Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-23604

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-19 Feb, 2026 | 17:54
Updated At-19 Feb, 2026 | 19:21
Rejected At-
Credits

GFI MailEssentials AI < 22.4 Keyword Filtering Rule Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:19 Feb, 2026 | 17:54
Updated At:19 Feb, 2026 | 19:21
Rejected At:
▼CVE Numbering Authority (CNA)
GFI MailEssentials AI < 22.4 Keyword Filtering Rule Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.

Affected Products
Vendor
GFI Software
Product
MailEssentials AI
Default Status
unaffected
Versions
Affected
  • From 0 before 22.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Alex Williams from Pellera Technologies
coordinator
VulnCheck
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases
release-notes
patch
https://www.vulncheck.com/advisories/gfi-mailessentials-ai-keyword-filtering-rule-stored-xss
third-party-advisory
Hyperlink: https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases
Resource:
release-notes
patch
Hyperlink: https://www.vulncheck.com/advisories/gfi-mailessentials-ai-keyword-filtering-rule-stored-xss
Resource:
third-party-advisory
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:19 Feb, 2026 | 18:24
Updated At:19 Feb, 2026 | 20:25

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondarydisclosure@vulncheck.com
CWE ID: CWE-79
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releasesdisclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/gfi-mailessentials-ai-keyword-filtering-rule-stored-xssdisclosure@vulncheck.com
N/A
Hyperlink: https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/gfi-mailessentials-ai-keyword-filtering-rule-stored-xss
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

9932Records found
CVE-2023-2350
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.09% / 25.06%
||
7 Day CHG~0.00%
Published-27 Apr, 2023 | 15:31
Updated-02 Aug, 2024 | 06:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Service Provider Management System Users.php cross site scripting

A vulnerability classified as problematic was found in SourceCodester Service Provider Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /classes/Users.php. The manipulation of the argument id leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227593 was assigned to this vulnerability.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-service_provider_management_systemService Provider Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2349
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.09% / 25.06%
||
7 Day CHG~0.00%
Published-27 Apr, 2023 | 15:00
Updated-22 Nov, 2024 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Service Provider Management System index.php cross site scripting

A vulnerability classified as problematic has been found in SourceCodester Service Provider Management System 1.0. Affected is an unknown function of the file /admin/index.php. The manipulation of the argument page leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227592.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-service_provider_management_systemService Provider Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2439
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.08% / 24.04%
||
7 Day CHG~0.00%
Published-31 Jan, 2024 | 02:35
Updated-17 Jun, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userpro' shortcode in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-userpropluginn/a
Product-userproUserPro - Community and User Profile WordPress Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23481
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.4||MEDIUM
EPSS-0.14% / 33.36%
||
7 Day CHG~0.00%
Published-08 Jun, 2023 | 01:29
Updated-06 Jan, 2025 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling Partner Engagement Manager cross-site scripting

IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 245889.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-sterling_partner_engagement_managerlinux_kernelSterling Partner Engagement Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23831
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.25%
||
7 Day CHG~0.00%
Published-13 Jun, 2023 | 13:40
Updated-02 Aug, 2024 | 13:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Rating Widget Plugin <= 3.1.9 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Rating-Widget Rating-Widget: Star Review System plugin <= 3.1.9 versions.

Action-Not Available
Vendor-rating-widgetRating-Widget
Product-ratingwidgetRating-Widget: Star Review System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24181
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 30.94%
||
7 Day CHG~0.00%
Published-10 Apr, 2023 | 00:00
Updated-11 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm.

Action-Not Available
Vendor-n/aOpenWrt
Product-lucin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23728
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 14:18
Updated-19 Feb, 2025 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Flipclock Plugin <= 1.7.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Winwar Media WP Flipclock plugin <= 1.7.4 versions.

Action-Not Available
Vendor-winwarWinwar Media
Product-wp_flipclockWP Flipclock
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23867
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 26.90%
||
7 Day CHG~0.00%
Published-12 May, 2023 | 14:39
Updated-09 Jan, 2025 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Button Builder – Buttons X Plugin <= 0.8.6 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Gautam Thapar Button Builder – Buttons X plugin <= 0.8.6 versions.

