Export limit exceeded: 46898 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (46898 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-64383 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Qode Qi Blocks qi-blocks allows Stored XSS.This issue affects Qi Blocks: from n/a through <= 1.4.3.
CVE-2024-3674 2026-04-15 6.4 Medium
The Inline Google Spreadsheet Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gdoc' shortcode in all versions up to, and including, 0.13.2 due to insufficient input sanitization and output escaping on user supplied attributes such as 'chart_resolution'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-3681 1 Wordpress 2 Interactive World Maps, Wordpress 2026-04-15 6.1 Medium
The Interactive World Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the search (s) parameter in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2023-51436 1 Japan System Techniques 1 Universal Passport Rx 2026-04-15 5.9 Medium
Cross-site scripting vulnerability exists in UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.8, which may allow a remote authenticated attacker with an administrative privilege to execute an arbitrary script on the web browser of the user who is using the product.
CVE-2022-50940 1 Ajay138 1 Knap Advanced Php Login 2026-04-15 6.4 Medium
Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. Attackers can exploit the vulnerability to execute arbitrary scripts in users and activity log backend modules, potentially leading to session hijacking and persistent phishing attacks.
CVE-2024-3726 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Login Logout Register Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'llrmloginlogout' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2022-50941 1 Mrplugins 1 Bootcommerce 2026-04-15 6.4 Medium
BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking, phishing attacks, and application module manipulation.
CVE-2024-3687 2026-04-15 3.5 Low
A vulnerability was found in bihell Dice 3.1.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Comment Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-260474 is the identifier assigned to this vulnerability.
CVE-2022-50942 1 Icinga 1 Icinga Web 2 2026-04-15 5.4 Medium
Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks.
CVE-2022-50951 1 Smarterdroid 1 Wifi File Transfer 2026-04-15 6.4 Medium
WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the web server's input validation weakness to execute arbitrary JavaScript when users preview infected file paths, potentially compromising user browser sessions.
CVE-2024-47917 2026-04-15 7.5 High
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13401 2026-04-15 6.4 Medium
The Payment Button for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_paypal_checkout' shortcode in all versions up to, and including, 1.2.3.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-36676 2026-04-15 7.5 High
Incorrect access control in BookStack before v24.05.1 allows attackers to confirm existing system users and perform targeted notification email DoS via public facing forms.
CVE-2025-31128 2026-04-15 N/A
gifplayer is a customizable jquery plugin to play and stop animated gifs. gifplayer contains a cross-site scripting (XSS) vulnerability. This vulnerability is fixed in 0.3.7.
CVE-2024-37563 1 Tochat Be 1 Tochat Be 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TOCHAT.BE allows Stored XSS.This issue affects TOCHAT.BE: from n/a through 1.3.0.
CVE-2025-0869 2026-04-15 4.3 Medium
A vulnerability was found in Cianet ONU GW24AC up to 20250127. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Login. The manipulation of the argument browserLang leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-37565 2026-04-15 5.9 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TemeGUM Gum Elementor Addon allows Stored XSS.This issue affects Gum Elementor Addon: from n/a through 1.3.5.
CVE-2025-0871 2026-04-15 3.5 Low
A vulnerability classified as problematic has been found in Maybecms 1.2. This affects an unknown part of the file /mb/admin/index.php?u=article-edit of the component Add Article. The manipulation of the argument data_info[content] leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-7388 1 Wordpress 1 Wordpress 2026-04-15 4 Medium
The WP Bannerize Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via banner alt data in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2024-3916 2026-04-15 6.4 Medium
The Swift Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 2.7.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Unfortunately, we did not receive a response from the vendor to send over the vulnerability details.