| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit `7891c01e` which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation. |
| The Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'add_form_Emsfb' AJAX action in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping and missing authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Cross-site scripting vulnerability exists in MZK-DP300N firmware versions 1.05 and earlier. If an attacker logs in to the affected product and manipulates the device settings, an arbitrary script may be executed on the logged-in user's web browser when accessing a crafted URL. |
| The PDF Flipbook, 3D Flipbook—DearFlip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via outline settings in all versions up to 2.3.52 due to insufficient input sanitization and output escaping on user-supplied data. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Shipping via Planzer for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘processed-ids’ parameter in all versions up to, and including, 1.0.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| Auth. (ShopManager+) Stored Cross-Site Scripting (XSS) vulnerability in actpro Extra Product Options for WooCommerce plugin <= 3.0.3 versions. |
| Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Marco Milesi ANAC XML Bandi di Gara plugin <= 7.5 versions. |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in livescore.Bz BZScore – Live Score plugin <= 1.03 versions. |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Abu Bakar TWB Woocommerce Reviews plugin <= 1.7.5 versions. |
| IBM CICS TX Advanced 10.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 260769. |
| The Beaver Builder Addons by WPZOOM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Beaver Builder Addons by WPZOOM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Team Members widget in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Auth. (Shop Manager+) Stored Cross-Site Scripting (XSS) vulnerability in CedCommerce Recently viewed and most viewed products plugin <= 1.1.1 versions. |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DenK BV Actueel Financieel Nieuws – Denk Internet Solutions plugin <= 5.1.0 versions. |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability on 302 response page in spider-themes EazyDocs plugin <= 2.3.3 versions. |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFactory Products, Order & Customers Export for WooCommerce plugin <= 2.0.7 versions. |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Walter Pinem OneClick Chat to Order plugin <= 1.0.4.2 versions. |
| Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Fatcat Apps Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin <= 2.5.4 versions. |
| Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Atarim Visual Website Collaboration, Feedback & Project Management – Atarim plugin <= 3.12 versions. |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in wpdevart Countdown and CountUp, WooCommerce Sales Timer plugin <= 1.8.2 versions. |
