Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-53460

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-22 Sep, 2025 | 18:25
Updated At-28 Apr, 2026 | 16:13
Rejected At-
Credits

WordPress AffiliateWP – External Referral Links Plugin <= 1.2.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi AffiliateWP – External Referral Links affiliatewp-external-referral-links allows Stored XSS.This issue affects AffiliateWP – External Referral Links: from n/a through <= 1.2.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:22 Sep, 2025 | 18:25
Updated At:28 Apr, 2026 | 16:13
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress AffiliateWP – External Referral Links Plugin <= 1.2.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi AffiliateWP – External Referral Links affiliatewp-external-referral-links allows Stored XSS.This issue affects AffiliateWP – External Referral Links: from n/a through <= 1.2.0.

Affected Products
Vendor
Awesome Motive Inc.Syed Balkhi
Product
AffiliateWP – External Referral Links
Collection URL
https://wordpress.org/plugins
Package Name
affiliatewp-external-referral-links
Default Status
unaffected
Versions
Affected
  • From 0 through 1.2.0 (custom)
    • -> unaffectedfrom1.2.2
Problem Types
TypeCWE IDDescription
CWECWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.15.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-592Stored XSS
CAPEC ID: CAPEC-592
Description: Stored XSS
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Nabil Irawan | Patchstack Bug Bounty Program
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/Wordpress/Plugin/affiliatewp-external-referral-links/vulnerability/wordpress-affiliatewp-external-referral-links-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/Wordpress/Plugin/affiliatewp-external-referral-links/vulnerability/wordpress-affiliatewp-external-referral-links-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:22 Sep, 2025 | 19:15
Updated At:23 Apr, 2026 | 15:32

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi AffiliateWP – External Referral Links affiliatewp-external-referral-links allows Stored XSS.This issue affects AffiliateWP – External Referral Links: from n/a through <= 1.2.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondaryaudit@patchstack.com
CWE ID: CWE-79
Type: Secondary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/Wordpress/Plugin/affiliatewp-external-referral-links/vulnerability/wordpress-affiliatewp-external-referral-links-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/Wordpress/Plugin/affiliatewp-external-referral-links/vulnerability/wordpress-affiliatewp-external-referral-links-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1269Records found
CVE-2023-45747
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.15% / 34.87%
||
7 Day CHG~0.00%
Published-24 Oct, 2023 | 11:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Lightbox 2 Plugin <= 3.0.6.5 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Syed Balkhi WP Lightbox 2 plugin <= 3.0.6.5 versions.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-wp_lightbox_2WP Lightbox 2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-47520
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.17% / 37.81%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:20
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Charitable plugin <= 1.8.5.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Charitable charitable allows Stored XSS.This issue affects Charitable: from n/a through <= 1.8.5.1.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Charitable
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-46451
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.17% / 37.81%
||
7 Day CHG~0.00%
Published-24 Apr, 2025 | 16:09
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Floating Social Bar plugin <= 1.1.7 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Floating Social Bar floating-social-bar allows Stored XSS.This issue affects Floating Social Bar: from n/a through <= 1.1.7.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Floating Social Bar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24637
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.18% / 40.01%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:48
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Beacon Lead Magnets and Lead Capture Plugin <= 1.5.7 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Beacon Lead Magnets and Lead Capture beacon-by allows Reflected XSS.This issue affects Beacon Lead Magnets and Lead Capture: from n/a through <= 1.5.7.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Beacon Lead Magnets and Lead Capture
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22646
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 25.43%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 15:08
Updated-12 May, 2026 | 23:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress aThemes Addons for Elementor plugin <= 1.0.8 - Stored Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor athemes-addons-for-elementor-lite allows Stored XSS.This issue affects aThemes Addons for Elementor: from n/a through <= 1.0.8.

