CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,297)

page 86 of 965

CVE	Vendor / Product	Sev	Risk	CVSS	Published	Description
CVE-2025-23431	WordPress Envato Affiliater	Hig	0.46	7.1	Feb 14, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in khaninejad Envato Affiliater envato-affiliater allows Reflected XSS.This issue affects Envato Affiliater: from n/a through <= 1.2.4.
CVE-2025-23428	WordPress Qmean	Hig	0.46	7.1	Feb 14, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arash Safari QMean – WordPress Did You Mean qmean allows Reflected XSS.This issue affects QMean – WordPress Did You Mean: from n/a through <= 2.0.
CVE-2025-26552	WordPress Badr Naver Syndication	Hig	0.46	7.1	Feb 13, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badrHan Naver Syndication V2 badr-naver-syndication allows Stored XSS.This issue affects Naver Syndication V2: from n/a through <= 0.8.3.
CVE-2025-26551	WordPress Bootstrap Collapse	Hig	0.46	7.1	Feb 13, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sureshdsk Bootstrap collapse bootstrap-collapse allows Stored XSS.This issue affects Bootstrap collapse: from n/a through <= 1.0.4.
CVE-2025-25203	Ctrlpanel Gg Panel	Hig	0.46	8.1	Feb 11, 2025	CtrlPanel is open-source billing software for hosting providers. Prior to version 1.0, a Cross-Site Scripting (XSS) vulnerability exists in the `TicketsController` and `Moderation/TicketsController` due to insufficient input validation on the `priority` field during ticket creation and unsafe rendering of this field in the moderator panel. Version 1.0 contains a patch for the issue.
CVE-2025-25159	WordPress Wpdoodlez	Hig	0.46	7.1	Feb 7, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robert_kolatzek WP doodlez wpdoodlez allows Stored XSS.This issue affects WP doodlez: from n/a through <= 1.0.10.
CVE-2025-25144	—	Hig	0.46	7.1	Feb 7, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theasys Theasys theasys allows Stored XSS.This issue affects Theasys: from n/a through <= 1.0.1.
CVE-2025-24602	WordPress Wp24 Domain Check	Hig	0.46	7.1	Feb 4, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP24 WP24 Domain Check wp24-domain-check allows Reflected XSS.This issue affects WP24 Domain Check: from n/a through <= 1.10.14.
CVE-2025-24599	WordPress Newsletters Lite	Hig	0.46	7.1	Feb 4, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Reflected XSS.This issue affects Newsletters: from n/a through <= 4.9.9.6.
CVE-2025-24598	Wpmailster Wp Mailster	Hig	0.46	7.1	Feb 4, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster wp-mailster allows Reflected XSS.This issue affects WP Mailster: from n/a through <= 1.8.17.0.
CVE-2025-23645	WordPress Find Content Ids	Hig	0.46	7.1	Feb 4, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Optimize Worldwide Find Content IDs find-content-ids allows Reflected XSS.This issue affects Find Content IDs: from n/a through <= 1.0.
CVE-2025-22794	WordPress World Cup Predictor	Hig	0.46	7.1	Feb 4, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ianhaycox World Cup Predictor world-cup-predictor allows Reflected XSS.This issue affects World Cup Predictor: from n/a through <= 1.9.8.
CVE-2025-24781	WordPress Wpjobboard	Hig	0.46	7.1	Feb 3, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WPJobBoard allows Reflected XSS. This issue affects WPJobBoard: from n/a through 5.10.1.
CVE-2025-24707	WordPress Gt3 Photo Video Gallery	Hig	0.46	7.1	Feb 3, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gt3themes Photo Gallery gt3-photo-video-gallery allows Reflected XSS.This issue affects Photo Gallery: from n/a through <= 2.7.7.24.
CVE-2025-24684	WordPress Media Downloader	Hig	0.46	7.1	Feb 3, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ederson Peka Media Downloader media-downloader allows Reflected XSS.This issue affects Media Downloader: from n/a through <= 0.4.7.5.
CVE-2025-24676	WordPress Custom Store Locator	Hig	0.46	7.1	Feb 3, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in umangmetatagg Custom WP Store Locator custom-store-locator allows Reflected XSS.This issue affects Custom WP Store Locator: from n/a through <= 1.4.7.
CVE-2025-24660	WordPress Simple Membership Custom Messages	Hig	0.46	7.1	Feb 3, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wp.insider Simple Membership Custom Messages simple-membership-custom-messages allows Reflected XSS.This issue affects Simple Membership Custom Messages: from n/a through <= 2.4.
CVE-2025-24656	WordPress Realtyna Provisioning	Hig	0.46	7.1	Feb 3, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Realtyna Realtyna Provisioning realtyna-provisioning allows Reflected XSS.This issue affects Realtyna Provisioning: from n/a through <= 1.2.2.
CVE-2025-24646	WordPress Xml For Avito	Hig	0.46	7.1	Feb 3, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc XML for Avito xml-for-avito allows Reflected XSS.This issue affects XML for Avito: from n/a through <= 2.5.2.
CVE-2025-24631	WordPress Bp Email Assign Templates	Hig	0.46	7.1	Feb 3, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Reflected XSS.This issue affects BP Email Assign Templates: from n/a through <= 1.5.