Action-Not Available
Vendor-buttons_x_projectGautam Thapar
Product-buttons_xButton Builder – Buttons X
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23685
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-04 Apr, 2023 | 11:05
Updated-19 Feb, 2025 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Portfolio – WordPress Portfolio Plugin Plugin <= 2.8.10 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in RadiusTheme Portfolio – WordPress Portfolio plugin <= 2.8.10 versions.

Action-Not Available
Vendor-radiusthemeRadiusTheme
Product-portfolioPortfolio – WordPress Portfolio Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23885
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-07 Apr, 2023 | 11:46
Updated-10 Jan, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quick Contact Form Plugin <= 8.0.3.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Quick Contact Form plugin <= 8.0.3.1 versions.

Action-Not Available
Vendor-fullworkspluginsFullworks
Product-quick_contact_formQuick Contact Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23856
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 62.35%
||
7 Day CHG+0.15%
Published-14 Feb, 2023 | 03:15
Updated-20 Mar, 2025 | 17:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In SAP BusinessObjects Business Intelligence (Web Intelligence user interface) - version 430, some calls return json with wrong content type in the header of the response. As a result, a custom application that calls directly the jsp of Web Intelligence DHTML may be vulnerable to XSS attacks. On successful exploitation an attacker can cause a low impact on integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-business_objects_business_intelligence_platformSAP BusinessObjects Business Intelligence (Web Intelligence UI)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23717
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-23 Apr, 2023 | 10:12
Updated-10 Jan, 2025 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Portfolio Slideshow Plugin <= 1.13.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in George Gecewicz Portfolio Slideshow plugin <= 1.13.0 versions.

Action-Not Available
Vendor-portfolio_slideshow_projectGeorge Gecewicz
Product-portfolio_slideshowPortfolio Slideshow
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23815
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-06 Apr, 2023 | 04:58
Updated-10 Jan, 2025 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Multi-column Tag Map Plugin <= 17.0.24 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Alan Jackson Multi-column Tag Map plugin <= 17.0.24 versions.

Action-Not Available
Vendor-Multi-Column Tag Map
Product-multi-column_tag_mapMulti-column Tag Map
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24400
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.81%
||
7 Day CHG~0.00%
Published-06 May, 2023 | 23:03
Updated-09 Jan, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cookie Notice & Compliance for GDPR / CCPA Plugin <= 2.4.6 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Hu-manity.Co Cookie Notice & Compliance for GDPR / CCPA plugin <= 2.4.6 versions.

Action-Not Available
Vendor-hu-manityHu-manity.co
Product-cookie_notice_\&_compliance_for_gdpr_\/_ccpaCookie Notice & Compliance for GDPR / CCPA
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23664
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 26.90%
||
7 Day CHG~0.00%
Published-09 May, 2023 | 09:58
Updated-02 Aug, 2024 | 10:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ConvertBox Auto Embed WordPress plugin Plugin <= 1.0.19 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ConvertBox ConvertBox Auto Embed WordPress plugin <= 1.0.19 versions.

Action-Not Available
Vendor-convertboxConvertBox
Product-convertbox_auto_embedConvertBox Auto Embed WordPress plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23891
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-06 Apr, 2023 | 13:54
Updated-10 Jan, 2025 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ocean Extra Plugin <= 2.1.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.1 versions. Needs the OceanWP theme installed and activated.

Action-Not Available
Vendor-oceanwpOceanWP
Product-ocean_extraOcean Extra
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23681
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-30 Mar, 2023 | 11:06
Updated-10 Jan, 2025 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Hover Effects For WPBakery Page Builder Plugin <= 4.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Labib Ahmed Image Hover Effects For WPBakery Page Builder plugin <= 4.0 versions.

