| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated Cross Site Scripting (XSS) in MC Woocommerce Wishlist <= 1.9.19 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Real Estate 7 <= 3.5.9 versions. |
| The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session. No control panel account or elevated privileges are required on the attacker’s side. This issue has been fixed in versions 4.17.16 and 5.9.23. |
| Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In versions prior to 6.2.2, the "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed. This issue was fixed in version 6.2.2/ |
| Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victim’s session. The issue is exploitable because the title is escaped into data-title by the server, decoded again by the browser, read with jQuery .data('title'), and then concatenated into a new HTML string without attribute escaping. To exploit, an attacker must have an existing control panel account (Author role minimum), the victim must perform a drag operation (not just visit the page), and the victim’s session needs to be elevated at trigger time. This issue has been fixed in version 5.9.23. |
| Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0. |
| Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.4.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in HandL UTM Grabber <= 2.9.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WPAdverts <= 2.3.1 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WP Photo Album Plus <= 9.2.02.004 versions. |
| Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions. |
| Subscriber Cross Site Scripting (XSS) in ShortPixel Adaptive Images <= 3.11.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Automotive Car Dealership Business <= 13.3.3 versions. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShortPixel Enable Media Replace allows Stored XSS.
This issue affects Enable Media Replace: from n/a through 4.2.1. |
| Unauthenticated Cross Site Scripting (XSS) in eCommerce Product Catalog <= 3.5.4 versions. |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Stored XSS.
This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117. |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. Web Application Firewall allows DOM-Based XSS.
This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS.
This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16. |
| Unauthenticated Cross Site Scripting (XSS) in ReviewX <= 2.3.10 versions. |