Action-Not Available
Vendor-Pop Goes The Pixel Ltd. (aThemes)Awesome Motive Inc.
Product-athemes_addons_for_elementoraThemes Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-60112
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 8.66%
||
7 Day CHG~0.00%
Published-26 Sep, 2025 | 08:31
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress aThemes Addons for Elementor Plugin <= 1.1.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor athemes-addons-for-elementor-lite allows Stored XSS.This issue affects aThemes Addons for Elementor: from n/a through <= 1.1.2.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-aThemes Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-58001
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 8.66%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:24
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Compact Archives plugin <= 4.1.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Compact Archives compact-archives allows Stored XSS.This issue affects Compact Archives: from n/a through <= 4.1.0.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Compact Archives
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-30770
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.53% / 67.49%
||
7 Day CHG-0.35%
Published-27 Mar, 2025 | 10:54
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Charitable plugin <= 1.8.4.7 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Charitable charitable allows DOM-Based XSS.This issue affects Charitable: from n/a through <= 1.8.4.7.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Charitable
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-51675
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 43.53%
||
7 Day CHG~0.00%
Published-09 Nov, 2024 | 13:01
Updated-11 May, 2026 | 21:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress aThemes Addons for Elementor plugin <= 1.0.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor athemes-addons-for-elementor-lite allows DOM-Based XSS.This issue affects aThemes Addons for Elementor: from n/a through <= 1.0.7.

Action-Not Available
Vendor-Pop Goes The Pixel Ltd. (aThemes)Awesome Motive Inc.
Product-athemes_addons_for_elementoraThemes Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-36919
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.09% / 24.87%
||
7 Day CHG+0.04%
Published-13 Jan, 2026 | 22:55
Updated-05 Mar, 2026 | 01:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPForms 1.7.8 - Cross-Site Scripting (XSS)

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser.

Action-Not Available
Vendor-WPForms, LLCAwesome Motive Inc.
Product-wpformsWPForms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31734
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.88% / 75.62%
||
7 Day CHG+0.74%
Published-01 Apr, 2025 | 14:51
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Post Expiration plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Simple Post Expiration simple-post-expiration allows DOM-Based XSS.This issue affects Simple Post Expiration: from n/a through <= 1.0.1.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Simple Post Expiration
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-42643
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.03% / 9.84%
||
7 Day CHG~0.00%
Published-29 Apr, 2026 | 10:40
Updated-12 May, 2026 | 11:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Widget plugin <= 4.4.11 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through <= 4.4.11.

Action-Not Available
Vendor-The Events Calendar (StellarWP)
Product-Image Widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25105
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.10%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 10:11
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pop Up Plugin <= 0.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in coffeestudios Pop Up popup-seo-optimized allows Stored XSS.This issue affects Pop Up: from n/a through <= 0.1.

Action-Not Available
Vendor-coffeestudios
Product-Pop Up
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25073
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.10%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 10:11
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy WP Tiles plugin <= 1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vasilis Triantafyllou Easy WP Tiles easy-wp-tiles allows Stored XSS.This issue affects Easy WP Tiles: from n/a through <= 1.

Action-Not Available
Vendor-Vasilis Triantafyllou
Product-Easy WP Tiles
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24634
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.21% / 43.63%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Orbisius Simple Notice plugin <= 1.1.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Svetoslav Marinov Orbisius Simple Notice orbisius-simple-notice allows Stored XSS.This issue affects Orbisius Simple Notice: from n/a through <= 1.1.3.

Action-Not Available
Vendor-Svetoslav Marinov
Product-Orbisius Simple Notice
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24658
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.32% / 54.88%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-12 May, 2026 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Auction Nudge – Your eBay on Your Site plugin <= 7.2.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Auction Nudge – Your eBay on Your Site auction-nudge allows Stored XSS.This issue affects Auction Nudge – Your eBay on Your Site: from n/a through <= 7.2.0.

Action-Not Available
Vendor-Joe
Product-Auction Nudge – Your eBay on Your Site
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24668
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.22% / 44.44%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PPOM for WooCommerce plugin <= 33.0.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Stored XSS.This issue affects PPOM for WooCommerce: from n/a through <= 33.0.8.

Action-Not Available
Vendor-Themeisle
Product-PPOM for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24722
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.09% / 25.30%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:25
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FAQ Builder AYS Plugin <= 1.7.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro FAQ Builder AYS faq-builder-ays allows Stored XSS.This issue affects FAQ Builder AYS: from n/a through <= 1.7.3.

Action-Not Available
Vendor-AYS Pro Extensions
Product-FAQ Builder AYS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24674
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.91%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ShMapper by Teplitsa Plugin <= 1.5.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Denis Cherniatev ShMapper by Teplitsa shmapper-by-teplitsa allows Stored XSS.This issue affects ShMapper by Teplitsa: from n/a through <= 1.5.0.

