Export limit exceeded: 45440 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45440 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13975 | 2 Izuchy, Wordpress | 2 Contact Form 7 With Chatwork, Wordpress | 2026-04-15 | 4.4 Medium |
| The Contact Form 7 with ChatWork plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_token' and 'roomid' settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-37178 | 2026-04-15 | 5 Medium | ||
| SAP Financial Consolidation does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. These endpoints are exposed over the network. The vulnerability can exploit resources beyond the vulnerable component. On successful exploitation, an attacker can cause limited impact to confidentiality of the application. | ||||
| CVE-2024-2633 | 2026-04-15 | 6.1 Medium | ||
| A Cross-Site Scripting Vulnerability has been found on Meta4 HR affecting version 819.001.022 and earlier. The endpoint '/sitetest/english/dumpenv.jsp' is vulnerable to XSS attack by 'lang' query, i.e. '/sitetest/english/dumpenv.jsp?snoop=yes&lang=%27%3Cimg%20src/onerror=alert(1)%3E¶ms'. | ||||
| CVE-2024-43155 | 2 Pickplugins, Wordpress | 2 Comboblocks, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins ComboBlocks allows Stored XSS.This issue affects ComboBlocks: from n/a through 2.2.86. | ||||
| CVE-2014-125121 | 1 Arraynetworks | 2 Vapv, Vxag | 2026-04-15 | N/A |
| Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise. | ||||
| CVE-2024-53442 | 2026-04-15 | 9.8 Critical | ||
| whapa v1.59 is vulnerable to Command Injection via a crafted filename to the HTML reports component. | ||||
| CVE-2025-11801 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-29816 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in htdat Woo Viet allows Stored XSS.This issue affects Woo Viet: from n/a through 1.5.2. | ||||
| CVE-2025-14499 | 1 Icewarp | 1 Icewarp | 2026-04-15 | N/A |
| IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a parameter passed to the gmaps webpage. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25441. | ||||
| CVE-2024-31937 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visitor Analytics TWIPLA (Visitor Analytics IO) allows Stored XSS.This issue affects TWIPLA (Visitor Analytics IO): from n/a through 1.2.0. | ||||
| CVE-2024-2924 | 2026-04-15 | 6.4 Medium | ||
| The Creative Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.5.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-51892 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Sell Media File with Stripe sell-media-file allows Stored XSS.This issue affects Sell Media File with Stripe: from n/a through <= 1.0.6. | ||||
| CVE-2025-24745 | 2 Radiustheme, Wordpress | 2 Classified Listing, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Classified Listing classified-listing allows Reflected XSS.This issue affects Classified Listing: from n/a through <= 4.0.1. | ||||
| CVE-2024-32590 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webfood Kattene allows Stored XSS.This issue affects Kattene: from n/a through 1.7. | ||||
| CVE-2025-12537 | 3 Elementor, Wordpress, Wpvibes | 3 Elementor, Wordpress, Elementor Addon Elements | 2026-04-15 | 6.4 Medium |
| The Addon Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.14.3. This is due to insufficient input sanitization and output escaping on multiple widget parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via multiple widget parameters in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-54287 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Best WP Developer Advanced Blog Post Block advanced-blog-post-block allows Stored XSS.This issue affects Advanced Blog Post Block: from n/a through <= 1.0.4. | ||||
| CVE-2024-30448 | 2026-04-15 | 5.9 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Supsystic Slider by Supsystic allows Stored XSS.This issue affects Slider by Supsystic: from n/a through 1.8.10. | ||||
| CVE-2024-32594 | 1 100plugins | 1 Open User Map | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AttesaWP Attesa Extra allows Stored XSS.This issue affects Attesa Extra: from n/a through 1.3.9. | ||||
| CVE-2025-27337 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur Fontsampler fontsampler allows Reflected XSS.This issue affects Fontsampler: from n/a through <= 0.4.14. | ||||
| CVE-2024-8786 | 2026-04-15 | 6.1 Medium | ||
| The Auto Featured Image from Title plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||