CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,028 vulnerabilities with CWE-79
CVE-2025-12711 MEDIUM
WordPress Share to Google Classroom <1.0 - XSS
CVSS 6.4
CVE-2025-12672 MEDIUM
Flickr Show <= 1.5 - Authenticated Stored Cross-Site Scripting via div_height Parameter
CVSS 6.4
CVE-2025-12671 MEDIUM
WP-Iconics <= 0.0.4 - Authenticated Stored Cross-Site Scripting via Shortcode Parameters
CVSS 6.4
CVE-2025-12668 MEDIUM
WP Count Down Timer <= 1.0.1 - Authenticated Stored Cross-Site Scripting via Shortcode Parameters
CVSS 6.4
CVE-2025-12667 MEDIUM
GitHub Gist Shortcode Plugin <0.3 - XSS
CVSS 6.4
CVE-2025-12663 MEDIUM
Jeba Cute forkit <= 1.0 - Authenticated Stored Cross-Site Scripting via 'text' Parameter
CVSS 6.4
CVE-2025-12662 MEDIUM
Coon Google Maps < 1.0 - Authenticated Stored Cross-Site Scripting via Map Shortcode Height Parameter
CVSS 6.4
CVE-2025-12658 MEDIUM
WordPress Preload Current Images <1.3 - XSS
CVSS 6.4
CVE-2025-12652 MEDIUM
Ungapped Widgets <= 1 - Authenticated Stored Cross-Site Scripting via Prefillvalues Parameter
CVSS 6.4
CVE-2025-12651 MEDIUM
Live Photos on WordPress <= 0.1 - Authenticated Stored Cross-Site Scripting via Shortcode Parameters
CVSS 6.4
CVE-2025-12644 MEDIUM
Nonaki WordPress Plugin <=1.0.11 - Authenticated Stored XSS via 'nonaki' Shortcode
CVSS 6.4
CVE-2025-12632 MEDIUM
RandomQuotr <= 1.0.4 - Authenticated Stored Cross-Site Scripting via Admin Settings
CVSS 5.5
CVE-2025-12631 MEDIUM
Squirrels Auto Inventory <1.0.3 - XSS
CVSS 4.4
CVE-2025-12538 MEDIUM
Fleet Manager <= 2.5.1 - Authenticated Stored Cross-Site Scripting via Admin Settings
CVSS 4.4
CVE-2025-12021 MEDIUM
WP-OAuth <= 0.4.1 - Unauthenticated Reflected Cross-Site Scripting via Error Description Parameter
CVSS 6.1
CVE-2025-12020 MEDIUM
Double the Donation WordPress <2.0.0 - XSS
CVSS 4.9
CVE-2025-12019 MEDIUM
Featured Image <= 2.1 - Authenticated Stored Cross-Site Scripting via Image Metadata
CVSS 4.4
CVE-2025-11882 MEDIUM
Simple Donate <= 1.0 - Authenticated Stored Cross-Site Scripting via simpledonate Shortcode
CVSS 6.4
CVE-2025-11873 MEDIUM
WP BBCode <= 1.8.1 - Authenticated Stored Cross-Site Scripting via URL Shortcode
CVSS 6.4
CVE-2025-11869 MEDIUM
Precise Columns <= 1.0 - Authenticated Stored Cross-Site Scripting via wrap_id Shortcode Attribute
CVSS 6.4
CVE-2025-11863 MEDIUM
My Geo Posts Free <= 1.2 - Authenticated Stored Cross-Site Scripting via 'mygeo_city' Shortcode
CVSS 6.4
CVE-2025-11860 MEDIUM
Twitter Feed < 1.3.1 - Authenticated Stored Cross-Site Scripting via 'ottwitter_feed' Shortcode Parameters
CVSS 6.4
CVE-2025-11859 MEDIUM
Paypal Donation Shortcode <0.1 - XSS
CVSS 6.4
CVE-2025-11856 MEDIUM
Eventbee Ticketing Widget <1.0 - XSS
CVSS 6.4
CVE-2025-11829 MEDIUM
Five9 Live Chat <= 1.1.2 - Authenticated Stored Cross-Site Scripting via Shortcode Toolbar Attribute
CVSS 6.4