Search Results (47148 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-11462 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Filestack Official plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'fstab' and 'filestack_options' parameters in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-11888 2026-04-15 6.4 Medium
The IDer Login for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ider_login_button' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects version 2.1, but was also patched in version 2.1 - a new version was not released with the patch.
CVE-2024-11883 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Connatix Video Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cnx_script_code' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-11853 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The jAlbum Bridge plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ar’ parameter in all versions up to, and including, 2.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It was determined that the patch in 2.0.16 was insufficient, and 2.0.17 is considered the fully patched version.
CVE-2024-11876 2026-04-15 6.4 Medium
The Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kredeum_opensky' shortcode in all versions up to, and including, 1.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-11873 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The glomex oEmbed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'glomex_integration' shortcode in all versions up to, and including, 0.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2634 2026-04-15 6.1 Medium
A Cross-Site Scripting Vulnerability has been found on Meta4 HR affecting version 819.001.022 and earlier. The endpoint '/sse_generico/generico_login.jsp' is vulnerable to XSS attack via 'lang' query, i.e. '/sse_generico/generico_login.jsp?lang=%27%3balert(%27BLEUSS%27)%2f%2f&params='.
CVE-2025-51691 2026-04-15 6.1 Medium
Cross-Site Scripting (XSS) vulnerability found in MarkTwo commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (May 2025) allows a remote attacker to execute arbitrary code via a crafted script input to the editor interface. The application does not properly sanitize user-supplied Markdown before rendering it. Successful exploitation could lead to session hijacking, credential theft, or arbitrary client-side code execution in the context of the victim's browser.
CVE-2024-11867 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Companion Portfolio – Responsive Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'companion-portfolio' shortcode in all versions up to, and including, 2.4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-5424 2026-04-15 6.4 Medium
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘galleryID’ and 'className' parameters in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-3798 2026-04-15 N/A
Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery. This issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable.  Phoniebox in version 3.0 and higher are not affected.
CVE-2024-25737 2026-04-15 6.1 Medium
A Server-Side Request Forgery (SSRF) vulnerability in the /Cover/Show route (showAction in CoverController.php) in Open Library Foundation VuFind 2.4 through 9.1 before 9.1.1 allows remote attackers to access internal HTTP servers and perform Cross-Site Scripting (XSS) attacks by proxying arbitrary URLs via the proxy GET parameter.
CVE-2024-37961 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in codoc.Jp allows Stored XSS.This issue affects codoc: from n/a through 0.9.51.12.
CVE-2024-54674 1 Misp 1 Misp 2026-04-15 6.1 Medium
app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format.
CVE-2024-37960 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Chris Coyier CodePen Embedded Pens Shortcode allows Stored XSS.This issue affects CodePen Embedded Pens Shortcode: from n/a through 1.0.0.
CVE-2025-24833 1 Neojapan 1 Desknet Neo 2026-04-15 N/A
Stored cross-site scripting (XSS) vulnerability in desknet's NEO versions V4.0R1.0–V9.0R2.0 allow execution of arbitrary JavaScript in a user’s web browser.
CVE-2024-25662 2026-04-15 6.1 Medium
Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Cross-Site Scripting (XSS) for malicious URLs.
CVE-2025-24841 2026-04-15 N/A
Movable Type contains a stored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor. It is exploitable when TinyMCE6 is used as a rich text editor and an arbitrary script may be executed on a logged-in user's web browser.
CVE-2025-51629 2026-04-15 8.8 High
A cross-site scripting (XSS) vulnerability in the PdfViewer component of Agenzia Impresa Eccobook 2.81.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Temp parameter.
CVE-2025-24885 2026-04-15 7.6 High
pwn.college is an education platform to learn about, and practice, core cybersecurity concepts in a hands-on fashion. Missing access control on rendering custom (unprivileged) dojo pages causes ability for users to create stored XSS.