Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-4763

Summary
Assigner-TR-CERT
Assigner Org ID-ca940d4e-fea4-4aa2-9a58-591a58b1ce21
Published At-22 Jan, 2026 | 09:10
Updated At-05 Jun, 2026 | 14:41
Rejected At-
Credits

XSS in Aida Computer's Hotspot

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS. This issue affects Hotel Guest Hotspot: through 22012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:TR-CERT
Assigner Org ID:ca940d4e-fea4-4aa2-9a58-591a58b1ce21
Published At:22 Jan, 2026 | 09:10
Updated At:05 Jun, 2026 | 14:41
Rejected At:
▼CVE Numbering Authority (CNA)
XSS in Aida Computer's Hotspot

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS. This issue affects Hotel Guest Hotspot: through 22012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected Products
Vendor
Aida Computer Information Technology Inc.
Product
Hotel Guest Hotspot
Default Status
unknown
Versions
Affected
  • From 0 through 22012026 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.15.5MEDIUM
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-591CAPEC-591 Reflected XSS
CAPEC ID: CAPEC-591
Description: CAPEC-591 Reflected XSS
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Sevban DÖNMEZ
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.usom.gov.tr/bildirim/tr-26-0001
government-resource
broken-link
https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0001
government-resource
Hyperlink: https://www.usom.gov.tr/bildirim/tr-26-0001
Resource:
government-resource
broken-link
Hyperlink: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0001
Resource:
government-resource
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:iletisim@usom.gov.tr
Published At:22 Jan, 2026 | 10:16
Updated At:05 Jun, 2026 | 16:16

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS. This issue affects Hotel Guest Hotspot: through 22012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.5MEDIUM
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches

aida
aida
>>hotel_guest_hotspot>>Versions up to 2026-01-22(inclusive)
cpe:2.3:a:aida:hotel_guest_hotspot:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondaryiletisim@usom.gov.tr
CWE ID: CWE-79
Type: Secondary
Source: iletisim@usom.gov.tr
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0001iletisim@usom.gov.tr
N/A
https://www.usom.gov.tr/bildirim/tr-26-0001iletisim@usom.gov.tr
Third Party Advisory
Hyperlink: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0001
Source: iletisim@usom.gov.tr
Resource: N/A
Hyperlink: https://www.usom.gov.tr/bildirim/tr-26-0001
Source: iletisim@usom.gov.tr
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

10532Records found

CVE-2021-24955
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.97% / 57.51%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:41
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ProfilePress < 3.2.3 - Reflected Cross-Site Scripting

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-profilepressUnknown
Product-user_registration\,_login_form\,_user_profile_\&_membershipUser Registration, Login Form, User Profile & Membership – ProfilePress (Formerly WP User Avatar)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8622
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 6.47%
||
7 Day CHG~0.00%
Published-24 Jun, 2026 | 05:33
Updated-29 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Sizes on Demand <= 1.3 - Reflected Cross-Site Scripting via PHP_SELF Server Variable

The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The injected payload only executes in the context of an administrator, as the settings page requires the manage_options capability to render.

Action-Not Available
Vendor-pixelwelt
Product-Image Sizes on Demand
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24925
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.80% / 51.95%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:41
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Modern Events Calendar Lite < 6.1.5 - Reflected Cross-Site Scripting

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-webnusUnknown
Product-modern_events_calendar_liteModern Events Calendar Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25044
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.49% / 38.35%
||
7 Day CHG~0.00%
Published-10 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cryptocurrency Pricing list and Ticker <= 1.5 - Reflected Cross-Site Scripting

The Cryptocurrency Pricing list and Ticker WordPress plugin through 1.5 does not sanitise and escape the ccpw_setpage parameter before outputting it back in pages where its shortcode is embed, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-premium-themesUnknown
Product-cryptocurrency_pricing_list_and_tickerCryptocurrency Pricing list and Ticker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-59995
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.20% / 10.28%
||
7 Day CHG~0.00%
Published-09 Oct, 2025 | 16:14
Updated-23 Jan, 2026 | 20:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos Space: Template creation through Definition is vulnerable to reflected cross-site script injection