CVE-2025-23431HigFeb 14, 2025
WordPress
Envato Affiliater
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in khaninejad Envato Affiliater envato-affiliater allows Reflected XSS.This issue affects Envato Affiliater: from n/a through <= 1.2.4.
CVE-2025-23428HigFeb 14, 2025
WordPress
Qmean
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arash Safari QMean – WordPress Did You Mean qmean allows Reflected XSS.This issue affects QMean – WordPress Did You Mean: from n/a through <= 2.0.
CVE-2025-26552HigFeb 13, 2025
WordPress
Badr Naver Syndication
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badrHan Naver Syndication V2 badr-naver-syndication allows Stored XSS.This issue affects Naver Syndication V2: from n/a through <= 0.8.3.
CVE-2025-26551HigFeb 13, 2025
WordPress
Bootstrap Collapse
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sureshdsk Bootstrap collapse bootstrap-collapse allows Stored XSS.This issue affects Bootstrap collapse: from n/a through <= 1.0.4.
CVE-2025-25203HigFeb 11, 2025
Ctrlpanel Gg
Panel
risk 0.46cvss 8.1epss 0.00
CtrlPanel is open-source billing software for hosting providers. Prior to version 1.0, a Cross-Site Scripting (XSS) vulnerability exists in the `TicketsController` and `Moderation/TicketsController` due to insufficient input validation on the `priority` field during ticket creation and unsafe rendering of this field in the moderator panel. Version 1.0 contains a patch for the issue.
CVE-2025-25159HigFeb 7, 2025
WordPress
Wpdoodlez
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robert_kolatzek WP doodlez wpdoodlez allows Stored XSS.This issue affects WP doodlez: from n/a through <= 1.0.10.
CVE-2025-25144HigFeb 7, 2025
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theasys Theasys theasys allows Stored XSS.This issue affects Theasys: from n/a through <= 1.0.1.
CVE-2025-24602HigFeb 4, 2025
WordPress
Wp24 Domain Check
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP24 WP24 Domain Check wp24-domain-check allows Reflected XSS.This issue affects WP24 Domain Check: from n/a through <= 1.10.14.
CVE-2025-24599HigFeb 4, 2025
WordPress
Newsletters Lite
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Reflected XSS.This issue affects Newsletters: from n/a through <= 4.9.9.6.
CVE-2025-24598HigFeb 4, 2025
Wpmailster
Wp Mailster
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster wp-mailster allows Reflected XSS.This issue affects WP Mailster: from n/a through <= 1.8.17.0.
CVE-2025-23645HigFeb 4, 2025
WordPress
Find Content Ids
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Optimize Worldwide Find Content IDs find-content-ids allows Reflected XSS.This issue affects Find Content IDs: from n/a through <= 1.0.
CVE-2025-22794HigFeb 4, 2025
WordPress
World Cup Predictor
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ianhaycox World Cup Predictor world-cup-predictor allows Reflected XSS.This issue affects World Cup Predictor: from n/a through <= 1.9.8.
CVE-2025-24781HigFeb 3, 2025
WordPress
Wpjobboard
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WPJobBoard allows Reflected XSS. This issue affects WPJobBoard: from n/a through 5.10.1.
CVE-2025-24707HigFeb 3, 2025
WordPress
Gt3 Photo Video Gallery
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gt3themes Photo Gallery gt3-photo-video-gallery allows Reflected XSS.This issue affects Photo Gallery: from n/a through <= 2.7.7.24.
CVE-2025-24684HigFeb 3, 2025
WordPress
Media Downloader
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ederson Peka Media Downloader media-downloader allows Reflected XSS.This issue affects Media Downloader: from n/a through <= 0.4.7.5.
CVE-2025-24676HigFeb 3, 2025
WordPress
Custom Store Locator
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in umangmetatagg Custom WP Store Locator custom-store-locator allows Reflected XSS.This issue affects Custom WP Store Locator: from n/a through <= 1.4.7.
CVE-2025-24660HigFeb 3, 2025
WordPress
Simple Membership Custom Messages
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wp.insider Simple Membership Custom Messages simple-membership-custom-messages allows Reflected XSS.This issue affects Simple Membership Custom Messages: from n/a through <= 2.4.
CVE-2025-24656HigFeb 3, 2025
WordPress
Realtyna Provisioning
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Realtyna Realtyna Provisioning realtyna-provisioning allows Reflected XSS.This issue affects Realtyna Provisioning: from n/a through <= 1.2.2.
CVE-2025-24646HigFeb 3, 2025
WordPress
Xml For Avito
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc XML for Avito xml-for-avito allows Reflected XSS.This issue affects XML for Avito: from n/a through <= 2.5.2.
CVE-2025-24631HigFeb 3, 2025
WordPress
Bp Email Assign Templates
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Reflected XSS.This issue affects BP Email Assign Templates: from n/a through <= 1.5.