mfp_m680_l3u48apagewide_mfp_779_4pz45alaserjet_managed_flow_mfp_e72535_x3a59alaserjet_managed_flow_mfp_e82560_x3a75alaserjet_managed_mfp_e82550_x3a75alaserjet_enterprise_m856_t3u66alaserjet_managed_flow_mfp_e82550_x3a74alaserjet_managed_flow_mfp_e67550_l3u69alaserjet_managed_mfp_e87640_x3a92apagewide_enterprise_mfp_586_g1w40alaserjet_managed_mfp_e82550_z8z22alaserjet_managed_flow_mfp_e77822_z8z01alaserjet_managed_mfp_e87660_z8z13apagewide_managed_mfp_p77940_y3z65alaserjet_enterprise_m609_k0q21alaserjet_managed_mfp_e72525_z8z09alaserjet_managed_flow_mfp_e87650_z8z12alaserjet_managed_mfp_e62565_j8j73alaserjet_enterprise_500_mfp_m575_cd644alaserjet_managed_mfp_e87640_x3a87alaserjet_enterprise_m605_e6b70alaserjet_managed_mfp_m680_l3u48alaserjet_enterprise_m606_e6b73alaserjet_enterprise_m608_k0q19alaserjet_managed_flow_mfp_e87660_z8z16alaserjet_enterprise_m750_d3l09alaserjet_managed_mfp_e52545_3gy20aofficejet_enterprise_flow_mfp_x585_b5l07alaserjet_managed_mfp_e87660_x3a87alaserjet_enterprise_mfp_m725_l3u63apagewide_managed_mfp_p77950_y3z63alaserjet_managed_mfp_e87650_z8z14alaserjet_managed_m651_l8z07apagewide_managed_mfp_e77650_z5g79alaserjet_managed_flow_mfp_m880zm_l3u52apagewide_managed_mfp_p77950_y3z68alaserjet_managed_mfp_e77822_x3a78alaserjet_managed_e50145_1pv87alaserjet_managed_mfp_e62565_j8j80apagewide_managed_mfp_p77960_5zp01alaserjet_enterprise_600_m601_ce990alaserjet_managed_flow_mfp_e62565_j8j73alaserjet_enterprise_flow_mfp_m682_j8a16alaserjet_managed_flow_mfp_e87650_z8z17alaserjet_managed_mfp_e77830_z8z00alaserjet_enterprise_mfp_m681_j8a11a_laserjet_managed_flow_mfp_e87660_x3a93alaserjet_enterprise_mfp_m527_f2a77alaserjet_managed_mfp_e72525_z8z06alaserjet_enterprise_mfp_m528_1ps55alaserjet_managed_flow_mfp_e62565_j8j67apagewide_enterprise_mfp_780_j7z10alaserjet_enterprise_flow_mfp_m830_cf367alaserjet_managed_flow_mfp_e82550_x3a68alaserjet_enterprise_flow_mfp_m527z_f2a76alaserjet_managed_flow_mfp_e82540_x3a75alaserjet_managed_flow_mfp_e72535_x3a62alaserjet_managed_flow_mfp_e87640_x3a89alaserjet_enterprise_mfp_m527_f2a78alaserjet_managed_mfp_e72535_z8z010alaserjet_cm4540_mfp_cc419alaserjet_managed_flow_mfp_e72530_x3a59alaserjet_managed_mfp_e72530_x3a62alaserjet_enterprise_m507_1pu51apagewide_managed_mfp_p77960_2gp26alaserjet_enterprise_mfp_m682_j8a17alaserjet_managed_mfp_e87640_z8z15alaserjet_managed_flow_mfp_e87650_x3a93alaserjet_managed_mfp_e87650_z8z12alaserjet_managed_flow_mfp_e72530_x3a60alaserjet_managed_mfp_e77422_5cm78alaserjet_enterprise_m604_e6b67alaserjet_managed_flow_mfp_e72535_z8z010alaserjet_enterprise_flow_mfp_m577_b5l48alaserjet_managed_flow_mfp_e82560_az8z20alaserjet_managed_flow_mfp_e87650_z8z14apagewide_managed_flow_mfp_e58650z_l3u42alaserjet_managed_flow_mfp_e87660_z8z12alaserjet_enterprise_flow_mfp_m632_j8j70alaserjet_enterprise_m553_b5l25alaserjet_enterprise_700_mfp_m775_l3u49aofficejet_enterprise_mfp_x585_b5l05apagewide_enterprise_765_j7z04alaserjet_managed_mfp_e82540_x3a68alaserjet_managed_mfp_e72430_5cm69alaserjet_managed_flow_mfp_e87660_z8z17alaserjet_managed_mfp_e72530_z8z011alaserjet_enterprise_m651_cz255alaserjet_enterprise_mfp_m681_j8a10apagewide_managed_mfp_e77650_j7z14alaserjet_managed_mfp_e52645_1pv66alaserjet_enterprise_flow_mfp_m880z_d7p71alaserjet_enterprise_m856_t3u52alaserjet_managed_mfp_e87660_x3a92alaserjet_managed_mfp_m775_cc522alaserjet_managed_mfp_e67550_l3u70alaserjet_managed_mfp_e82560_z8z18apagewide_managed_mfp_p77940_y3z61alaserjet_managed_mfp_e82540_x3a75alaserjet_enterprise_mfp_m630_b3g84apagewide_managed_mfp_p77960_y3z68alaserjet_managed_e60055_m0p36alaserjet_managed_mfp_e77825_x3a81alaserjet_managed_flow_mfp_e87660_z8z15