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Quick Template page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R4.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-junos_spaceJunos Space
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24984
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.80% / 52.12%
||
7 Day CHG~0.00%
Published-27 Dec, 2021 | 10:33
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPFront User Role Editor < 3.2.1.11184 - Reflected Cross-Site Scripting

The WPFront User Role Editor WordPress plugin before 3.2.1.11184 does not sanitise and escape the changes-saved parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-wpfrontUnknown
Product-wpfront_user_role_editorWPFront User Role Editor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24876
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.17% / 63.45%
||
7 Day CHG~0.00%
Published-29 Nov, 2021 | 08:25
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Registrations for The Events Calendar < 2.7.5 - Reflected Cross-Site Scripting

The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-roundupwpUnknown
Product-registrations_for_the_events_calendarRegistrations for the Events Calendar – Event Registration Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25083
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.89% / 54.87%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Registrations for the Events Calendar < 2.7.10 - Reflected Cross-Site Scripting

The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-roundupwpUnknown
Product-registrations_for_the_events_calendarRegistrations for the Events Calendar – Event Registration Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24923
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.81% / 52.45%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:00
Updated-16 Oct, 2024 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.25 - Reflected XSS

The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-brevoUnknown
Product-newsletter\,_smtp\,_email_marketing_and_subscribeNewsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24792
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.17% / 63.50%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:40
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shiny Buttons <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting

The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored Cross-Site Scripting issues.

Action-Not Available
Vendor-wpedenUnknown
Product-shiny_buttonsShiny Buttons – CSS3 Button Generator for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24996
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 51.73%
||
7 Day CHG~0.00%
Published-14 Mar, 2022 | 14:41
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IDPay for Contact Form 7 <= 2.1.2 - Reflected Cross-Site Scripting

The IDPay for Contact Form 7 WordPress plugin through 2.1.2 does not sanitise and escape the idpay_error parameter before outputting it back in the page leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-wkiUnknown
Product-idpay_for_contact_form_7IDPay for Contact Form 7
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25277
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.82% / 52.66%
||
7 Day CHG~0.00%
Published-19 Mar, 2021 | 16:39
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FTAPI 4.0 - 4.10 allows XSS via a crafted filename to the alternative text hover box in the file submission component.

Action-Not Available
Vendor-ftapin/a
Product-ftapin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25828
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.51% / 39.72%
||
7 Day CHG+0.07%
Published-28 Jun, 2023 | 00:00
Updated-05 Dec, 2024 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Emby Server versions < 4.6.0.50 is vulnerable to Cross Site Scripting (XSS) vulnerability via a crafted GET request to /web.

Action-Not Available
Vendor-embyn/a
Product-embyn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25894
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.11% / 61.92%
||
7 Day CHG~0.00%
Published-02 Apr, 2021 | 11:31
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the /magnoliaPublic/travel/members/login.html mgnlUserId parameter.

Action-Not Available
Vendor-magnolia-cmsn/a
Product-magnolia_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24935
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.86% / 54.07%
||
7 Day CHG~0.00%
Published-06 Dec, 2021 | 15:55
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Google Fonts < 3.1.5 - Reflected Cross-Site Scripting

The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameter of the googlefont_action AJAx action (available to any authenticated user) before outputing them in attributes, leading Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-wp_google_fonts_projectUnknown
Product-wp_google_fontsWP Google Fonts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-59754
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.1||MEDIUM
EPSS-0.19% / 9.02%
||
7 Day CHG+0.01%
Published-02 Oct, 2025 | 14:26
Updated-02 Oct, 2025 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple vulnerabilities in AndSoft's e-TMS

Cross-site scripting (XSS) vulnerability reflected in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The relationship between parameter and assigned identifier is 'l, demo, demo2, TNTLOGIN, UO and SuppConn' parameters in '/clt/LOGINFRM_original.ASP'.

