CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,300 vulnerabilities with CWE-79
CVE-2024-13400 MEDIUM
Kona Gallery Block < 1.7 - Authenticated Stored Cross-Site Scripting via Align Attribute
CVSS 6.4
CVE-2024-13349 MEDIUM
Stockdio Historical Chart <2.8.18 - XSS
CVSS 6.4
CVE-2024-12451 MEDIUM
HTML5 Chat <= 1.07 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2024-12444 MEDIUM
WP Dispensary < 4.5.0 - Authenticated Stored Cross-Site Scripting via wpd_menu Shortcode
CVSS 6.4
CVE-2024-12320 MEDIUM
Team Rosters < 4.7 - Unauthenticated Reflected Cross-Site Scripting via Tab Parameter
CVSS 6.1
CVE-2024-12299 MEDIUM
System Dashboard < 2.8.17 - Unauthenticated Reflected Cross-Site Scripting via Filename Parameter
CVSS 6.1
CVE-2024-12177 MEDIUM
Ai Image Alt Text Generator for WP <= 1.0.6 - Unauthenticated Reflected Cross-Site Scripting via Page Parameter
CVSS 6.1
CVE-2024-10847 MEDIUM
Storely < 18 - Authenticated Stored Cross-Site Scripting via Display Name
CVSS 6.4
CVE-2024-13466 MEDIUM
Automatically Hierarchic Categories in Menu <= 2.0.7 - Stored XSS via autocategorymenu Shortcode
CVSS 6.4
CVE-2024-13380 MEDIUM
Alex Reservations: Smart Restaurant Booking <2.0.5 - XSS
CVSS 6.4
CVE-2024-13706 MEDIUM
WP Image Uploader <= 1.0.1 - Unauthenticated Reflected Cross-Site Scripting via File Parameter
CVSS 6.1
CVE-2024-12524 MEDIUM
Clinked Client Portal <= 1.9 - Authenticated Stored Cross-Site Scripting via clinked-login-button Shortcode
CVSS 6.4
CVE-2024-12409 MEDIUM
Simplepress < 6.10.12 - XSS
CVSS 6.1
CVE-2024-13732 MEDIUM
Responsive Blocks - Page Builder for Blocks & Patterns <= 1.9.9 - Authenticated Stored XSS via Section Tag Parameter
CVSS 6.4
CVE-2024-13470 MEDIUM
Ninja Forms < 3.8.25 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2024-13642 MEDIUM
Stratum - Elementor Widgets < 1.4.7 - Authenticated Stored Cross-Site Scripting via Image Hotspot Widget
CVSS 6.4
CVE-2024-12921 MEDIUM
EthereumICO <= 2.4.6 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2024-12708 HIGH
Bulk Me Now! < 2.0 - Stored Cross-Site Scripting via Shortcode Attributes
CVSS 7.1
CVE-2024-12638 HIGH
Bulk Me Now! < 2.0 - Reflected Cross-Site Scripting
CVSS 7.1
CVE-2024-12400 HIGH
Tour Master < 5.3.5 - Reflected Cross-Site Scripting via Unescaped Generated URLs
CVSS 7.1
CVE-2024-12163 MEDIUM
goodlayers-core < 2.1.3 - Authenticated Stored Cross-Site Scripting via SVG Upload
CVSS 6.5
CVE-2024-10309 MEDIUM
Tracking Code Manager < 2.4.0 - Authenticated Stored Cross-Site Scripting in Metabox Settings
CVSS 5.9
CVE-2024-51182 MEDIUM
Celk Saude 3.1.252.1 - HTML Injection via 'erro' Parameter
CVSS 6.1
CVE-2024-48761 HIGH
Celk Saude 3.1.252.1 - Reflected Cross-Site Scripting via 'erro' Parameter
CVSS 8.8
CVE-2024-13561 MEDIUM
Target Video Easy Publish <3.8.3 - XSS
CVSS 6.4
Details
Vulnerabilities 45,300
Exploit Likelihood High