| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victim’s session. The issue is exploitable because the title is escaped into data-title by the server, decoded again by the browser, read with jQuery .data('title'), and then concatenated into a new HTML string without attribute escaping. To exploit, an attacker must have an existing control panel account (Author role minimum), the victim must perform a drag operation (not just visit the page), and the victim’s session needs to be elevated at trigger time. This issue has been fixed in version 5.9.23. |
| Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0. |
| The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.4.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in HandL UTM Grabber <= 2.9.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WPAdverts <= 2.3.1 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WP Photo Album Plus <= 9.2.02.004 versions. |
| Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions. |
| Subscriber Cross Site Scripting (XSS) in ShortPixel Adaptive Images <= 3.11.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in TheFox <= 3.9.76 versions. |
| Unauthenticated Cross Site Scripting (XSS) in NativeChurch <= 4.8.8.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions. |
| Unauthenticated Cross Site Scripting (XSS) in LMS <= 9.7 versions. |
| The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Unauthenticated Cross Site Scripting (XSS) in Automotive Car Dealership Business <= 13.3.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions. |
| Subscriber Cross Site Scripting (XSS) in JetReviews <= 3.0.0.1 versions. |
| Unauthenticated Cross Site Scripting (XSS) in wpDataTables <= 6.5.1.1 versions. |