| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. |
| The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue |
| The Drop Shadow Boxes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dropshadowbox' shortcode in versions up to, and including, 1.7.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin before 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. |
| Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2. |
| The Jquery news ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jquery-news-ticker' shortcode in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs
immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before.
This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
|
| The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.12.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. |
| Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to 7.14.1. |
| The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users. |
| The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| The Theme Blvd Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 does not escape the custom shipping phone field no the checkout form leading to XSS |
| Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0. |
| Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18. |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18. |
| Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0. |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18. |
| Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18. |
