CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,122 vulnerabilities with CWE-79
CVE-2025-8560 MEDIUM
FancyTabs <= 1.1.0 - Authenticated Stored Cross-Site Scripting via Title Parameter
CVSS 6.4
CVE-2025-8214 MEDIUM
The Pack Elementor addon plugin <2.1.5 - XSS
CVSS 6.4
CVE-2025-8116 MEDIUM
widzialni pad_cms < 1.2.1 - Reflected Cross-Site Scripting in Print and PDF Save Functionality
CVSS 6.1
CVE-2025-6941 MEDIUM
LatePoint - Calendar Booking Plugin <5.1.94 - XSS
CVSS 6.4
CVE-2025-6815 MEDIUM
LatePoint - Calendar Booking Plugin <5.1.94 - XSS
CVSS 5.5
CVE-2025-10196 MEDIUM
Survey Anyplace < 1.0.0 - Authenticated Stored Cross-Site Scripting via surveyanyplace_embed Shortcode
CVSS 6.4
CVE-2025-10191 MEDIUM
Big Post Shipping for WooCommerce <2.1.1 - XSS
CVSS 6.4
CVE-2025-10189 MEDIUM
BP Direct Menus <= 1.0.0 - Authenticated Stored Cross-Site Scripting via 'bpdm_login' Shortcode
CVSS 6.4
CVE-2025-10182 MEDIUM
dbview <= 0.5.5 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2025-10179 MEDIUM
My AskAI <= 1.0.0 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2025-10168 MEDIUM
Any News Ticker plugin - WordPress <3.1.1 - XSS
CVSS 6.4
CVE-2025-10131 MEDIUM
All Social Share Options <1.0 - XSS
CVSS 6.4
CVE-2025-10130 MEDIUM
Layers <= 0.5 - Authenticated Stored Cross-Site Scripting via Webcam Shortcode
CVSS 6.4
CVE-2025-59948 MEDIUM
FreshRSS < 1.27.0 - Authenticated Cross-Site Scripting via Feed Event Handler Attributes
CVSS 6.7
CVE-2025-43817 MEDIUM
Liferay DXP 2023.Q3.1-2023.Q3.8 & 7.4.3.74-7.4.3.111 - Reflected XSS via Redirect
CVSS 6.1
CVE-2025-43812 MEDIUM
Liferay Digital Experience Platform < 2023.q3.9 - XSS
CVSS 5.4
CVE-2025-57769 MEDIUM
FreshRSS < 1.27.0 - Cross-Site Scripting and Privilege Escalation via Iframe UI Obscuring
CVSS 6.1
CVE-2025-43820 MEDIUM
Liferay DXP 2023.Q3.1-2023.Q3.6 - XSS via Calendar Widget User Invitation
CVSS 5.4
CVE-2025-43818 MEDIUM
Liferay Digital Experience Platform 2023.Q3.1-2023.Q3.6 - Cross-Site Scripting in Calendar Widget Name Field
CVSS 6.1
CVE-2025-43815 MEDIUM
Liferay Portal 7.4.3.102-7.4.3.110 & DXP 2023.Q4.0-2023.Q4.2 - XSS via backURLTitle
CVSS 6.1
CVE-2025-43811 MEDIUM
Liferay DXP 2023.Q3.1-Q3.7 Authenticated Stored XSS via Asset Author Name
CVSS 5.4
CVE-2025-35034 MEDIUM
Medical Informatics Engineering Enterprise Health - Reflected Cross-Site Scripting via portlet_user_id Parameter
CVSS 4.3
CVE-2025-57877 MEDIUM
Esri Portal for ArcGIS <= 11.4 - Authenticated Reflected Cross-Site Scripting
CVSS 4.8
CVE-2025-57876 MEDIUM
Esri Portal for ArcGIS <= 11.4 - Authenticated Stored Cross-Site Scripting via File Upload
CVSS 4.8
CVE-2025-57875 MEDIUM
Esri Portal for ArcGIS 11.4 and below - Authenticated Reflected Cross-Site Scripting
CVSS 4.8