Total
43695 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47628 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Stored XSS.This issue affects LA-Studio Element Kit for Elementor: from n/a through <= 1.3.9.3. | ||||
| CVE-2024-47629 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Stored XSS.This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.0.5. | ||||
| CVE-2024-2633 | 2026-04-15 | 6.1 Medium | ||
| A Cross-Site Scripting Vulnerability has been found on Meta4 HR affecting version 819.001.022 and earlier. The endpoint '/sitetest/english/dumpenv.jsp' is vulnerable to XSS attack by 'lang' query, i.e. '/sitetest/english/dumpenv.jsp?snoop=yes&lang=%27%3Cimg%20src/onerror=alert(1)%3E¶ms'. | ||||
| CVE-2024-26367 | 2026-04-15 | 6.1 Medium | ||
| Cross Site Scripting vulnerability in Evertz microsystems MViP-II Firmware 8.6.5, XPS-EDGE-* Build 1467, evEDGE-EO-* Build 0029, MMA10G-* Build 0498, 570IPG-X19-10G Build 0691 allows a remote attacker to execute arbitrary code via a crafted payload to the login parameters. | ||||
| CVE-2024-26521 | 1 Oscommerce | 1 Ce Phoenix | 2026-04-15 | 4.8 Medium |
| HTML Injection vulnerability in CE Phoenix v1.0.8.20 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted payload to the english.php component. | ||||
| CVE-2025-32214 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hive Support Hive Support hive-support allows Stored XSS.This issue affects Hive Support: from n/a through <= 1.2.11. | ||||
| CVE-2025-14137 | 2 Alexdtn, Wordpress | 2 Simple Al Slider, Wordpress | 2026-04-15 | 6.1 Medium |
| The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-53496 | 2026-04-15 | 5.4 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MediaSearch Extension allows Stored XSS.This issue affects Mediawiki - MediaSearch Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-6259 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The esri-map-view plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's esri-map-view shortcode in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-4698 | 2 Uapp, Wordpress | 2 Testimonial Carousel For Elementor, Wordpress | 2026-04-15 | 6.4 Medium |
| The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'show_line_text ' and 'slide_button_hover_animation' parameters in versions up to, and including, 10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-35713 is likely a duplicate of this issue. | ||||
| CVE-2024-12815 | 2 Wordpress, Zipang | 2 Wordpress, Point Maker | 2026-04-15 | 6.4 Medium |
| The Point Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'point_maker' shortcode in all versions up to, and including, 0.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-12816 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The NOTICE BOARD BY TOWKIR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'notice-board' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-10208 | 2026-04-15 | N/A | ||
| An Improper Neutralization of Input During Web Page Generation vulnerability in the APROL Web Portal used in B&R APROL <4.4-00P5 may allow an authenticated network-based attacker to insert malicious code which is then executed in the context of the user’s browser session. | ||||
| CVE-2024-47920 | 2026-04-15 | 7.5 High | ||
| Tiki Wiki CMS – CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ||||
| CVE-2025-24885 | 2026-04-15 | 7.6 High | ||
| pwn.college is an education platform to learn about, and practice, core cybersecurity concepts in a hands-on fashion. Missing access control on rendering custom (unprivileged) dojo pages causes ability for users to create stored XSS. | ||||
| CVE-2024-12817 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Etsy Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'product_link' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7486 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.4 Medium |
| The Ebook Store plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Order Details in all versions up to, and including, 5.8012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-6626 | 2 Shortpixel, Wordpress | 2 Shortpixel Adaptive Images, Wordpress | 2026-04-15 | 4.4 Medium |
| The ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the API URL Setting in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-0354 | 2026-04-15 | 4.8 Medium | ||
| Cross-site scripting vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver.1.2.4 and earlier allows a attacker to inject an arbitrary script via the network. | ||||
| CVE-2024-12818 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The WP Smart TV plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tv-video-player' shortcode in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||