Action-Not Available
Vendor-Denis Cherniatev
Product-ShMapper by Teplitsa
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23878
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.33% / 55.63%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 20:07
Updated-12 May, 2026 | 23:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post-to-Post Links plugin <= 4.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Reilly Post-to-Post Links easy-post-to-post-links allows Stored XSS.This issue affects Post-to-Post Links: from n/a through <= 4.2.

Action-Not Available
Vendor-Scott Reilly
Product-Post-to-Post Links
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23854
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.33% / 55.63%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 20:07
Updated-11 May, 2026 | 22:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com plugin <= 3.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yesstreamingdev Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com shoutcast-and-icecast-html5-web-radio-player-by-yesstreaming-com allows Stored XSS.This issue affects Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com: from n/a through <= 3.3.

Action-Not Available
Vendor-yesstreamingdev
Product-Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22578
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.14% / 34.30%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 14:57
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Cookie plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aazztech WP Cookie wp-cookie allows Stored XSS.This issue affects WP Cookie: from n/a through <= 1.0.0.

Action-Not Available
Vendor-aazztech
Product-WP Cookie
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22640
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.09% / 25.55%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 15:12
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Paytm Payment Donation Plugin <= 2.3.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in integrationdevpaytm Paytm Payment Donation paytm-donation allows Stored XSS.This issue affects Paytm Payment Donation: from n/a through <= 2.3.3.

Action-Not Available
Vendor-integrationdevpaytm
Product-Paytm Payment Donation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22579
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 32.02%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 14:57
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Header Notification plugin <= 1.2.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly WP Header Notification wp-header-notification allows Stored XSS.This issue affects WP Header Notification: from n/a through <= 1.2.7.

Action-Not Available
Vendor-Arefly
Product-WP Header Notification
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22496
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.09% / 25.16%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 15:32
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Notif Bell Plugin <= 0.9.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MarMar8x Notif Bell notif-bell allows Stored XSS.This issue affects Notif Bell: from n/a through <= 0.9.8.

Action-Not Available
Vendor-MarMar8x
Product-Notif Bell
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22788
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 32.02%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 15:23
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CoDesigner plugin <= 4.29 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codexpert, Inc CoDesigner woolementor allows Stored XSS.This issue affects CoDesigner: from n/a through <= 4.29.

Action-Not Available
Vendor-Codexpert, Inc
Product-CoDesigner
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39654
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-13 May, 2026 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Simple HTML Sitemap plugin <= 3.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS.This issue affects WP Simple HTML Sitemap: from n/a through <= 3.8.

Action-Not Available
Vendor-Ashish Ajani
Product-WP Simple HTML Sitemap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22738
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 22.78%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 15:23
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP ULike plugin <= 4.7.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alimir WP ULike wp-ulike allows Stored XSS.This issue affects WP ULike: from n/a through <= 4.7.6.

Action-Not Available
Vendor-wpulikeAlimir
Product-wp_ulikeWP ULike
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22316
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.07% / 20.67%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 10:48
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPBITS Addons For Elementor Page Builder plugin <= 1.5.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.5.1.

Action-Not Available
Vendor-wpbitswpbits
Product-wpbits_addons_for_elementor_page_builderWPBITS Addons For Elementor Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39604
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MyBookTable Bookstore plugin <= 3.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS.This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.

Action-Not Available
Vendor-zookatron
Product-MyBookTable Bookstore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-15363
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 06:00
Updated-18 Mar, 2026 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Get Use APIs < 2.0.10 - Contributor+ Stored XSS

The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.

Action-Not Available
Vendor-Unknown
Product-Get Use APIs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10105
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.04%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jobs for WordPress < 2.7.11 - Contributor+ Stored XSS

The Job Postings WordPress plugin before 2.7.11 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-blueglassUnknown
Product-jobs_for_wordpressJob Postings
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39693
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FSM Custom Featured Image Caption plugin <= 1.25.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.

Action-Not Available
Vendor-fesomia
Product-FSM Custom Featured Image Caption
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10104
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.24% / 46.51%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 06:00
Updated-11 Apr, 2025 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jobs for WordPress < 2.7.8 - Contributor+ Stored XSS

The Jobs for WordPress plugin before 2.7.8 does not sanitise and escape some of its Job settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-blueglassUnknown
Product-jobs_for_wordpressJobs for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39667
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Korea SNS plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.This issue affects Korea SNS: from n/a through <= 1.7.0.