Action-Not Available
Vendor-webdevoceanLabib Ahmed
Product-image_hover_effects_for_wpbakery_page_builderImage Hover Effects For WPBakery Page Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23898
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-06 Apr, 2023 | 10:08
Updated-10 Jan, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Blocksy Companion Plugin <= 1.8.67 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeThemes Blocksy Companion plugin <= 1.8.67 versions.

Action-Not Available
Vendor-creativethemesCreativeThemes
Product-blocksy_companionBlocksy Companion
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-38694
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.49% / 65.09%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 17:09
Updated-02 Aug, 2024 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Umbraco CMS vulnerable to possible injection of HTML in an unintended form

Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.

Action-Not Available
Vendor-Umbraco A/S (Umbraco)
Product-umbraco_cmsUmbraco-CMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2334
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.02% / 5.36%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:08
Updated-11 Jun, 2025 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Digital Downloads Google Sheet Connector < 1.6.6 - Access Code Update via CSRF

The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack

Action-Not Available
Vendor-gsheetconnectorwesterndealUnknown
Product-edd_gsheetconnectoreasy_digital_downloads_google_sheet_connectorEasy Digital Downloads Google Sheet Connectoredd-google-sheet-connector-pro
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23949
Matching Score-4
Assigner-Symantec - A Division of Broadcom
ShareView Details
Matching Score-4
Assigner-Symantec - A Division of Broadcom
CVSS Score-8.1||HIGH
EPSS-0.71% / 71.87%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client browser.

Action-Not Available
Vendor-n/aBroadcom Inc.
Product-symantec_identity_managersymantec_identity_governance_and_administrationSymantec Identity Management And Governance
CWE ID-CWE-779
Logging of Excessive Data
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23647
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.07% / 21.23%
||
7 Day CHG~0.00%
Published-09 May, 2023 | 11:05
Updated-09 Jan, 2025 | 15:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Team Member Plugin <= 4.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in Sk. Abul Hasan Team Member – Team with Slider plugin <= 4.4 versions.

Action-Not Available
Vendor-wpmartSk. Abul Hasan
Product-team_member_-_team_with_sliderTeam Member – Team with Slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23956
Matching Score-4
Assigner-Symantec - A Division of Broadcom
ShareView Details
Matching Score-4
Assigner-Symantec - A Division of Broadcom
CVSS Score-6.1||MEDIUM
EPSS-6.68% / 91.04%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 00:00
Updated-14 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A user can supply malicious HTML and JavaScript code that will be executed in the client browser

Action-Not Available
Vendor-n/aBroadcom Inc.
Product-symantec_siteminder_webagentSymantec SiteMinder WebAgent
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23880
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 23.00%
||
7 Day CHG~0.00%
Published-08 Aug, 2023 | 11:23
Updated-25 Sep, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ExactMetrics Plugin <= 7.14.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ExactMetrics plugin <= 7.14.1 versions.

Action-Not Available
Vendor-ExactMetricsMonsterInsights, LLC
Product-exactmetricsExactMetrics
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-38582
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 23.52%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 20:04
Updated-18 Jun, 2025 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Socomec MOD3GP-SY-120K Cross-site Scripting

Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the field MAIL_RCV. When a legitimate user attempts to access to the vulnerable page of the web application, the XSS payload will be executed.

Action-Not Available
Vendor-socomecSocomec
Product-modulys_gp_firmwaremodulys_gpMODULYS GP (MOD3GP-SY-120K)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24282
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 45.94%
||
7 Day CHG~0.00%
Published-08 Mar, 2023 | 00:00
Updated-05 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in Poly Trio 8800 7.2.2.1094 allows attackers to execute arbitrary code via a crafted ringtone file.

Action-Not Available
Vendor-polyn/a
Product-trio_8800trio_8800_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23873
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 26.90%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 08:35
Updated-02 Aug, 2024 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BBSpoiler Plugin <= 2.01 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Flector BBSpoiler plugin <= 2.01 versions.

Action-Not Available
Vendor-bbspoiler_projectFlector
Product-bbspoilerBBSpoiler
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24399
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.5||MEDIUM
EPSS-0.13% / 32.98%
||
7 Day CHG~0.00%
Published-30 Mar, 2023 | 11:14
Updated-10 Jan, 2025 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ocean Extra Plugin <= 2.1.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.2 versions.

Action-Not Available
Vendor-oceanwpOceanWP
Product-ocean_extraOcean Extra
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23670
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-30 Mar, 2023 | 10:44
Updated-19 Feb, 2025 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fancy Comments WordPress Plugin <= 1.2.10 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Team Heateor Fancy Comments WordPress plugin <= 1.2.10 versions.

Action-Not Available
Vendor-Heateor
Product-fancy_commentsFancy Comments WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2442
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-8.7||HIGH
EPSS-83.69% / 99.26%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 00:00
Updated-07 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23635
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.53% / 66.96%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

Action-Not Available
Vendor-jellyfinn/a
Product-jellyfinn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-22659
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 19.98%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 15:01
Updated-08 Jul, 2025 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Orbit Fox by ThemeIsle plugin <= 2.10.44 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle allows Stored XSS.This issue affects Orbit Fox by ThemeIsle: from n/a through 2.10.44.

Action-Not Available
Vendor-ThemeisleThemeisle
Product-orbit_foxOrbit Fox by ThemeIsle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24251
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 34.18%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 00:00
Updated-11 Mar, 2025 | 13:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WangEditor v5 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /dist/index.js.

Action-Not Available
Vendor-wangeditorn/a
Product-wangeditorn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24009
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 23.00%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 10:14
Updated-25 Sep, 2024 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Upfrontwp Theme <= 1.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (subscriber+) Reflected Cross-site Scripting (XSS) vulnerability in Wpazure Themes Upfrontwp theme <= 1.1 versions.

Action-Not Available
Vendor-wpazureWpazure Themes
Product-upfrontwpUpfrontwp
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23798
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 23.00%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 10:04
Updated-25 Sep, 2024 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Layer Slider Plugin <= 1.1.9.7 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Muneeb Layer Slider plugin <= 1.1.9.7 versions.

Action-Not Available
Vendor-web-settlerMuneeb
Product-layer_sliderLayer Slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24408
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 26.90%
||
7 Day CHG~0.00%
Published-08 May, 2023 | 14:36
Updated-09 Jan, 2025 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ecwid Shopping Cart Plugin <= 6.11.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Ecwid Ecommerce Ecwid Ecommerce Shopping Cart plugin <= 6.11.4 versions.

Action-Not Available
Vendor-lightspeedhqEcwid Ecommerce
Product-ecwid_ecommerce_shopping_cartEcwid Ecommerce Shopping Cart
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2404
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 28.03%
||
7 Day CHG~0.00%
Published-03 Jun, 2023 | 04:35
Updated-20 Dec, 2024 | 23:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with the edit_posts capability, such as contributors and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-vcitavcita
Product-crm_and_lead_management_by_vcitaCRM and Lead Management by vcita
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23817
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-23 Apr, 2023 | 10:27
Updated-10 Jan, 2025 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple PDF Viewer Plugin <= 1.9 is vulnerable to Cross Site Scripting (XSS)

Auth. (contrinbutor+) Cross-Site Scripting (XSS) vulnerability in WebArea | Vera Nedvyzhenko Simple PDF Viewer plugin <= 1.9 versions.

Action-Not Available
Vendor-simple_pdf_viewer_projectWebArea | Vera Nedvyzhenko
Product-simple_pdf_viewerSimple PDF Viewer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23827
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-23 Apr, 2023 | 10:19
Updated-10 Jan, 2025 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Google Maps v3 Shortcode Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Google Maps v3 Shortcode plugin <= 1.2.1 versions.

