Cross-site Scripting (XSS) - 47654 CVEs (Page 60/398)

About “Cross-site Scripting (XSS)”

A curated feed of “Cross-site Scripting (XSS)”-related CVEs appears below. We currently track 47654 CVEs for this tag (all time). In the last 365 days, 7589 were published. Average CVSS is 5.6 (all time; 5.9 over 365d), and 11% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-352 - Cross-Site Request Forgery (CSRF), CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2025-06-20

Medium

CVE-2025-50042

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com WP Register Profile With Shortcode wp-register-profile-with-shortcode allows Store…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50041

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Engine Gutenberg Blocks – ACF Blocks Suite acf-blocks allows Stored XSS.This issue affects Gut…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50038

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anantaddons Anant Addons for Elementor anant-addons-for-elementor allows Stored XSS.This issue af…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50037

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Buying Buddy Buying Buddy IDX CRM buying-buddy-idx-crm allows DOM-Based XSS.This issue affects Bu…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50035

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyrilG Fyrebox Quizzes fyrebox-shortcode allows Stored XSS.This issue affects Fyrebox Quizzes: fr…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50033

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sparklewpthemes Fitness Park fitness-park allows DOM-Based XSS.This issue affects Fitness Park: f…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50030

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sparklewpthemes Spark Multipurpose spark-multipurpose allows DOM-Based XSS.This issue affects Spa…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50027

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xootix Login/Signup Popup easy-login-woocommerce allows Stored XSS.This issue affects Login/Signu…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spoki Spoki spoki allows Stored XSS.This issue affects Spoki: from n/a through <= 2.17.0.

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Polls cp-polls allows Stored XSS.This issue affects CP Polls: from n/a through <= 1…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Truong Thanh ATP Call Now atp-call-now allows Stored XSS.This issue affects ATP Call Now: from n/…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50023

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Coyier CodePen Embed Block codepen-embed-block allows Stored XSS.This issue affects CodePen…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JK WP-FB-AutoConnect wp-fb-autoconnect allows Stored XSS.This issue affects WP-FB-AutoConnect: fr…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50021

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robert Peake Better Random Redirect better-random-redirect allows Stored XSS.This issue affects B…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50020

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nitin Yawalkar RDFa Breadcrumb rdfa-breadcrumb allows Stored XSS.This issue affects RDFa Breadcru…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50019

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sandor Kovacs Simple Sticky Footer simple-sticky-footer allows Stored XSS.This issue affects Sim…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50018

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tealium Tealium tealium allows Stored XSS.This issue affects Tealium: from n/a through <= 2.1.20.

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50017

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt WP Voting Contest wp-voting-contest allows Stored XSS.This issue affects WP Voting Contest:…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50016

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brijeshk89 IP Based Login ip-based-login allows Stored XSS.This issue affects IP Based Login: fro…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50015

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rodrigo Bastos Hand Talk handtalk allows Stored XSS.This issue affects Hand Talk: from n/a throug…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50014

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iamapinan PDPA Consent for Thailand pdpa-consent allows Stored XSS.This issue affects PDPA Consen…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50013

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason Judge CSV Importer Improved csv-importer-improved allows Stored XSS.This issue affects CSV…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50012

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fridaysystems Inventory Presser inventory-presser allows Stored XSS.This issue affects Inventory…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50011

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Félix Martínez Recipes manager - WPH allows Stored XSS. This issue affects Recipes manager - WPH:…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-49873

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Elessi elessi-theme allows Reflected XSS.This issue affects Elessi: from n/a through <=…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Low

CVE-2025-6340

A vulnerability classified as problematic has been found in code-projects School Fees Payment System 1.0. This affects an unknown part of the file /branch.php. The manipulation of the argument Branch…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-6257

The Euro FxRef Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currency shortcode in all versions up to, and including, 2.0.2 due to insufficient…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Low

CVE-2025-6301

A vulnerability, which was classified as problematic, has been found in PHPGurukul Notice Board System 1.0. This issue affects some unknown processing of the file /admin/manage-notices.php of the com…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Low

CVE-2025-6288

A vulnerability, which was classified as problematic, has been found in PHPGurukul Bus Pass Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/admin-profil…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Low