Action-Not Available
Vendor-andsoftAndSoft
Product-e-tmse-TMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25773
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.64% / 46.19%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 15:32
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains TeamCity before 2020.2 was vulnerable to reflected XSS on several pages.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-teamcityn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24987
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.94% / 77.64%
||
7 Day CHG+0.04%
Published-11 Apr, 2022 | 14:40
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Super Socializer < 7.13.30 - Reflected Cross-Site Scripting

The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.30 does not sanitise and escape the urls parameter in its the_champ_sharing_count AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

Action-Not Available
Vendor-UnknownHeateor
Product-super_socializerSocial Share, Social Login and Social Comments Plugin – Super Socializer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24719
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-2.96% / 85.53%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enfold Theme < 4.8.4 - Reflected Cross-Site Scripting (XSS)

The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder.

Action-Not Available
Vendor-kriesiUnknown
Product-enfoldEnfold
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25086
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.28% / 66.44%
||
7 Day CHG~0.00%
Published-02 May, 2022 | 16:05
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced Page Visit Counter < 6.1.2 - Unauthenticated Stored Cross-Site Scripting

The Advanced Page Visit Counter WordPress plugin before 6.1.2 does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it

Action-Not Available
Vendor-advanced_page_visit_counter_projectUnknown
Product-advanced_page_visit_counterAdvanced Page Visit Counter – Advanced WordPress Visit Counter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25088
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.68% / 47.87%
||
7 Day CHG~0.00%
Published-03 Sep, 2020 | 01:41
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/blog/blogpublish.php.

Action-Not Available
Vendor-ecommerce-codeigniter-bootstrap_projectn/a
Product-ecommerce-codeigniter-bootstrapn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24870
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 16.73%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 15:49
Updated-09 Jan, 2026 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Fastest Cache < 0.9.5 - CSRF to Stored Cross-Site Scripting

The WP Fastest Cache WordPress plugin before 0.9.5 is lacking a CSRF check in its wpfc_save_cdn_integration AJAX action, and does not sanitise and escape some the options available via the action, which could allow attackers to make logged in high privilege users call it and set a Cross-Site Scripting payload

Action-Not Available
Vendor-wpfastestcacheUnknown
Product-wp_fastest_cacheWP Fastest Cache
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24903
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.93% / 85.40%
||
7 Day CHG~0.00%
Published-07 Jan, 2021 | 12:44
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Action-Not Available
Vendor-cutesoftn/a
Product-cute_editorn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-60450
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 11.60%
||
7 Day CHG+0.01%
Published-03 Oct, 2025 | 00:00
Updated-07 Oct, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.

Action-Not Available
Vendor-metinfon/a
Product-metinfon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27419
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.38% / 30.20%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 08:29
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Viable blog Theme <= 1.1.4 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Everest themes Viable Blog theme <= 1.1.4 versions.

Action-Not Available
Vendor-everestthemesEverest themes
Product-viable_blogViable Blog
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25838
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.59% / 43.75%
||
7 Day CHG~0.00%
Published-26 Apr, 2021 | 13:30
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Import function in MintHCM RELEASE 3.0.8 allows an attacker to execute a cross-site scripting (XSS) payload in file-upload.

Action-Not Available
Vendor-minthcmn/a
Product-minthcmn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24986
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 51.73%
||
7 Day CHG+0.02%
Published-11 Apr, 2022 | 14:40
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via keyword

The Post Grid WordPress plugin before 2.1.16 does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form

Action-Not Available
Vendor-pickpluginsUnknown
Product-post_gridPost Grid
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27421
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.35% / 27.10%
||
7 Day CHG~0.00%
Published-08 Aug, 2023 | 10:30
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Everest News Theme <= 1.1.0 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Everest themes Everest News theme <= 1.1.0 versions.

