CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,133 vulnerabilities with CWE-79
CVE-2025-55996 MEDIUM
Viber < 25.6.0 - HTML Injection via Message Compose/Forward Text Parameter
CVSS 6.3
CVE-2025-8280 MEDIUM
Contact Form 7 reCAPTCHA < 1.2.0 - Reflected Cross-Site Scripting via REQUEST_URI Parameter
CVSS 5.8
CVE-2025-9879 MEDIUM
Spotify Embed Creator <= 1.0.5 - Authenticated Stored Cross-Site Scripting via Spotify Shortcode
CVSS 6.4
CVE-2025-9877 MEDIUM
Embed Google Datastudio plugin <1.0.0 - XSS
CVSS 6.4
CVE-2025-10274 MEDIUM
10oa 1.0 - Cross-Site Scripting via Name Parameter in /trial/mvc/item
CVSS 4.3
CVE-2025-10272 MEDIUM
10oa 1.0 - Cross-Site Scripting via Name Parameter in /trial/mvc/catalogue
CVSS 4.3
CVE-2025-10271 MEDIUM
10oa 1.0 - Cross-Site Scripting via Name Parameter
CVSS 4.3
CVE-2025-10255 LOW
OnlyOffice < 12.7.0 - Cross-Site Scripting in Comment Handler
CVSS 3.5
CVE-2025-10254 LOW
OnlyOffice < 12.7.0 - Cross-Site Scripting via SVG Image Handler in Messages.aspx
CVSS 3.5
CVE-2025-10253 LOW
openDCIM 23.04 - Cross-Site Scripting via SVG File Handler in uploadifive.php
CVSS 3.5
CVE-2025-40696 MEDIUM
Online Fire Reporting System 1.2 - Stored XSS via fullname, location, and message
CVSS 5.4
CVE-2025-40695 MEDIUM
Online Fire Reporting System v1.2 - Authenticated Stored Cross-Site Scripting via remark status takeaction Parameters
CVSS 5.4
CVE-2025-40694 MEDIUM
Online Fire Reporting System 1.2 - Authenticated Stored Cross-Site Scripting via fromdate and todate Parameters
CVSS 5.4
CVE-2025-40693 MEDIUM
Online Fire Reporting System 1.2 - Authenticated Stored Cross-Site Scripting via tname Parameter
CVSS 5.4
CVE-2025-9861 MEDIUM
ThemeLoom Widgets <= 1.8.5 - Authenticated Stored Cross-Site Scripting via los_showposts Shortcode
CVSS 6.4
CVE-2025-9860 MEDIUM
Mixtape < 1.1 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2025-9855 MEDIUM
Enhanced BibliPlug <= 1.3.8 - Authenticated Stored Cross-Site Scripting via bibliplug_authors Shortcode
CVSS 6.4
CVE-2025-9850 MEDIUM
Evenium <= 1.3.11 - Authenticated Stored Cross-Site Scripting via evenium_single_event Shortcode
CVSS 6.4
CVE-2025-9128 MEDIUM
eID Easy <= 4.9.3 - Authenticated Stored Cross-Site Scripting via ID Parameter
CVSS 6.4
CVE-2025-9123 MEDIUM
CBX Map for Google Map & OpenStreetMap <= 2.0.1 - Authenticated Stored XSS via Popup Parameters
CVSS 6.4
CVE-2025-8721 MEDIUM
Workable Api <= 1.0.4 - Authenticated Stored Cross-Site Scripting via workable_jobs Shortcode
CVSS 6.4
CVE-2025-8691 MEDIUM
WP Scriptcase <= 2.0.0 - Authenticated Stored Cross-Site Scripting via URL Parameter
CVSS 6.4
CVE-2025-8689 MEDIUM
Elements Plus! <= 2.16.4 - Authenticated Stored XSS via Widgets
CVSS 6.4
CVE-2025-8686 MEDIUM
WP Easy FAQs <= 1.0.5 - Authenticated Stored Cross-Site Scripting via WP_EASY_FAQ Shortcode
CVSS 6.4
CVE-2025-8445 MEDIUM
Countdown Timer for Elementor <= 1.3.9 - Authenticated Stored Cross-Site Scripting via countdown_label Parameter
CVSS 6.4