Vulnerabilities > Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2025-05-16 | CVE-2025-39509 | Cross-site Scripting vulnerability in Themencode TNC Flipbook: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode TNC FlipBook allows Stored XSS. | 5.4 |
2025-05-16 | CVE-2025-48132 | Cross-site Scripting vulnerability in Pencilwp X Addons for Elementor: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows Stored XSS. | 5.4 |
2025-05-16 | CVE-2025-48135 | Cross-site Scripting vulnerability in Aptivada for WP: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aptivadadev Aptivada for WP allows DOM-Based XSS. | 5.4 |
2025-05-16 | CVE-2025-4169 | The Posts per Cat [Unmaintained] plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ppc' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2025-05-15 | CVE-2024-13382 | Cross-site Scripting vulnerability in Codepeople Calculated Fields Form: The Calculated Fields Form WordPress plugin before 5.2.64 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2025-05-15 | CVE-2024-6718 | Cross-site Scripting vulnerability in Freebiesdownload PVN Auth Popup: The PVN Auth Popup WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2025-05-15 | CVE-2024-8095 | Cross-site Scripting vulnerability in Ryanchristenson Babeiz: The BabelZ WordPress plugin through 1.1.5 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. | 6.1 |
2025-05-15 | CVE-2024-8187 | Cross-site Scripting vulnerability in Shapedplugin Smart Post Show: The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2025-05-15 | CVE-2025-3440 | IBM Security Guardium 11.5 is vulnerable to stored cross-site scripting. | 5.5 |
2025-05-15 | CVE-2025-4589 | The Bon Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bt-map' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |