CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

44,867 vulnerabilities with CWE-79
CVE-2026-2936 HIGH
Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting
CVSS 7.2
CVE-2026-0626 MEDIUM
WPFunnels <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode
CVSS 6.4
CVE-2026-5425 HIGH
Widgets for Social Photo Feed <= 1.7.9 - Unauthenticated Stored Cross-Site Scripting via feed_data
CVSS 7.2
CVE-2026-2437 MEDIUM
WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode
CVSS 6.4
CVE-2026-2600 MEDIUM
ElementsKit Elementor Addons and Templates <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Simple Tab Widget
CVSS 6.4
CVE-2026-0738 MEDIUM
Shortcodes Ultimate <= 7.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode
CVSS 6.4
CVE-2026-0737 MEDIUM
Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode
CVSS 6.4
CVE-2026-0664 MEDIUM
Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass
CVSS 6.4
CVE-2026-0552 MEDIUM
Simple Shopping Cart <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsc_display_product' Shortcode
CVSS 6.4
CVE-2026-2949 MEDIUM
Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Box Widget
CVSS 6.4
CVE-2026-2924 MEDIUM
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad'
CVSS 6.4
CVE-2026-34229 MEDIUM
Emlog: Stored XSS in Comment Module via URI Scheme Validation Bypass
CVSS 6.1
CVE-2026-35218 HIGH
Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette
CVSS 8.7
CVE-2026-5468 LOW
Casdoor dangerouslySetInnerHTML cross site scripting
CVSS 3.5
CVE-2026-27655 HIGH
ManageEngine Exchange Reporter Plus < 5802 - Stored Cross-Site Scripting in Permissions Based on Mailboxes Report
CVSS 7.3
CVE-2026-4108 HIGH
ManageEngine Exchange Reporter Plus < 5802 - Stored Cross-Site Scripting in Non-Owner Mailbox Permission Report
CVSS 7.3
CVE-2026-4107 HIGH
ManageEngine Exchange Reporter Plus < 5802 - Stored Cross-Site Scripting in Folder Message Count and Size Report
CVSS 7.3
CVE-2026-3880 HIGH
ManageEngine Exchange Reporter Plus < 5802 - Stored Cross-Site Scripting in Public Folder Client Permissions Report
CVSS 7.3
CVE-2026-3879 HIGH
ManageEngine Exchange Reporter Plus < 5802 - Stored Cross-Site Scripting in Equipment Mailbox Details Report
CVSS 7.3
CVE-2026-28703 HIGH
ManageEngine Exchange Reporter Plus < 5802 - Stored Cross-Site Scripting in Mails Exchanged Between Users Report
CVSS 7.3
CVE-2026-28756 HIGH
ManageEngine Exchange Reporter Plus < 5802 - Stored Cross-Site Scripting in Permissions Report
CVSS 7.3
CVE-2026-28754 HIGH
ManageEngine Exchange Reporter Plus < 5802 - Stored Cross-Site Scripting in Distribution Lists Report
CVSS 7.3
CVE-2026-35539 MEDIUM
Roundcube Webmail <1.5.14, 1.6.0-1.6.14, 1.7-beta-1.7-rc5 - Stored Cross-Site Scripting via HTML Attachment Preview
CVSS 6.1
CVE-2026-35508 MEDIUM
Shynet < 0.14.0 - Cross-Site Scripting via urldisplay and iconify Template Filters
CVSS 5.4
CVE-2026-35466 MEDIUM
Stored XSS via unsanitized input from remote service
CVSS 6.1