Vulnerabilities (CVE)

Filtered by CWE-79
Total 18948 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-1915 2022-06-21 N/A N/A
The WP Zillow Review Slider WordPress plugin before 2.4 does not escape a settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite)
CVE-2022-23074 2022-06-21 N/A 5.4 MEDIUM
In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.
CVE-2021-25104 2022-06-21 N/A N/A
The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used when the OceanWP is active, leading to a Reflected Cross-Site Scripting issue
CVE-2022-1889 2022-06-21 N/A N/A
The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed
CVE-2022-1896 2022-06-21 N/A N/A
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.
CVE-2022-2130 2022-06-21 N/A N/A
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17.
CVE-2021-25088 2022-06-21 N/A N/A
The XML Sitemaps WordPress plugin before 4.1.3 does not sanitise and escape a settings before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2022-0388 1 Humananatomyillustrations 1 Interactive Medical Drawing Of Human Body 2022-06-20 3.5 LOW 4.8 MEDIUM
The Interactive Medical Drawing of Human Body WordPress plugin before 2.6 does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-0626 1 Kuroit 1 Advanced Admin Search 2022-06-20 4.3 MEDIUM 6.1 MEDIUM
The Advanced Admin Search WordPress plugin before 1.1.6 does not sanitize and escape some parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-31400 1 Helpdeskz 1 Helpdeskz 2022-06-18 3.5 LOW 4.8 MEDIUM
A cross-site scripting (XSS) vulnerability in /staff/setup/email-addresses of Helpdeskz v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email name field.
CVE-2022-1549 1 Wp Athletics Project 1 Wp Athletics 2022-06-18 3.5 LOW 5.4 MEDIUM
The WP Athletics WordPress plugin through 1.1.7 does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability.
CVE-2022-1604 1 Mailerlite 1 Mailerlite Signup Forms 2022-06-17 4.3 MEDIUM 6.1 MEDIUM
The MailerLite WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
CVE-2022-1710 1 Dwbooster 1 Appointment Hour Booking 2022-06-17 3.5 LOW 4.8 MEDIUM
The Appointment Hour Booking WordPress plugin before 1.3.56 does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
CVE-2022-1707 1 Gtm4wp 1 Google Tag Manager 2022-06-17 4.3 MEDIUM 6.1 MEDIUM
The Google Tag Manager for WordPress plugin for WordPress is vulnerable to reflected Cross-Site Scripting via the s parameter due to the site search populating into the data layer of sites with insufficient sanitization in versions up to an including 1.15. The affected file is ~/public/frontend.php and this could be exploited by unauthenticated attackers.
CVE-2022-1724 1 Simple-membership-plugin 1 Simple Membership 2022-06-17 4.3 MEDIUM 6.1 MEDIUM
The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting
CVE-2022-1532 1 Themify 1 Woocommerce Product Filter 2022-06-17 4.3 MEDIUM 6.1 MEDIUM
Themify WordPress plugin before 1.3.8 does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
CVE-2022-1208 1 Ultimatemember 1 Ultimate Member 2022-06-17 3.5 LOW 5.4 MEDIUM
The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding that is reflected back on the page. This affects versions up to, and including, 2.3.2. Please note this issue was partially fixed in version 2.3.2 then subsequently fully patched in version 2.3.3.
CVE-2022-1336 1 Ceikay 1 Carousel Ck 2022-06-17 3.5 LOW 4.8 MEDIUM
The Carousel CK WordPress plugin through 1.1.0 does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed
CVE-2022-1335 1 Ceikay 1 Slideshow Ck 2022-06-17 3.5 LOW 4.8 MEDIUM
The Slideshow CK WordPress plugin before 1.4.10 does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed
CVE-2021-40902 1 Flatcore 1 Flatcore-cms 2022-06-17 3.5 LOW 5.4 MEDIUM
flatCore-CMS version 2.0.8 is affected by Cross Site Scripting (XSS) in the "Create New Page" option through the index page.