The AI Engine WordPress plugin before 1.6.83 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Justin Saad Simple Tooltips plugin <= 2.1.4 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alex Benfica Publish to Schedule plugin <= 4.5.4 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Noah Hearle, Design Extreme We’re Open! plugin <= 1.46 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Denzel Chia | Phire Design Custom Login Page plugin <= 2.0 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in StreamWeasels Twitch Player plugin <= 2.1.0 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Thom Stark Eyes Only: User Access Shortcode plugin <= 1.8.2 versions.
The Call Now Accessibility Button WordPress plugin before 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP-Buddy Google Analytics Opt-Out plugin <= 2.3.4 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ajay D'Souza Top 10 – Popular posts plugin for WordPress plugin <= 3.2.4 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tauhidul Alam Simple Portfolio Gallery plugin <= 0.1 versions.
Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer.
Cross Site Scripting (XSS) vulnerability exists in PbootCMS v1.3.7 via the title parameter in the mod function in SingleController.php.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in jinit9906 Shipyaari Shipping Management plugin <= 1.0 versions.
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Samuel Marshall JCH Optimize plugin <= 3.2.2 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in psicosi448 wp2syslog plugin <= 1.0.5 versions.
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow persistent XSS attack.
The House Manager WordPress plugin through 1.0.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
The Buy Me a Coffee WordPress plugin before 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Rigorous & Factory Pattern Dovetail plugin <= 1.2.13 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Bon Plan Gratos Sticky Ad Bar plugin <= 1.3.1 versions.
Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Podlove Podlove Subscribe button plugin <= 1.3.7 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in George Pattihis Link Juice Keeper plugin <= 2.0.2 versions.
Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy wp tell a friend popup form plugin <= 7.1 versions.
The WP To Do plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
A vulnerability was found in SourceCodester Human Resource Information System 1.0 and classified as problematic. This issue affects some unknown processing of the file Superadmin_Dashboard/process/addcorporate_process.php. The manipulation of the argument corporate_name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259583.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in JoomSky JS Job Manager plugin <= 2.0.0 versions.
The Sticky Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ popup_title' parameter in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin level capabilities and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue mostly affects sites where unfiltered_html has been disabled for administrators and on multi-site installations where unfiltered_html is disabled for administrators.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Duc Bui Quang WP Default Feature Image plugin <= 1.0.1.1 versions.
Cross Site Scripting (XSS) vulnerability in Textpattern CMS 4.8.1 via Custom fields in the Menu Preferences feature.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Go Prayer WP Prayer plugin <= 1.9.6 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Yotuwp Video Gallery plugin <= 1.3.12 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in IKSWEB WordPress Старт plugin <= 3.7 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ko Takagi Simple Slug Translate plugin <= 2.7.2 versions.
Stored XSS in b2evolution CMS version 6.11.6 and prior allows an attacker to perform malicious JavaScript code execution via the plugin name input field in the plugin module.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mehjabin Orthi Interactive SVG Image Map Builder plugin <= 1.0 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Nate Reist Protected Posts Logout Button plugin <= 1.4.5 versions.
There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser. The privileges required to execute this attack are high. The impact to Confidentiality, Integrity and Availability are High.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Oliver Schlöbe Simple Yearly Archive plugin <= 2.1.8 versions.
The Custom Base Terms WordPress plugin before 1.0.3 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in OneWebsite WP Repost plugin <= 0.1 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM Answers plugin <= 3.1.9 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tapfiliate plugin <= 3.0.12 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Include WP BaiDu Submit plugin <= 1.2.1 versions.
DBHcms v1.2.0 has a reflected xss vulnerability as there is no security filter in dbhcms\mod\mod.selector.php line 108 for $_GET['return_name'] parameter, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DupeOff.Com DupeOff plugin <= 1.6 versions.