Total
35903 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6133 | 1 Tipsandtricks-hq | 1 Wp Estore | 2025-05-08 | 6.5 Medium |
| The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-12568 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-05-08 | 4.8 Medium |
| The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-12567 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-05-08 | 4.8 Medium |
| The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-12566 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-05-08 | 4.8 Medium |
| The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-11636 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-05-08 | 4.8 Medium |
| The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Text Block options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2025-29602 | 2025-05-08 | 6.1 Medium | ||
| flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories. | ||||
| CVE-2022-43425 | 1 Jenkins | 1 Custom Checkbox Parameter | 2025-05-08 | 5.4 Medium |
| Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2022-43420 | 1 Jenkins | 1 Contrast Continuous Application Security | 2025-05-08 | 5.4 Medium |
| Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses. | ||||
| CVE-2022-2627 | 1 Tagdiv | 1 Newspaper | 2025-05-08 | 6.1 Medium |
| The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting. | ||||
| CVE-2024-2159 | 2 Heateor, Wpsocialrocket | 2 Sassy Social Share, Social Sharing Plugin | 2025-05-08 | 4.7 Medium |
| The Social Sharing Plugin WordPress plugin before 3.3.61 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-0905 | 1 Radykal | 1 Fancy Product Designer | 2025-05-08 | 6.3 Medium |
| The Fancy Product Designer WordPress plugin before 6.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against unauthenticated and admin-level users | ||||
| CVE-2022-3608 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-05-08 | 8.4 High |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-alpha. | ||||
| CVE-2024-3261 | 1 Wpchill | 1 Strong Testimonials | 2025-05-08 | 4.8 Medium |
| The Strong Testimonials WordPress plugin before 3.1.12 does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be performed | ||||
| CVE-2024-2972 | 1 Premio | 1 Floating Chat Widget | 2025-05-08 | 3.8 Low |
| The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-2402 | 1 Utopique | 1 Better Comments | 2025-05-08 | 5.4 Medium |
| The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2025-2371 | 1 Phpgurukul | 1 Human Metapneumovirus Testing Management System | 2025-05-08 | 3.5 Low |
| A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /registered-user-testing.php of the component Registered Mobile Number Search. The manipulation of the argument regmobilenumber leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2375 | 1 Phpgurukul | 1 Human Metapneumovirus Testing Management System | 2025-05-08 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. Affected is an unknown function of the file /profile.php of the component Admin Profile Page. The manipulation of the argument email leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-2908 | 1 Callnowbutton | 1 Call Now Button | 2025-05-08 | 4.3 Medium |
| The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-2310 | 1 Ljapps | 1 Wp Google Review Slider | 2025-05-08 | 5.9 Medium |
| The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2021-33231 | 1 Easyvista | 1 Service Manager | 2025-05-08 | 5.4 Medium |
| Cross Site Scripting (XSS) vulnerability in New equipment page in EasyVista Service Manager 2018.1.181.1 allows remote attackers to run arbitrary code via the notes field. | ||||