CVE-2025-6287

A vulnerability classified as problematic was found in PHPGurukul COVID19 Testing Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /test-details.php of th…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-06-19

Medium

CVE-2025-6285

A vulnerability was found in PHPGurukul COVID19 Testing Management System 2021. It has been rated as problematic. This issue affects some unknown processing of the file /search-report-result.php. The…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-6268

A vulnerability classified as problematic has been found in Luna Imaging up to 7.5.5.6. Affected is an unknown function of the file /luna/servlet/view/search. The manipulation of the argument q leads…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5234

The Gutenverse News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘elementId’ parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4965

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Builder feature in all versions up to, and including, 8.4.1 due to insu…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5490

The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output e…

CVSS: 5.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5524

The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output esca…

CVSS: 4.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4479

The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, an…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4367

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient…

CVSS: 6.4 CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) View on NVD

Medium

CVE-2025-6201

The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-50183

OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that co…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-23169

The Versa Director SD-WAN orchestration platform allows customization of the user interface, including the header, footer, and logo. However, the input provided for these customizations is not proper…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-06-18

Medium

CVE-2025-49590

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed.…

CVSS: 6.1 CWE: CWE-692 - Incomplete Denylist to Cross-Site Scripting View on NVD

Medium

CVE-2025-1349

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged us…

CVSS: 5.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2024-54183

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-45786

Real Estate Management 1.0 is vulnerable to Cross Site Scripting (XSS) in /store/index.php.

CVSS: 8.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-45661

A cross-site scripting (XSS) vulnerability in miniTCG v1.3.1 beta allows attackers to execute abritrary web scripts or HTML via injecting a crafted payload into the id parameter at /members/edit.php.

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5237

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 3.8.5 due to insufficient input sanitiz…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4955

The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and…

CVSS: 4.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-06-17

Medium

CVE-2025-49149

Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-45880

A cross-site scripting (XSS) vulnerability in the data resource management function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a cra…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-45878

A cross-site scripting (XSS) vulnerability in the report manager function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted paylo…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-45879

A cross-site scripting (XSS) vulnerability in the e-mail manager function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted paylo…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49882

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Tauqeer CubeWP cubewp-framework allows DOM-Based XSS.This issue affects CubeWP: from n/a th…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49881

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks responsive-block-editor-addons allows Stored XSS.This issue affects…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49878

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts wpadverts allows DOM-Based XSS.This issue affects WPAdverts: from n/a th…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49875

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in If-So Dynamic Content If-So Dynamic Content Personalization if-so allows Stored XSS.This issue af…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49871

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noptin Newsletter Team Noptin newsletter-optin-box allows Stored XSS.This issue affects Noptin: f…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49863

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs Advanced Sermons advanced-sermons allows Stored XSS.This issue affects Advanced Sermons…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49862

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in motov.net Ebook Store ebook-store allows Stored XSS.This issue affects Ebook Store: from n/a thro…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49861

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timur Kamaev Kama Click Counter kama-clic-counter allows Stored XSS.This issue affects Kama Click…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49859

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in etruel WP Views Counter wpecounter allows Stored XSS.This issue affects WP Views Counter: from n/…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49858

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tychesoftwares Arconix Shortcodes arconix-shortcodes allows Stored XSS.This issue affects Arconix…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49855

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meks Meks Flexible Shortcodes meks-flexible-shortcodes allows DOM-Based XSS.This issue affects Me…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-49316

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Reflected XSS.This issue affects WP2LEADS: from…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-49312

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress rss-feed-post-generator-echo all…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-49266

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Reflected XSS.This issue affects Ultimate Rev…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-48333

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder wp-fsqm-pro allows Reflected XSS.This issue affects eForm…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-48145

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michal Jaworski Track, Analyze & Optimize by WP Tao wp-tao allows Reflected XSS.This issue affect…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-39508

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Nasa Core nasa-core allows Reflected XSS.This issue affects Nasa Core: from n/a through…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-30988

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in _CreativeMedia_ Elite Video Player elite-video-player allows Stored XSS.This issue affects Elite…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5700

The Simple Logo Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.9.3 due to insufficient input sanitization an…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5291

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's masterslider_pb and ms_slide shortcodes in all versions up to, and inclu…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-6050

