CWE-79
High likelihoodImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
45,155 vulnerabilities with CWE-79
CVE-2025-5508
LOW
TOTOLINK A3002RU 2.1.1-B20230720.1011 - XSS
CVSS 2.4
CVE-2025-5507
LOW
TOTOLINK A3002RU 2.1.1-B20230720.1011 - XSS
CVSS 2.4
CVE-2025-44148
CRITICAL
MailEnable < 10.00 - Cross-Site Scripting via failure.aspx
CVSS 9.8
CVE-2025-5506
LOW
TOTOLINK A3002RU 2.1.1-B20230720.1011 - XSS
CVSS 2.4
CVE-2025-5505
LOW
TOTOLINK A3002RU 2.1.1-B20230720.1011 - XSS
CVSS 2.4
CVE-2025-43924
MEDIUM
Unicom Focal Point 7.6.1 - Stored Cross-Site Scripting via SettingController and FriendsController Parameters
CVSS 6.1
CVE-2025-5340
MEDIUM
Music Player for Elementor <2.4.6 - XSS
CVSS 6.4
CVE-2025-4671
MEDIUM
User Profile Builder < 3.13.8 - Authenticated Stored Cross-Site Scripting via user_meta and compare Shortcodes
CVSS 6.4
CVE-2025-4205
MEDIUM
Popup Maker < 1.20.4 - Authenticated Stored Cross-Site Scripting via popupID Parameter
CVSS 6.4
CVE-2025-4392
HIGH
Shared Files <= 1.7.48 - Unauthenticated Stored XSS via HTML File Upload
CVSS 7.2
CVE-2025-5116
MEDIUM
WP Plugin Info Card <= 5.3.1 - Authenticated Stored Cross-Site Scripting via ContainerID Parameter
CVSS 6.4
CVE-2025-4420
MEDIUM
Vayu Blocks <= 1.3.1 - Authenticated Stored XSS via containerWidth
CVSS 6.4
CVE-2025-4567
MEDIUM
Post Slider and Post Carousel Widget < 3.2.10 - Stored XSS via Widget Options
CVSS 4.8
CVE-2025-3662
MEDIUM
FancyBox for WordPress < 3.3.6 - Unauthenticated Stored Cross-Site Scripting in Caption and Title Attributes
CVSS 6.1
CVE-2025-3584
MEDIUM
Newsletter < 8.8.2 - Authenticated Stored Cross-Site Scripting in Subscription Settings
CVSS 4.8
CVE-2025-4224
HIGH
wpForo + wpForo Advanced Attachments - XSS
CVSS 7.2
CVE-2025-3919
MEDIUM
WordPress Comments Import & Export 2.4.3 - Info Disclosure
CVSS 6.4
CVE-2025-45387
MEDIUM
osTicket < 1.17.6 - Broken Access Control in /scp/ajax.php
CVSS 5.4
CVE-2025-20297
MEDIUM
Splunk Enterprise < 9.4.2, < 9.3.4, < 9.2.6 and Splunk Cloud Platform < 9.3.2411.102 - XSS via pdfgen/render
CVSS 4.3
CVE-2025-44115
MEDIUM
Cotonti Siena 0.9.25 - Stored Cross-Site Scripting via Admin Config Title Parameter
CVSS 5.4
CVE-2025-48958
MEDIUM
froxlor < 2.2.6 - Unauthenticated HTML Injection in Customer Account Portal Email Section
CVSS 5.5
CVE-2025-48495
MEDIUM
Gokapi < 2.0.0 - Authenticated Stored Cross-Site Scripting via API Key Friendly Name
CVSS 5.4
CVE-2025-48494
MEDIUM
Gokapi < 2.0.0 - Stored Cross-Site Scripting via Filename
CVSS 5.4
CVE-2025-47289
MEDIUM
CE Phoenix Cart 1.0.9.9-1.1.0.2 - Stored Cross-Site Scripting in Testimonial Description Field
CVSS 6.3
CVE-2025-1485
MEDIUM
Real Cookie Banner WordPress Plugin < 5.1.6 - Authenticated Stored Cross-Site Scripting via Settings
CVSS 4.8
Details
Vulnerabilities
45,155
Exploit Likelihood
High