Total
45597 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6555 | 1 I13websolution | 1 Email Subscription Popup | 2025-06-18 | 6.1 Medium |
| The Email Subscription Popup WordPress plugin before 1.2.20 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-6529 | 1 Rextheme | 1 Wp Vr | 2025-06-18 | 6.1 Medium |
| The WP VR WordPress plugin before 8.3.15 does not authorisation and CSRF in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities. | ||||
| CVE-2023-27000 | 1 Netscout | 1 Ngeniusone | 2025-06-18 | 6.1 Medium |
| Cross Site Scripting vulnerability found in NetScoutnGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code via the name parameter of the Profile and Exclusion List page(s). | ||||
| CVE-2024-36656 | 1 Minthcm | 1 Minthcm | 2025-06-18 | 6.1 Medium |
| In MintHCM 4.0.3, a registered user can execute arbitrary JavaScript code and achieve a reflected Cross-site Scripting (XSS) attack. | ||||
| CVE-2023-6621 | 1 Wpexperts | 1 Post Smtp | 2025-06-18 | 6.1 Medium |
| The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2023-6141 | 1 G5plus | 1 Essential Real Estate | 2025-06-18 | 5.4 Medium |
| The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS attacks. | ||||
| CVE-2023-5911 | 1 Hamidrezasepehr | 1 Wp Custom Cursors \| Wordpress Cursor Plugin | 2025-06-18 | 4.8 Medium |
| The WP Custom Cursors | WordPress Cursor Plugin WordPress plugin through 3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-27739 | 1 Easyxdm | 1 Easyxdm | 2025-06-18 | 6.1 Medium |
| easyXDM 2.5 allows XSS via the xdm_e parameter. | ||||
| CVE-2025-48915 | 1 Drupal | 1 Cookies Consent Management | 2025-06-18 | 8.6 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15. | ||||
| CVE-2025-48914 | 1 Drupal | 1 Cookies Consent Management | 2025-06-18 | 8.6 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15. | ||||
| CVE-2025-5420 | 1 Juzaweb | 1 Cms | 2025-06-18 | 3.5 Low |
| A vulnerability classified as problematic was found in juzaweb CMS up to 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/file-manager/upload of the component Profile Page. The manipulation of the argument Upload leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-6485 | 1 Bplugins | 1 Html5 Video Player | 2025-06-18 | 5.4 Medium |
| The Html5 Video Player WordPress plugin before 2.5.19 does not sanitise and escape some of its player settings, which combined with missing capability checks around the plugin could allow any authenticated users, such as low as subscribers to perform Stored Cross-Site Scripting attacks against high privilege users like admins | ||||
| CVE-2023-6037 | 1 Ljapps | 1 Wp Tripadvisor Review Slider | 2025-06-18 | 4.8 Medium |
| The WP TripAdvisor Review Slider WordPress plugin before 11.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-6000 | 1 Sygnoos | 1 Popup Builder | 2025-06-18 | 6.1 Medium |
| The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks. | ||||
| CVE-2024-26517 | 1 Rems | 1 School Task Manager | 2025-06-18 | 9.1 Critical |
| SQL Injection vulnerability in School Task Manager v.1.0 allows a remote attacker to obtain sensitive information via a crafted payload to the delete-task.php component. | ||||
| CVE-2023-38582 | 1 Socomec | 2 Modulys Gp, Modulys Gp Firmware | 2025-06-18 | 6.3 Medium |
| Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the field MAIL_RCV. When a legitimate user attempts to access to the vulnerable page of the web application, the XSS payload will be executed. | ||||
| CVE-2024-25107 | 1 Miraheze | 1 Wikidiscover | 2025-06-17 | 4.9 Medium |
| WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `->text()` output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit `267e763a0`. Users are advised to update their installations. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-1257 | 1 Ujcms | 1 Jspxcms | 2025-06-17 | 3.5 Low |
| A vulnerability was found in Jspxcms 10.2.0. It has been classified as problematic. Affected is an unknown function of the file /ext/collect/find_text.do. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252996. | ||||
| CVE-2024-24570 | 1 Statamic | 1 Statamic | 2025-06-17 | 8.2 High |
| Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the "copy password reset link" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled. | ||||
| CVE-2024-1103 | 1 Codeastro | 1 Real Estate Management System | 2025-06-17 | 3.5 Low |
| A vulnerability was found in CodeAstro Real Estate Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file profile.php of the component Feedback Form. The manipulation of the argument Your Feedback with the input <img src=x onerror=alert(document.cookie)> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252458 is the identifier assigned to this vulnerability. | ||||