Search Results (47190 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-9615 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The BulkPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.3.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2025-62949 2 Buddydev, Wordpress 2 Activity Plus Reloaded For Buddypress, Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress bp-activity-plus-reloaded allows Stored XSS.This issue affects Activity Plus Reloaded for BuddyPress: from n/a through <= 1.1.2.
CVE-2025-62948 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Konstantin Pankratov Date counter date-counter allows Stored XSS.This issue affects Date counter: from n/a through <= 2.0.3.
CVE-2025-11851 1 Apeman 1 Apeman 2026-04-15 3.5 Low
A vulnerability has been found in Apeman ID71 EN75.8.53.20. The affected element is an unknown function of the file /set_alias.cgi. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-10048 2026-04-15 6.1 Medium
The Post Status Notifier Lite and Premium plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.11.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2025-2703 1 Grafana 2 Grafana, Grafana Enterprise 2026-04-15 6.8 Medium
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
CVE-2025-4804 2026-04-15 N/A
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the spamBlocker module. This vulnerability requires an authenticated administrator session to a locally managed Firebox. This issue affects Fireware OS: from 12.0 through 12.11.1.
CVE-2024-10175 2026-04-15 6.4 Medium
The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wdo_pricing_tables shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-11804 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Planaday API plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 11.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2025-3020 2026-04-15 5.4 Medium
An low privileged remote Attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage with limited impact.
CVE-2023-6692 2026-04-15 6.4 Medium
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tab anchor metabox in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-50055 1 Openvpn 2 Openvpn, Openvpn Access Server 2026-04-15 6.4 Medium
Cross-site scripting (XSS) vulnerability in the SAML Authentication module in OpenVPN Access Server version 2.14.0 through 2.14.3 allows configured remote SAML Assertion Consumer Service (ACS) endpoint servers to inject arbitrary web script or HTML via the RelayState parameter
CVE-2025-53754 2026-04-15 N/A
This vulnerability exists in Digisol DG-GR6821AC Router due to hard-coded Root Access Credentials in system configuration of the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to obtain the stored root access credentials. Successful exploitation of this vulnerability could allow the attacker to gain admin access to the targeted device.
CVE-2025-49928 2 Crocoblock, Wordpress 2 Jetformbuilder, Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows DOM-Based XSS.This issue affects JetWooBuilder: from n/a through <= 2.1.20.
CVE-2025-62793 1 Elabftw 1 Elabftw 2026-04-15 6.8 Medium
eLabFTW is an open source electronic lab notebook for research labs. The application served uploaded SVG files inline. Because SVG supports active content, an attacker could upload a crafted SVG that executes script when viewed, resulting in stored XSS under the application origin. A victim who opens the SVG URL or any page embedding it could have their session hijacked, data exfiltrated, or actions performed on their behalf. This vulnerability is fixed n 5.3.0.
CVE-2025-22917 2026-04-15 5.4 Medium
A reflected cross-site scripting (XSS) vulnerability in Audemium ERP <=0.9.0 allows remote attackers to execute an arbitrary JavaScript payload in the web browser of a user by including a malicious payload into the 'type' parameter of list.php.
CVE-2024-10185 2026-04-15 6.4 Medium
The StreamWeasels YouTube Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-youtube-embed shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-1529 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-69006 1 Wordpress 1 Wordpress 2026-04-15 5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atte Moisio AM Events am-events allows Stored XSS.This issue affects AM Events: from n/a through <= 1.13.1.
CVE-2024-10227 2026-04-15 6.4 Medium
The affiliate-toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atkp_product shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.