| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Subscriber Cross Site Scripting (XSS) in JetReviews <= 3.0.0.1 versions. |
| Unauthenticated Cross Site Scripting (XSS) in wpDataTables <= 6.5.1.1 versions. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShortPixel Enable Media Replace allows Stored XSS. This issue affects Enable Media Replace: from n/a through 4.2.1. |
| Unauthenticated Cross Site Scripting (XSS) in eCommerce Product Catalog <= 3.5.4 versions. |
| Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS. This issue affects Slider Revolution: from 7.0.0 through 7.0.16. |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Stored XSS. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117. |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. Web Application Firewall allows DOM-Based XSS. This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16. |
| Unauthenticated Cross Site Scripting (XSS) in ReviewX <= 2.3.10 versions. |
| u5CMS through v12.8.8 is vulnerable to reflected XSS via the ‘thanks’ parameter in multiple form components. |
| Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source and post messages using non-specific target origins, while insufficient URL sanitization in rich-text content allows malicious URLs to persist and execute. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session. This issue has been fixed in versions @tinacms/app 2.5.6 and tinacms 3.9.3. |
| Unauthenticated Cross Site Scripting (XSS) in Google Maps CP <= 1.2.5 versions. |
| Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.4 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WPeMatico RSS Feed Fetcher <= 2.8.17 versions. |
| Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions. |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Give Worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |