Search Results (47293 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-40697 1 Lewe 1 Webmeasure 2026-04-15 N/A
Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
CVE-2025-50869 2026-04-15 6.1 Medium
A stored Cross-Site Scripting (XSS) vulnerability exists in the qureydetails.php page of Institute-of-Current-Students 1.0, where the input fields for Query and Answer do not properly sanitize user input. Authenticated users can inject arbitrary JavaScript code.
CVE-2024-38724 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Muhammad Rehman Contact Form 7 Summary and Print allows Stored XSS.This issue affects Contact Form 7 Summary and Print: from n/a through 1.2.5.
CVE-2025-53297 3 Aa-team, Woocommerce, Wordpress 3 Woocommerce Envato Affiliates, Woocommerce, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Envato Affiliates wooenvato allows Reflected XSS.This issue affects Woocommerce Envato Affiliates: from n/a through <= 1.2.1.
CVE-2023-7295 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Video Grid plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the search_term parameter in versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2025-40633 2026-04-15 N/A
A Stored Cross-Site Scripting (XSS) vulnerability has been found in Koibox for versions prior to e8cbce2. This vulnerability allows an authenticated attacker to upload an image containing malicious JavaScript code as profile picture in the '/es/dashboard/clientes/ficha/' endpoint
CVE-2023-5451 1 Forcepoint 1 Next Generation Firewall Security Management Center 2026-04-15 6.1 Medium
Forcepoint NGFW Security Management Center Management Server has SMC Downloads optional feature to offer standalone Management Client downloads and ECA configuration downloads. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Next Generation Firewall Security Management Center (SMC Downloads feature) allows Reflected XSS. This issue affects Next Generation Firewall Security Management Center : before 6.10.13, from 6.11.0 before 7.1.2.
CVE-2025-22917 2026-04-15 5.4 Medium
A reflected cross-site scripting (XSS) vulnerability in Audemium ERP <=0.9.0 allows remote attackers to execute an arbitrary JavaScript payload in the web browser of a user by including a malicious payload into the 'type' parameter of list.php.
CVE-2024-10017 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The PJW Mime Config plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVE-2025-3781 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's raisely_donation_form shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-12626 2026-04-15 9.6 Critical
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code.
CVE-2024-11091 2026-04-15 6.4 Medium
The Support SVG – Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVE-2025-40642 1 Webwork 1 Webwork 2026-04-15 N/A
Reflected Cross-Site Scripting (XSS) vulnerability in WebWork, which allows remote attackers to execute arbitrary code through the 'q' and 'engine' request parameters in /search.
CVE-2025-63072 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in THEMECO Cornerstone cornerstone allows Stored XSS.This issue affects Cornerstone: from n/a through <= 7.7.3.
CVE-2024-10034 2026-04-15 5.5 Medium
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the gallery link text parameter in all versions up to, and including, 3.2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-4302 2026-04-15 6.1 Medium
Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS) attacks.
CVE-2024-45832 2026-04-15 4.3 Medium
Hard-coded credentials were included as part of the application binary. These credentials served as part of the application authentication flow and communication with the mobile application. An attacker could access unauthorized information.
CVE-2025-53369 2026-04-15 8.6 High
Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 4.0.1.
CVE-2025-52378 2026-04-15 5.4 Medium
Cross-Site Scripting (XSS) vulnerability in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below allowing attackers to inject JavaScript code that is executed in the context of administrator sessions when viewing the device management page via the DEVICE_ALIAS parameter to the /web/um_device_set_aliasname endpoint.
CVE-2024-52951 1 Omada 1 Omada Identity 2026-04-15 8 High
Stored Cross-Site Scripting in the Access Request History in Omada Identity before version 15 update 1 allows an authenticated attacker to execute arbitrary code in the browser of a victim via a specially crafted link or by viewing a manipulated Access Request History