Vulnerabilities > Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

DATE CVE VULNERABILITY TITLE RISK
2024-11-21 CVE-2024-11455 The Include Mastodon Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'include-mastodon-feed' shortcode in all versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping on user supplied attributes.
network
low complexity
CWE-79
6.4
2024-11-21 CVE-2024-11456 The Run Contests, Raffles, and Giveaways with ContestsWP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.3.
network
low complexity
CWE-79
6.1
2024-11-21 CVE-2024-9111 The Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
2024-11-21 CVE-2024-9371 The Branda – White Label & Branding, Custom Login Page Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.19.
network
low complexity
CWE-79
6.1
2024-11-21 CVE-2024-9442 Cross-site Scripting vulnerability in F4Dev F4 Improvements
The F4 Improvements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping.
network
low complexity
f4dev CWE-79
5.4
2024-11-21 CVE-2024-9768 Cross-site Scripting vulnerability in Strategy11 Formidable Forms
The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
network
low complexity
strategy11 CWE-79
4.8
2024-11-21 CVE-2024-9851 Cross-site Scripting vulnerability in Lightspeedwp LSX Tour Operator
The LSX Tour Operator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping.
network
low complexity
lightspeedwp CWE-79
5.4
2024-11-20 CVE-2024-11492 Cross-site Scripting vulnerability in 115Cms 4.2
A vulnerability classified as problematic has been found in 115cms up to 20240807.
network
low complexity
115cms CWE-79
6.1
2024-11-20 CVE-2024-11493 Cross-site Scripting vulnerability in 115Cms 4.2
A vulnerability classified as problematic was found in 115cms up to 20240807.
network
low complexity
115cms CWE-79
6.1
2024-11-20 CVE-2024-11488 Cross-site Scripting vulnerability in 115Cms 4.2
A vulnerability was found in 115cms up to 20240807 and classified as problematic.
network
low complexity
115cms CWE-79
6.1