Action-Not Available
Vendor-Jongmyoung Kim
Product-Korea SNS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39615
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download Manager plugin <= 3.3.53 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Download Manager download-manager allows Stored XSS.This issue affects Download Manager: from n/a through <= 3.3.53.

Action-Not Available
Vendor-Shahjada
Product-Download Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39638
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Qubely plugin <= 1.8.14 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14.

Action-Not Available
Vendor-Themeum
Product-Qubely
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13958
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.46%
||
7 Day CHG~0.00%
Published-29 Dec, 2025 | 06:00
Updated-29 Dec, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YaMaps < 0.6.40 - Contributor+ Stored XSS

The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-Unknown
Product-YaMaps for WordPress Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10309
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.32%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 06:00
Updated-11 May, 2025 | 23:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tracking Code Manager < 2.4.0 - Contributor+ Stored XSS

The Tracking Code Manager WordPress plugin before 2.4.0 does not sanitise and escape some of its metabox settings when outputing them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Action-Not Available
Vendor-data443Unknown
Product-tracking_code_managerTracking Code Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10076
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.17% / 37.81%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-04 Jun, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jetpack < 13.8, Boost < 3.4.8 - Contributor+ Stored XSS

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and above users to perform Stored XSS attacks

Action-Not Available
Vendor-UnknownAutomattic Inc.
Product-jetpack_boostjetpackJetpackJetpack Boost
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13031
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.02% / 6.51%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 06:00
Updated-12 Dec, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPeMatico RSS Feed Fetcher < 2.8.13 - Contributor+ Stored XSS

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-Unknown
Product-WPeMatico RSS Feed Fetcher
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39683
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Garden Gnome Package plugin <= 2.4.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.This issue affects Garden Gnome Package: from n/a through <= 2.4.1.

Action-Not Available
Vendor-Chief Gnome
Product-Garden Gnome Package
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-39541
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hydra Booking plugin <= 1.1.38 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.38.

Action-Not Available
Vendor-Themefic
Product-Hydra Booking
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-49184
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.12% / 30.28%
||
7 Day CHG~0.00%
Published-15 Dec, 2023 | 14:56
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Parallax Slider Block Plugin <= 1.2.4 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Parallax Slider Block allows Stored XSS.This issue affects Parallax Slider Block: from n/a through 1.2.4.

Action-Not Available
Vendor-WPDeveloper
Product-parallax_slider_blockParallax Slider Block
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-40328
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 31.61%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 08:26
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Carrot Plugin <= 1.1.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Carrrot plugin <= 1.1.0 versions.

Action-Not Available
Vendor-carrrotCarrrot
Product-carrrotCarrrot
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-32351
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:41
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PowerPress Podcasting plugin <= 11.15.13 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blubrry PowerPress Podcasting powerpress allows Stored XSS.This issue affects PowerPress Podcasting: from n/a through <= 11.15.13.

Action-Not Available
Vendor-blubrry
Product-PowerPress Podcasting
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-27303
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.10%
||
7 Day CHG~0.00%
Published-24 Feb, 2025 | 14:48
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form 7 Star Rating plugin <= 1.10 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelogger Contact Form 7 Star Rating contact-form-7-star-rating allows Stored XSS.This issue affects Contact Form 7 Star Rating: from n/a through <= 1.10.

Action-Not Available
Vendor-themelogger
Product-Contact Form 7 Star Rating
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-32360
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:42
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Rich Showcase for Google Reviews plugin <= 6.9.4.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3.

Action-Not Available
Vendor-richplugins
Product-Rich Showcase for Google Reviews
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-32419
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:42
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress List category posts plugin <= 0.93.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Briano List category posts list-category-posts allows DOM-Based XSS.This issue affects List category posts: from n/a through <= 0.93.1.

Action-Not Available
Vendor-Fernando Briano
Product-List category posts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37980
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.34%
||
7 Day CHG~0.00%
Published-27 Jul, 2023 | 13:59
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Custom Field For WP Job Manager Plugin <= 1.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gravity Master Custom Field For WP Job Manager plugin <= 1.1 versions.

Action-Not Available
Vendor-custom_field_for_wp_job_manager_projectGravity Master
Product-custom_field_for_wp_job_managerCustom Field For WP Job Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 25
  • 26
  • Next
Details not found