Export limit exceeded: 46898 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46898 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13566 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The WP DataTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 0.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-13650 | 2026-04-15 | 6.4 Medium | ||
| The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'PAFE Before After Image Comparison Slider' widget in all versions up to, and including, 2.4.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-13662 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The eHive Objects Image Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ehive_objects_image_grid' shortcode in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-13696 | 2026-04-15 | 7.2 High | ||
| The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wishlist_name’ parameter in all versions up to, and including, 1.2.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9611 | 2026-04-15 | 6.1 Medium | ||
| The Increase upload file size & Maximum Execution Time limit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-9543 | 2026-04-15 | 6.4 Medium | ||
| The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skipto' shortcode in all versions up to, and including, 11.9.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-62967 | 2 Designinvento, Wordpress | 2 Directorypress, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress directorypress allows DOM-Based XSS.This issue affects DirectoryPress: from n/a through <= 3.6.25. | ||||
| CVE-2025-68917 | 1 Onlyoffice | 1 Document Server | 2026-04-15 | 6.4 Medium |
| ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer. | ||||
| CVE-2024-4398 | 2026-04-15 | 6.4 Medium | ||
| The HTML5 Audio Player- Best WordPress Audio Player Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9446 | 2026-04-15 | 6.4 Medium | ||
| The WP Simple Anchors Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpanchor shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-68010 | 2 Netgsm, Wordpress | 2 Netgsm, Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in netgsm Netgsm netgsm allows Reflected XSS.This issue affects Netgsm: from n/a through <= 2.9.63. | ||||
| CVE-2024-9436 | 2026-04-15 | 6.1 Medium | ||
| The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.5.14. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-2163 | 2026-04-15 | 6.4 Medium | ||
| The Ninja Beaver Add-ons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping on user supplied attributes such as urls. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-37244 is likely a duplicate of this issue. | ||||
| CVE-2025-10949 | 2026-04-15 | 2.4 Low | ||
| A vulnerability was found in Changsha Developer Technology iView Editor up to 1.1.1. This impacts an unknown function of the component Markdown Handler. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-9276 | 1 Tmsoft | 1 Myauthgateway | 2026-04-15 | 3.5 Low |
| A vulnerability classified as problematic has been found in TMsoft MyAuth Gateway 3. Affected is an unknown function of the file /index.php. The manipulation of the argument console/nocache/cmd leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-9267 | 2026-04-15 | 6.1 Medium | ||
| The Easy WordPress Subscribe – Optin Hound plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-48842 | 1 Abb | 1 Flxeon | 2026-04-15 | 7 High |
| Use of Hard-coded Credentials vulnerability in ABB FLXEON.This issue affects FLXEON: through 9.3.5 and newer versions | ||||
| CVE-2024-48410 | 1 Camtrace | 1 Camtrace | 2026-04-15 | 6.1 Medium |
| Cross Site Scripting vulnerability in Camtrace v.9.16.2.1 allows a remote attacker to execute arbitrary code via the login.php. | ||||
| CVE-2024-12696 | 2026-04-15 | 6.4 Medium | ||
| The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videowhisper_picture_upload_guest shortcode in all versions up to, and including, 1.5.22 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-39318 | 2026-04-15 | 5.4 Medium | ||
| The Ibexa Admin UI Bundle contains all the necessary parts to run the Ibexa DXP Back Office interface. The file upload widget is vulnerable to XSS payloads in filenames. Access permission to upload files is required. As such, in most cases only authenticated editors and administrators will have the required permission. It is not persistent, i.e. the payload is only executed during the upload. In effect, an attacker will have to trick an editor/administrator into uploading a strangely named file. | ||||