Action-Not Available
Vendor-everestthemesEverest themes
Product-everest_newsEverest News
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25902
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.66% / 47.27%
||
7 Day CHG~0.00%
Published-02 Mar, 2021 | 12:35
Updated-04 Aug, 2024 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Blackboard Collaborate Ultra 20.02 is affected by a cross-site scripting (XSS) vulnerability. The XSS payload will execute on the class room, which leads to stealing cookies from users who join the class. NOTE: Third-parties dispute the validity of this entry as a possible false positive during research

Action-Not Available
Vendor-blackboardn/a
Product-collaborate_ultran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24796
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.17% / 63.50%
||
7 Day CHG~0.00%
Published-17 Nov, 2021 | 10:15
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
My Tickets < 1.8.31 - Unauthenticated Stored Cross-Site Scripting

The My Tickets WordPress plugin before 1.8.31 does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins

Action-Not Available
Vendor-my_tickets_projectUnknown
Product-my_ticketsMy Tickets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25324
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.80% / 51.93%
||
7 Day CHG~0.00%
Published-19 Jan, 2021 | 15:30
Updated-22 Jun, 2026 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.

Action-Not Available
Vendor-misp-projectn/a
Product-mispn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25090
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.68% / 47.87%
||
7 Day CHG~0.00%
Published-03 Sep, 2020 | 01:40
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/ecommerce/publish.php.

Action-Not Available
Vendor-ecommerce-codeigniter-bootstrap_projectn/a
Product-ecommerce-codeigniter-bootstrapn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-4709
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-2.3||LOW
EPSS-0.34% / 25.50%
||
7 Day CHG~0.00%
Published-01 Sep, 2023 | 18:31
Updated-27 May, 2025 | 07:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTVS RM Portal Login.aspx cross site scripting

A vulnerability classified as problematic has been found in TOTVS RM 12.1. Affected is an unknown function of the file Login.aspx of the component Portal. The manipulation of the argument VIEWSTATE leads to cross site scripting. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. It is possible to mitigate the problem by applying the configuration setting <pages validateRequest="true" [...] viewStateEncryptionMode="Always" />. It is recommended to change the configuration settings. The vendor was initially contacted early about this disclosure but did not respond in any way. In a later statement he explains, that "the behavior described [...] is related to specific configurations that are not part of the default application setup. In standard production environments, the relevant feature (VIEWSTATE) is disabled by default, which effectively mitigates the risk of exploitation."

Action-Not Available
Vendor-totvsTOTVS
Product-rmRM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-25063
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-2.41% / 82.10%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form 7 Skins < 2.5.1 - Reflected Cross-Site Scripting (XSS)

The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-cf7skinsUnknown
Product-contact_form_7_skinsSkins for Contact Form 7
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25071
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 51.73%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 17:22
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Akismet Privacy Policies <= 2.0.1 - Reflected Cross-Site Scripting

The WordPress plugin through 2.0.1 does not sanitise and escape the translation parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-inpsydeUnknown
Product-akismet_privacy_policiesAkismet Privacy Policies
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25085
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.65% / 73.66%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WOOF - Products Filter for WooCommerce < 1.2.6.3 - Reflected Cross-Site Scripting

The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements before outputing back in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-UnknownPluginUs.Net (RealMag777)
Product-woocommerce_products_filterWOOF – Products Filter for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24976
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.92% / 55.82%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart SEO Tool < 3.0.6 - Reflected Cross-Site Scripting

The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-wboltUnknown
Product-smart_seo_toolSmart SEO Tool – SEO优化插件
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-59756
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.1||MEDIUM
EPSS-0.19% / 9.02%
||
7 Day CHG+0.01%
Published-02 Oct, 2025 | 14:27
Updated-02 Oct, 2025 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple vulnerabilities in AndSoft's e-TMS

Cross-site scripting (XSS) vulnerability reflected in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The relationship between parameter and assigned identifier is 'l, demo, demo2, TNTLOGIN, UO and SuppConn' parameters in 'SuppConn in /clt/LOGINFRM_CON.ASP'.