Action-Not Available
Vendor-google_maps_v3_shortcode_projectGoogle Maps v3 Shortcode
Product-google_maps_v3_shortcodeGoogle Maps v3 Shortcode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23707
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.07% / 21.41%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 16:12
Updated-02 Aug, 2024 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files Plugin <= 2.7.1 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Unrestricted Upload of File with Dangerous Type vulnerability in Awsm Innovations Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files allows Stored XSS via upload of SVG and HTML files. This issue affects Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin <= 2.7.1 versions.

Action-Not Available
Vendor-AWSM Digital Innovations
Product-embed_any_documentEmbed Any Document – Embed PDF, Word, PowerPoint and Excel Files
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-23641
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 26.90%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 09:18
Updated-10 Oct, 2024 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Uji Popup Plugin <= 1.4.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WPmanage Uji Popup plugin <= 1.4.3 versions.

Action-Not Available
Vendor-wpmanageWPmanage
Product-uji_popupUji Popup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2428
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 38.27%
||
7 Day CHG~0.00%
Published-30 Apr, 2023 | 00:00
Updated-30 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.13.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaqthorsten/phpmyfaq
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23892
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 13:48
Updated-09 Jan, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress M Chart Plugin <= 1.9.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Jamie Poitra M Chart plugin <= 1.9.4 versions.

Action-Not Available
Vendor-m_chart_projectJamie Poitra
Product-m_chartM Chart
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24374
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.98%
||
7 Day CHG~0.00%
Published-06 Apr, 2023 | 13:33
Updated-19 Feb, 2025 | 21:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Material Design Icons for Page Builders Plugin <= 1.4.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Photon WP Material Design Icons for Page Builders plugin <= 1.4.2 versions.

Action-Not Available
Vendor-material_design_icons_for_page_builders_projectPhoton WP
Product-material_design_icons_for_page_buildersMaterial Design Icons for Page Builders
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23833
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.25%
||
7 Day CHG~0.00%
Published-25 Jul, 2023 | 12:53
Updated-25 Sep, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Drop Shadow Boxes Plugin <= 1.7.10 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Steven Henty Drop Shadow Boxes plugin <= 1.7.10 versions.

Action-Not Available
Vendor-drop_shadow_boxes_projectSteven Henty
Product-drop_shadow_boxesDrop Shadow Boxes
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23701
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 26.90%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 07:58
Updated-09 Jan, 2025 | 15:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Sign Up Plugin <= 3.4.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Andrew @ Geeenville Web Design Easy Sign Up plugin <= 3.4.1 versions.

Action-Not Available
Vendor-web_design_easy_sign_up_projectAndrew @ Geeenville Web Design
Product-web_design_easy_sign_upEasy Sign Up
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23894
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 26.90%
||
7 Day CHG~0.00%
Published-08 May, 2023 | 21:57
Updated-09 Jan, 2025 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Surbma | GDPR Proof Cookie Consent & Notice Bar Plugin <= 17.5.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Surbma Surbma | GDPR Proof Cookie Consent & Notice Bar plugin <= 17.5.3 versions.

Action-Not Available
Vendor-surbmaSurbma
Product-gdpr_proof_cookie_consent_\&_notice_barSurbma | GDPR Proof Cookie Consent & Notice Bar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22712
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.09%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 12:35
Updated-10 Jan, 2025 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress TemplatesNext ToolKit Plugin <= 3.2.7 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in TemplatesNext TemplatesNext ToolKit plugin <= 3.2.7 versions.

Action-Not Available
Vendor-templatesnextTemplatesNext
Product-templatesnext_toolkitTemplatesNext ToolKit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22696
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 26.90%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 08:10
Updated-09 Jan, 2025 | 15:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Affiliate Links Lite Plugin <= 2.5 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Custom4Web Affiliate Links Lite plugin <= 2.5 versions.

Action-Not Available
Vendor-custom4webCustom4Web
Product-affiliate_links_liteAffiliate Links Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-28935
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 45.48%
||
7 Day CHG~0.00%
Published-30 Mar, 2021 | 12:00
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.

Action-Not Available
Vendor-n/aThe CMS Made Simple Foundation
Product-cms_made_simplen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 198
  • 199
  • Next
Details not found