CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,155 vulnerabilities with CWE-79
CVE-2025-5508 LOW
TOTOLINK A3002RU 2.1.1-B20230720.1011 - XSS
CVSS 2.4
CVE-2025-5507 LOW
TOTOLINK A3002RU 2.1.1-B20230720.1011 - XSS
CVSS 2.4
CVE-2025-44148 CRITICAL
MailEnable < 10.00 - Cross-Site Scripting via failure.aspx
CVSS 9.8
CVE-2025-5506 LOW
TOTOLINK A3002RU 2.1.1-B20230720.1011 - XSS
CVSS 2.4
CVE-2025-5505 LOW
TOTOLINK A3002RU 2.1.1-B20230720.1011 - XSS
CVSS 2.4
CVE-2025-43924 MEDIUM
Unicom Focal Point 7.6.1 - Stored Cross-Site Scripting via SettingController and FriendsController Parameters
CVSS 6.1
CVE-2025-5340 MEDIUM
Music Player for Elementor <2.4.6 - XSS
CVSS 6.4
CVE-2025-4671 MEDIUM
User Profile Builder < 3.13.8 - Authenticated Stored Cross-Site Scripting via user_meta and compare Shortcodes
CVSS 6.4
CVE-2025-4205 MEDIUM
Popup Maker < 1.20.4 - Authenticated Stored Cross-Site Scripting via popupID Parameter
CVSS 6.4
CVE-2025-4392 HIGH
Shared Files <= 1.7.48 - Unauthenticated Stored XSS via HTML File Upload
CVSS 7.2
CVE-2025-5116 MEDIUM
WP Plugin Info Card <= 5.3.1 - Authenticated Stored Cross-Site Scripting via ContainerID Parameter
CVSS 6.4
CVE-2025-4420 MEDIUM
Vayu Blocks <= 1.3.1 - Authenticated Stored XSS via containerWidth
CVSS 6.4
CVE-2025-4567 MEDIUM
Post Slider and Post Carousel Widget < 3.2.10 - Stored XSS via Widget Options
CVSS 4.8
CVE-2025-3662 MEDIUM
FancyBox for WordPress < 3.3.6 - Unauthenticated Stored Cross-Site Scripting in Caption and Title Attributes
CVSS 6.1
CVE-2025-3584 MEDIUM
Newsletter < 8.8.2 - Authenticated Stored Cross-Site Scripting in Subscription Settings
CVSS 4.8
CVE-2025-4224 HIGH
wpForo + wpForo Advanced Attachments - XSS
CVSS 7.2
CVE-2025-3919 MEDIUM
WordPress Comments Import & Export 2.4.3 - Info Disclosure
CVSS 6.4
CVE-2025-45387 MEDIUM
osTicket < 1.17.6 - Broken Access Control in /scp/ajax.php
CVSS 5.4
CVE-2025-20297 MEDIUM
Splunk Enterprise < 9.4.2, < 9.3.4, < 9.2.6 and Splunk Cloud Platform < 9.3.2411.102 - XSS via pdfgen/render
CVSS 4.3
CVE-2025-44115 MEDIUM
Cotonti Siena 0.9.25 - Stored Cross-Site Scripting via Admin Config Title Parameter
CVSS 5.4
CVE-2025-48958 MEDIUM
froxlor < 2.2.6 - Unauthenticated HTML Injection in Customer Account Portal Email Section
CVSS 5.5
CVE-2025-48495 MEDIUM
Gokapi < 2.0.0 - Authenticated Stored Cross-Site Scripting via API Key Friendly Name
CVSS 5.4
CVE-2025-48494 MEDIUM
Gokapi < 2.0.0 - Stored Cross-Site Scripting via Filename
CVSS 5.4
CVE-2025-47289 MEDIUM
CE Phoenix Cart 1.0.9.9-1.1.0.2 - Stored Cross-Site Scripting in Testimonial Description Field
CVSS 6.3
CVE-2025-1485 MEDIUM
Real Cookie Banner WordPress Plugin < 5.1.6 - Authenticated Stored Cross-Site Scripting via Settings
CVSS 4.8
Details
Vulnerabilities 45,155
Exploit Likelihood High