Export limit exceeded: 45765 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45765 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11765 | 2026-04-15 | 6.4 Medium | ||
| The WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_portfolio' shortcode in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11766 | 2026-04-15 | 6.4 Medium | ||
| The WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_book_showcase' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11781 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Smart Agenda – Prise de rendez-vous en ligne plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartagenda' shortcode in all versions up to, and including, 4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11804 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Planaday API plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 11.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-11891 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Perfect Font Awesome Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pfai' shortcode in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-12260 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Ultimate Endpoints With Rest Api plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-12271 | 2026-04-15 | 4.4 Medium | ||
| The 360 Javascript Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ref’ parameter in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-12338 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Website Toolbox Community plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘websitetoolbox_username’ parameter in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-12623 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The DICOM Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dcm' shortcode in all versions up to, and including, 0.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-50452 | 2 Posimyth, Wordpress | 2 Nexter Blocks, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Stored XSS.This issue affects Nexter Blocks: from n/a through <= 3.3.3. | ||||
| CVE-2025-22872 | 2026-04-15 | 6.5 Medium | ||
| The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). | ||||
| CVE-2024-6767 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.5 Medium |
| The WordSurvey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘sounding_title’ parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-2039 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post(v2) block title tag in all versions up to, and including, 3.12.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-40649 | 1 Bbmri-eric | 1 Negotiator | 2026-04-15 | N/A |
| Stored Cross-Site Scripting (XSS) in Biobanking and Biomolecular Resources Negotiator v3.15.2 - European Research Infrastructure (BBMRI-ERIC), consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request using parameter text in '/api/v3/negotiations/<postUID>/posts'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | ||||
| CVE-2024-36556 | 2026-04-15 | 9.1 Critical | ||
| Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability. | ||||
| CVE-2025-7342 | 1 Kubernetes | 1 Image Builder | 2026-04-15 | 7.5 High |
| A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project and the vulnerability was exploited during the build process, which requires an attacker to access the build VM and modify the image while the build is in progress. | ||||
| CVE-2025-60507 | 1 Moodle | 1 Moodle | 2026-04-15 | 8.9 High |
| Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser. | ||||
| CVE-2024-36480 | 1 Ricoh | 1 Streamline Nx Pc Client | 2026-04-15 | 9.8 Critical |
| Use of hard-coded credentials issue exists in Ricoh Streamline NX PC Client ver.3.7.2 and earlier. If this vulnerability is exploited, an attacker may obtain LocalSystem Account of the PC where the product is installed. As a result, unintended operations may be performed on the PC. | ||||
| CVE-2024-5479 | 2 Jevnet, Wordpress | 2 Easy Pixels, Wordpress | 2026-04-15 | 7.2 High |
| The Easy Pixels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7435 | 1 Livehelperchat | 1 Livehelperchat | 2026-04-15 | 3.5 Low |
| A vulnerability was found in LiveHelperChat lhc-php-resque Extension up to ee1270b35625f552425e32a6a3061cd54b5085c4. It has been classified as problematic. This affects an unknown part of the file /site_admin/lhcphpresque/list/ of the component List Handler. The manipulation of the argument queue name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is 542aa8449b5aa889b3a54f419e794afe19f56d5d/0ce7b4f1193c0ed6c6e31a960fafededf979eef2. It is recommended to apply a patch to fix this issue. | ||||