Action-Not Available
Vendor-andsoftAndSoft
Product-e-tmse-TMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24937
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.80% / 52.12%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Asset CleanUp < 1.3.8.5 - Reflected Cross-Site Scripting

The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue

Action-Not Available
Vendor-asset_cleanup\Unknown
Product-_page_speed_booster_projectAsset CleanUp: Page Speed Booster
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25022
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.12% / 62.25%
||
7 Day CHG~0.00%
Published-03 Jan, 2022 | 12:49
Updated-22 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UpdraftPlus < 1.16.66 - Reflected Cross-Site Scripting

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-updraftplusUnknown
Product-updraftplusUpdraftPlus WordPress Backup Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-2562
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.1||MEDIUM
EPSS-0.96% / 57.28%
||
7 Day CHG~0.00%
Published-15 Jul, 2020 | 17:34
Updated-26 Sep, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Primavera Portfolio Management product of Oracle Construction and Engineering (component: Investor Module). Supported versions that are affected are 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0 and 19.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera Portfolio Management accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-primavera_portfolio_managementPrimavera Portfolio Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-59821
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 9.55%
||
7 Day CHG~0.00%
Published-23 Sep, 2025 | 17:42
Updated-29 Sep, 2025 | 12:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DNN vulnerable to Reflected Cross-Site Scripting (XSS) using url to profile

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the browser. In these cases, the application does not sufficiently neutralize or encode characters that are meaningful in HTML, so an attacker can cause a victim’s browser to interpret attacker-controlled content as part of the page’s HTML. This issue has been patched in version 10.1.0.

Action-Not Available
Vendor-ESW Operations, LLC ("DNN Software")
Product-dotnetnukeDnn.Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25878
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.15% / 62.92%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 11:33
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AVideo/YouPHPTube 10.0 and prior is affected by multiple reflected Cross Script Scripting vulnerabilities via the videoName parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator.

Action-Not Available
Vendor-youphptuben/a
Product-youphptuben/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25019
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 51.73%
||
7 Day CHG~0.00%
Published-21 Mar, 2022 | 18:55
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SEO Plugin by Squirrly SEO < 11.1.12 - Reflected Cross-Site Scripting

The SEO Plugin by Squirrly SEO WordPress plugin before 11.1.12 does not escape the type parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-squirrlyUnknown
Product-seo_plugin_by_squirrly_seoSEO Plugin by Squirrly SEO
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24985
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.11% / 61.91%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:01
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Forms for Mailchimp < 6.8.6 - Reflected Cross-Site Scripting

The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-yikesincUnknown
Product-easy_forms_for_mailchimpEasy Forms for Mailchimp
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25922
Matching Score-4
Assigner-Mend
ShareView Details
Matching Score-4
Assigner-Mend
CVSS Score-6.1||MEDIUM
EPSS-0.84% / 53.36%
||
7 Day CHG~0.00%
Published-22 Mar, 2021 | 19:39
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code.

Action-Not Available
Vendor-n/aOpenEMR Foundation, Inc
Product-openemropenemr
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25034
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 51.73%
||
7 Day CHG~0.00%
Published-28 Feb, 2022 | 09:06
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP User < 7.0 - Reflected Cross-Site Scripting

The WP User WordPress plugin before 7.0 does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected Cross-Site Scripting issues

Action-Not Available
Vendor-wp_user_projectUnknown
Product-wp_userWP User – Custom Registration Forms, Login and User Profile
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25969
Matching Score-4
Assigner-Mend
ShareView Details
Matching Score-4
Assigner-Mend
CVSS Score-6.1||MEDIUM
EPSS-0.78% / 51.50%
||
7 Day CHG~0.00%
Published-20 Oct, 2021 | 11:55
Updated-30 Apr, 2025 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Camaleon CMS - Stored Cross-Site Scripting (XSS) in Comments

In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attacker to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment.

Action-Not Available
Vendor-tuzitiocamaleon_cms
Product-camaleon_cmscamaleon_cms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-26049
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.27% / 66.37%
||
7 Day CHG~0.00%
Published-21 Dec, 2020 | 14:51
Updated-04 Aug, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nifty-PM CPE 2.3 is affected by stored HTML injection. The impact is remote arbitrary code execution.

Action-Not Available
Vendor-niftypmn/a
Product-nifty-pmn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24885
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.88% / 54.59%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 13:21
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YOP Poll < 6.1.2 - Reflected Cross-Site Scripting

The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting

Action-Not Available
Vendor-yop-pollUnknown
Product-yop-pollYOP Poll
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 210
  • 211
  • Next
Details not found