Total
39922 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6387 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| The WP Get The Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8071 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| Mine CloudVod plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘audio’ parameter in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-3669 | 2025-07-25 | 6.4 Medium | ||
| The Supreme Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auto_qrcodesabb shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7966 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘channel', 'layout', and 'subs_count’ parameters in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7959 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| The Station Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width' and 'height’ parameter in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6539 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| The Voltax Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6385 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| The WP Applink plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6382 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin’s render() method takes the user-supplied name attribute and injects it directly into a <script> tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6262 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| The muse.ai video embedding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's muse-ai shortcode in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-4608 | 2025-07-25 | 6.4 Medium | ||
| The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-27349 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nurelm Get Posts allows Stored XSS. This issue affects Get Posts: from n/a through 0.6. | ||||
| CVE-2025-30575 | 1 Wordpress | 1 Wordpress | 2025-07-24 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly Login Redirect allows Stored XSS. This issue affects Login Redirect: from n/a through 1.0.5. | ||||
| CVE-2021-26087 | 1 Fortinet | 1 Fortiwlc | 2025-07-24 | 4.2 Medium |
| An improper neutralization of input during web page generation in FortiWLC version 8.6.0, version 8.5.3 and below, version 8.4.8 and below, version 8.3.3 web interface may allow both authenticated remote attackers and non-authenticated attackers in the same network as the appliance to perform a stored cross site scripting attack (XSS) via injecting malicious payloads in different locations. | ||||
| CVE-2019-6697 | 1 Fortinet | 1 Fortios | 2025-07-24 | 5.2 Medium |
| An Improper Neutralization of Input vulnerability affecting FortiGate version 6.2.0 through 6.2.1, 6.0.0 through 6.0.6 in the hostname parameter of a DHCP packet under DHCP monitor page may allow an unauthenticated attacker in the same network as the FortiGate to perform a Stored Cross Site Scripting attack (XSS) by sending a crafted DHCP packet. | ||||
| CVE-2019-15706 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-07-24 | 4 Medium |
| An improper neutralization of input during web page generation in the SSL VPN portal of FortiProxy version 2.0.0, version 1.2.9 and below and FortiOS version 6.2.1 and below, version 6.0.8 and below, version 5.6.12 may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS). | ||||
| CVE-2024-26006 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-07-24 | 6.9 Medium |
| An improper neutralization of input during web page Generation vulnerability [CWE-79] in FortiOS version 7.4.3 and below, version 7.2.7 and below, version 7.0.13 and below and FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below web SSL VPN UI may allow a remote unauthenticated attacker to perform a Cross-Site Scripting attack via a malicious samba server. | ||||
| CVE-2025-2616 | 1 Yangyouwang | 1 Crud | 2025-07-23 | 2.4 Low |
| A vulnerability classified as problematic has been found in yangyouwang 杨有旺 crud 简约后台管理系统 1.0.0. Affected is an unknown function of the component Role Management Page. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-47189 | 1 Netwrix | 1 Directory Manager | 2025-07-23 | 6.1 Medium |
| Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication error data of certain user flows, a different vulnerability than CVE-2025-54392. | ||||
| CVE-2024-9526 | 1 Kubeflow | 2 Kubeflow W Pipeline View, Pipelines | 2025-07-23 | 5.4 Medium |
| There exists a stored XSS Vulnerability in Kubeflow Pipeline View web UI. The Kubeflow Web UI allows to create new pipelines. When creating a new pipeline, it is possible to add a description. The description field allows html tags, which are not filtered properly. Leading to a stored XSS. We recommend upgrading past commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d | ||||
| CVE-2024-11023 | 1 Google | 1 Firebase Javascript Sdk | 2025-07-23 | 5.3 Medium |
| Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow an actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0. | ||||