CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,700)

page 594 of 1,135

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2023-2767	Iptanus Wordpress File Upload	Med	0.29	4.4	0.00	Jun 9, 2023	The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.19.1 due to insufficient input sanitization and output escaping. This makes it possible for…
CVE-2023-2584	Pixelyoursite Pixelyoursite	Med	0.29	4.4	0.00	Jun 9, 2023	The PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.3.6 (9.6.1 in the Pro version) due to insufficient input sanitization and output escaping. This makes it possible for authenticated…
CVE-2023-2452	Advanced Woo Search Advanced Woo Search	Med	0.29	4.4	0.00	Jun 9, 2023	The Advanced Woo Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.77 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2023-2836	Crmperks CRM Perks Forms	Med	0.29	4.4	0.00	May 31, 2023	The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2023-2436	Blog In Blog Project Blog In Blog	Med	0.29	4.4	0.00	May 31, 2023	The Blog-in-Blog plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blog_in_blog' shortcode in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for…
CVE-2023-1913	Webfactoryltd Maps Widget For Google Maps	Med	0.29	4.4	0.00	Apr 6, 2023	The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2023-1840	Followmedarling Spotify Play Button For Wordpress	Med	0.29	4.4	0.00	Apr 4, 2023	The Sp*tify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.07 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2023-1374	Solidres Solidres	Med	0.29	4.4	0.00	Mar 13, 2023	The Solidres plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'currency_name' parameter in versions up to, and including, 0.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with…
CVE-2023-0585	Aioseo All In One Seo	Med	0.29	4.4	0.04	Feb 24, 2023	The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with…
CVE-2022-3144	Wordfence Security Project Wordfence Security	Med	0.29	4.4	0.00	Sep 23, 2022	The Wordfence Security – Firewall & Malware Scan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 7.6.0 via a setting on the options page due to insufficient escaping on the stored value. This makes it possible for authenticated…
CVE-2017-17094	Debian Debian Linux	Med	0.29	5.4	0.08	Dec 2, 2017	wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
CVE-2017-17093	Debian Debian Linux	Med	0.29	5.4	0.08	Dec 2, 2017	wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
CVE-2017-6817	Debian Debian Linux	Med	0.29	5.4	0.06	Mar 12, 2017	In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
CVE-2026-39964	Baptistearno Typebot.io	Med	0.28	5.4	0.00	May 22, 2026	TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the…
CVE-2026-8139	Concrete5 Concrete	Med	0.28	5.4	0.00	May 21, 2026	Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/V…
CVE-2026-22678	Webmin Webmin	Med	0.28	5.4	0.00	May 21, 2026	Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by…
CVE-2026-8203	Concrete5 Concrete	Med	0.28	5.4	0.00	May 21, 2026	Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session…
CVE-2026-48230	Openises Tickets	Med	0.28	5.4	0.00	May 21, 2026	Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (mdbhost, mdbdb, mdbuser,…
CVE-2026-48229	Openises Tickets	Med	0.28	5.4	0.00	May 21, 2026	Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input…
CVE-2026-48228	Openises Tickets	Med	0.28	5.4	0.00	May 21, 2026	Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form…

CVE-2023-2767MedJun 9, 2023
Iptanus
Wordpress File Upload
risk 0.29cvss 4.4epss 0.00
The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.19.1 due to insufficient input sanitization and output escaping. This makes it possible for…
CVE-2023-2584MedJun 9, 2023
Pixelyoursite
Pixelyoursite
risk 0.29cvss 4.4epss 0.00
The PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.3.6 (9.6.1 in the Pro version) due to insufficient input sanitization and output escaping. This makes it possible for authenticated…
CVE-2023-2452MedJun 9, 2023
Advanced Woo Search
Advanced Woo Search
risk 0.29cvss 4.4epss 0.00
The Advanced Woo Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.77 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2023-2836MedMay 31, 2023
Crmperks
CRM Perks Forms
risk 0.29cvss 4.4epss 0.00
The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2023-2436MedMay 31, 2023
Blog In Blog Project
Blog In Blog
risk 0.29cvss 4.4epss 0.00
The Blog-in-Blog plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blog_in_blog' shortcode in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for…
CVE-2023-1913MedApr 6, 2023
Webfactoryltd
Maps Widget For Google Maps
risk 0.29cvss 4.4epss 0.00
The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2023-1840MedApr 4, 2023
Followmedarling
Spotify Play Button For Wordpress
risk 0.29cvss 4.4epss 0.00
The Sp*tify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.07 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2023-1374MedMar 13, 2023
Solidres
Solidres
risk 0.29cvss 4.4epss 0.00
The Solidres plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'currency_name' parameter in versions up to, and including, 0.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with…
CVE-2023-0585MedFeb 24, 2023
Aioseo
All In One Seo
risk 0.29cvss 4.4epss 0.04
The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with…
CVE-2022-3144MedSep 23, 2022
Wordfence Security Project
Wordfence Security
risk 0.29cvss 4.4epss 0.00
The Wordfence Security – Firewall & Malware Scan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 7.6.0 via a setting on the options page due to insufficient escaping on the stored value. This makes it possible for authenticated…
CVE-2017-17094MedDec 2, 2017
Debian
Debian Linux
risk 0.29cvss 5.4epss 0.08
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
CVE-2017-17093MedDec 2, 2017
Debian
Debian Linux
risk 0.29cvss 5.4epss 0.08
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
CVE-2017-6817MedMar 12, 2017
Debian
Debian Linux
risk 0.29cvss 5.4epss 0.06
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
CVE-2026-39964MedMay 22, 2026
Baptistearno
Typebot.io
risk 0.28cvss 5.4epss 0.00
TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the…
CVE-2026-8139MedMay 21, 2026
Concrete5
Concrete
risk 0.28cvss 5.4epss 0.00
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/V…
CVE-2026-22678MedMay 21, 2026
Webmin
Webmin
risk 0.28cvss 5.4epss 0.00
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by…
CVE-2026-8203MedMay 21, 2026
Concrete5
Concrete
risk 0.28cvss 5.4epss 0.00
Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session…
CVE-2026-48230MedMay 21, 2026
Openises
Tickets
risk 0.28cvss 5.4epss 0.00
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (mdbhost, mdbdb, mdbuser,…
CVE-2026-48229MedMay 21, 2026
Openises
Tickets
risk 0.28cvss 5.4epss 0.00
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input…
CVE-2026-48228MedMay 21, 2026
Openises
Tickets
risk 0.28cvss 5.4epss 0.00
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form…