alaserjet_enterprise_m750_d3l10alaserjet_managed_mfp_e72525_x3a62apagewide_managed_flow_mfp_e77660z_j7z13alaserjet_enterprise_flow_mfp_m880z_l3u52alaserjet_managed_mfp_m577_b5l50adigital_sender_flow_8500_fn2_document_capture_workstation_l2762alaserjet_managed_mfp_e52645_1ps55alaserjet_managed_flow_mfp_e87640_z8z14alaserjet_managed_mfp_e67560_l3u66alaserjet_managed_mfp_m725_cf069alaserjet_managed_flow_mfp_m577_b5l50alaserjet_managed_e55040dw_3gx98ascanjet_enterprise_flow_n9120_fn2_document_scanner_l2763alaserjet_enterprise_mfp_m680_cz250alaserjet_enterprise_mfp_m776_t3u56alaserjet_managed_mfp_e82550_x3a74afuturesmart_3laserjet_enterprise_m751_t3u64alaserjet_enterprise_flow_mfp_m525_cf118alaserjet_enterprise_mfp_m680_ca251alaserjet_managed_mfp_e87640_x3a93alaserjet_managed_mfp_e67550_l3u66alaserjet_managed_mfp_e77428_5cm75alaserjet_managed_flow_mfp_e62565_j8j74alaserjet_managed_mfp_m775_cf304alaserjet_managed_flow_mfp_e72530_x3a65alaserjet_managed_e65060_l3u57alaserjet_managed_flow_mfp_e72535_z8z07alaserjet_managed_flow_mfp_m527z_f2a80alaserjet_managed_mfp_e72425_5rc90apagewide_managed_mfp_p77960_2gp25apagewide_enterprise_mfp_780_j7z09alaserjet_managed_mfp_e87660_z8z17alaserjet_enterprise_m605_l3u53alaserjet_managed_flow_mfp_e87660_x3a87alaserjet_managed_mfp_e72430_5cm70alaserjet_managed_mfp_e72535_z8z09alaserjet_managed_flow_mfp_e77822_z8z05alaserjet_managed_flow_mfp_e62555_j8j66alaserjet_managed_mfp_e62565_j8j66alaserjet_enterprise_500_m551_cf082alaserjet_enterprise_m855_d7p72alaserjet_managed_e50145_1pv86alaserjet_managed_mfp_e82540_x3a74alaserjet_managed_flow_mfp_e72535_x3a66alaserjet_enterprise_mfp_m528_1pv64alaserjet_enterprise_mfp_m630_l3u61alaserjet_managed_mfp_m725_l3u64alaserjet_enterprise_mfp_m577_b5l54alaserjet_managed_mfp_e72425_5rc89apagewide_managed_mfp_p77960_y3z64alaserjet_managed_m553_b5l25alaserjet_managed_mfp_e72535_x3a65apagewide_enterprise_556_g1w47alaserjet_managed_mfp_e87650_z8z13alaserjet_managed_flow_mfp_e82550_x3a75ascanjet_enterprise_8500_fn1_document_capture_workstation_l2717apagewide_managed_mfp_p77950_2gp25apagewide_managed_mfp_e77650_j7z05alaserjet_managed_flow_mfp_e67560_l3u67alaserjet_managed_flow_mfp_e62575_j8j80alaserjet_managed_mfp_e72530_z8z07alaserjet_managed_flow_mfp_e77822_x3a83alaserjet_managed_flow_mfp_e77825_x3a77alaserjet_managed_flow_mfp_e72530_z8z09alaserjet_managed_m506_f2a66apagewide_managed_mfp_p77950_y3z61alaserjet_enterprise_mfp_m528_1pv67apagewide_managed_mfp_p77960_y3z66alaserjet_managed_mfp_e52645_1ps54alaserjet_enterprise_700_m712_cf238alaserjet_managed_flow_mfp_e77830_z8z0alaserjet_managed_m506_f2a67alaserjet_managed_flow_mfp_e87660_x3a90alaserjet_managed_mfp_e77825_x3a78alaserjet_enterprise_flow_mfp_m776_t3u56alaserjet_managed_mfp_e82550_z8z18alaserjet_managed_flow_mfp_e87660_x3a89alaserjet_managed_flow_mfp_e87640_z8z17alaserjet_managed_m553_b5l39alaserjet_managed_mfp_e67560_l3u67alaserjet_managed_flow_mfp_e67560_l3u69apagewide_managed_flow_mfp_e77660z_z5g79alaserjet_managed_mfp_e72535_x3a66alaserjet_managed_mfp_e82560_x3a82alaserjet_managed_flow_mfp_e72525_z8z011alaserjet_managed_flow_mfp_e72530_z8z08alaserjet_managed_flow_mfp_m880zm_d7p70alaserjet_managed_flow_mfp_e77822_x3a80alaserjet_managed_flow_mfp_e67560_l3u66alaserjet_managed_m506_f2a68alaserjet_managed_flow_mfp_e82550_z8z19laserjet_managed_flow_mfp_m525_l3u60alaserjet_managed_e60065_m0p33aofficejet_managed_flow_mfp_x585_l3u41alaserjet_managed_flow_mfp_e82560_x3a72alaserjet_managed_m553_bl27alaserjet_enterprise_flow_mfp_m680_cz249apagewide_managed_flow_mfp_e77650_j7z05alaserjet_enterprise_flow_mfp_m525_cf117alaserjet_enterprise_mfp_m630_j7x28apagewide_managed_flow_mfp_e58650z_l3u43alaserjet_enterprise_flow_mfp_m680_cz250alaserjet_managed_mfp_e87640_z8z12aHP Color LaserJet Managed Printers, HP Color LaserJet Enterprise Printers
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12465
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.02% / 3.76%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 08:24
Updated-23 Dec, 2024 | 20:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Property Hive Stamp Duty Calculator <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Property Hive Stamp Duty Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stamp_duty_calculator_scotland' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-propertyhive
Product-Property Hive Stamp Duty Calculator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12851
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 7.04%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 06:41
Updated-17 Jan, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Element Pack Lite - Addons for Elementor <= 5.10.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom_attributes parameter of the Cookie Consent Widget in all versions up to, and including, 5.10.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BdThemes
Product-element_packElement Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9502
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 49.06%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 16:10
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Auberge theme before 1.4.5 for WordPress has XSS via the genericons/example.html anchor identifier.

Action-Not Available
Vendor-webmandesignn/a
Product-auberge_themen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12734
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.29%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advance Post Prefix <= 1.1.1 - Reflected XSS

The Advance Post Prefix WordPress plugin through 1.1.1, Advance Post Prefix WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-niceitUnknown
Product-advance_post_prefixAdvance Post Prefix
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1293
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 41.74%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-16 Jan, 2025 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom block in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-brizythemefusecom
Product-brizyBrizy – Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12423
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 40.17%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 09:25
Updated-15 Jan, 2025 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form 7 Redirect & Thank You Page <= 1.0.7 - Reflected Cross-Site Scripting

The Contact Form 7 Redirect & Thank You Page plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-scottpaterson
Product-Contact Form 7 Redirect & Thank You Page
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19748
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 61.14%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 02:36
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Work Time Calendar app before 4.7.1 for Jira allows XSS.

Action-Not Available
Vendor-brizoitn/a
Product-work_time_calendarn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-35045
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 59.62%
||
7 Day CHG~0.00%
Published-22 Jun, 2021 | 13:21
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint.

Action-Not Available
Vendor-icehrmn/a
Product-icehrmn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 216
  • 217
  • Next
Details not found