CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,012 vulnerabilities with CWE-79
CVE-2025-12066 MEDIUM
WP Delete Post Copies <= 6.0.2 - Authenticated Stored Cross-Site Scripting via Admin Settings
CVSS 4.4
CVE-2025-13141 MEDIUM
HT Mega - Absolute Addons For Elementor <3.0.0 - XSS
CVSS 6.4
CVE-2025-11826 MEDIUM
WP Company Info <= 1.9.0 - Authenticated Stored Cross-Site Scripting via Social Networks Shortcode Class Attribute
CVSS 6.4
CVE-2025-11808 MEDIUM
Google Street View plugin <0.5.7 - XSS
CVSS 6.4
CVE-2025-11803 MEDIUM
WPSite Shortcode <= 1.2 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2025-13159 HIGH
Flo Forms - Easy Drag & Drop Form Builder <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
CVSS 7.1
CVE-2025-13135 MEDIUM
HotelRunner Booking Widget <5.2.4 - XSS
CVSS 6.4
CVE-2025-12746 MEDIUM
Tainacan plugin - WordPress <1.0.0 - XSS
CVSS 6.1
CVE-2025-12661 MEDIUM
Pollcaster Shortcode Plugin - WordPress <1.0 - XSS
CVSS 6.4
CVE-2025-12660 MEDIUM
Padlet Shortcode <= 1.3 - Authenticated Stored Cross-Site Scripting via 'key' Parameter
CVSS 6.4
CVE-2025-12135 HIGH
WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting via CSS Code Parameter
CVSS 7.2
CVE-2025-11885 MEDIUM
EchBay Admin Security <= 1.3.0 - Unauthenticated Reflected Cross-Site Scripting via _ebnonce Parameter
CVSS 6.1
CVE-2025-11802 MEDIUM
Bulma Shortcodes <= 1.0 - Authenticated Stored Cross-Site Scripting via 'type' Shortcode Attribute
CVSS 6.4
CVE-2025-11801 MEDIUM
AudioTube <= 0.0.3 - Authenticated Stored Cross-Site Scripting via Caption Shortcode Attribute
CVSS 6.4
CVE-2025-11800 MEDIUM
Surbma | MiniCRM Shortcode <2.0 - XSS
CVSS 6.4
CVE-2025-11799 MEDIUM
Affiliate AI Lite <= 1.0.1 - Authenticated Stored Cross-Site Scripting via 'asin' Shortcode Attribute
CVSS 6.4
CVE-2025-11770 MEDIUM
BrightTALK WordPress Shortcode <2.4.0 - XSS
CVSS 6.4
CVE-2025-11768 MEDIUM
Islamic Phrases WordPress <2.12.2015 - XSS
CVSS 6.4
CVE-2025-11767 MEDIUM
Tips Shortcode <= 0.2.1 - Authenticated Stored Cross-Site Scripting via 'tip' Shortcode
CVSS 6.4
CVE-2025-11765 MEDIUM
Stock Tools <= 1.1 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2025-11764 MEDIUM
Shortcodes Bootstrap < 1.1 - Authenticated Stored Cross-Site Scripting via Notification Shortcode Type Parameter
CVSS 6.4
CVE-2025-11763 MEDIUM
Display Pages Shortcode < 1.1 - Authenticated Stored Cross-Site Scripting via Column Count Parameter
CVSS 6.4
CVE-2025-61949 MEDIUM
LogStare Collector < 2.4.2 - Stored Cross-Site Scripting in UserManagement
CVSS 5.4
CVE-2025-62459 HIGH
Microsoft 365 Defender Portal - Spoofing
CVSS 8.3
CVE-2025-13484 LOW
Campcodes Beauty Parlor Management System 1.0 - XSS via Name Parameter in /admin/customer-list.php
CVSS 2.4