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayable_links_js" function, which fa…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-40674

Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of…

CVSS: 5.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5209

The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even w…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4775

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-3774

The Wise Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.3.4 due to insufficient input sanitization and o…

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-48993

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatti…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-06-16

Medium

CVE-2025-48992

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting (XSS) vulnerability exists in the Nam…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Low

CVE-2025-6131

A vulnerability, which was classified as problematic, was found in CodeAstro Food Ordering System 1.0. Affected is an unknown function of the file /admin/store/edit/ of the component POST Request Par…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Low

CVE-2025-6127

A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search-report.ph…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-6126

A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /contact.php. The…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Low

CVE-2025-6125

A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/aboutus.php. The manipulation of the…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-40729

Reflected Cross-Site Scripting (XSS) in /customer_support/index.php in Customer Support System v1.0, which allows remote attackers to execute arbitrary code via the page parameter.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-40727

A Reflected Cross Site Scripting (XSS) vulnerability was found in '/search' in Phoenix Site CMS from Phoenix, which allows remote attackers to execute arbitrary code via 's' GET parameter.

CVSS: 5.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-40726

Reflected Cross-Site Scripting (XSS) vulnerability in /pages/search-results-page in Nosto, which allows remote attackers to execute arbitrary code via the q GET request parameter.

CVSS: 5.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-4987

A stored Cross-site Scripting (XSS) vulnerability affecting Opportunity Management in Project Portfolio Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker…

CVSS: 8.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-06-15

Medium

CVE-2025-6092

A vulnerability was found in comfyanonymous comfyui up to 0.3.39. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /upload/image of the comp…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-5990

An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.

CVSS: 7.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-06-14

Medium

CVE-2025-5337

The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to in…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5238

The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitizati…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4667

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-6061

The kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kkytv' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitizat…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5589

The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5336

The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 to insufficient input sanitization an…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4216

The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sa…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-06-13

High

CVE-2025-49587

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and sa…

CVSS: 8.0 CWE: CWE-357 - Insufficient UI Warning of Dangerous Operations View on NVD

High

CVE-2025-48920

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal etracker allows Cross-Site Scripting (XSS).This issue affects etracker: from 0.0.0 before…

CVSS: 7.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-48919

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0…

CVSS: 5.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-48918

CVSS: 8.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-48917

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal EU Cookie Compliance (GDPR Compliance) allows Cross-Site Scripting (XSS).This issue affect…

CVSS: 5.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-48915

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Co…

CVSS: 8.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

High

CVE-2025-48914

CVSS: 8.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-28380

A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the URL parameter.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-46096

Directory Traversal vulnerability in solon v.3.1.2 allows a remote attacker to conduct XSS attacks via the solon-faas-luffy component

CVSS: 6.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD

Medium

CVE-2025-6012

The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output…

CVSS: 5.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5923

The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitizatio…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5950

The IndieBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘kind’ parameter in all versions up to, and including, 0.13.2 due to insufficient input sanitization and outp…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5939

The Telegram for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5841

The ACF Onyx Poll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and ou…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5233

The Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hex’ parameter in all versions up to, and including, 4.3.2 due to insufficient input sanitization and outp…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-5123

The Contact Us Page – Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4586

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmcalendarview' shortcode in all versions up to, and including, 1.2.19 due to insufficient input…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4585

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmflat' shortcode in all versions up to, and including, 1.2.19 due to insufficient input sanitiza…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4584

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmeventlist' shortcode in all versions up to, and including, 1.2.19 due to insufficient input san…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-06-12

Medium

CVE-2025-44091

yangyouwang crud v1.0.0 is vulnerable to Cross Site Scripting (XSS) via the role management function.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-4417

A cross-site scripting vulnerability exists in AVEVA PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow an administrator miscreant with local access to the connector…

CVSS: 5.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-2745

A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2025-49193

The application fails to implement several security headers. These headers help increase the overall security level of the web application by e.g., preventing the application to be displayed in an iF…

CVSS: 4.2 CWE: CWE-693 - Protection Mechanism Failure View on NVD

High

CVE-2025-2254

An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper output encoding in the snipper viewer functionalit…

CVSS: 8.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD