VYPR

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

VariantIncompleteLikelihood: High

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-18 · CAPEC-193 · CAPEC-32 · CAPEC-86

CVEs mapped to this weakness (275)

page 2 of 14
  • CVE-2026-39344HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter…

  • CVE-2025-14835HigJan 7, 2026
    risk 0.46cvss 7.1epss 0.00

    The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated…

  • CVE-2025-60244HigNov 6, 2025
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable allows Code Injection.This issue affects TableOn: from n/a through <= 1.0.5.1.

  • CVE-2025-51989HigAug 21, 2025
    risk 0.46cvss 7.0epss 0.00

    HTML injection vulnerability in the registration interface in Evolution Consulting Kft. HRmaster module v235 allows an attacker to inject HTML tags into the "keresztnév" (firstname) field, which will be sent out in an email resulting in possible Phishing scenarios against any,…

  • CVE-2025-31384HigApr 4, 2025
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS.This issue affects Videos: from n/a through 1.0.5.

  • CVE-2025-22501HigMar 28, 2025
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Improve My City Improve My City improve-my-city allows Reflected XSS.This issue affects Improve My City: from n/a through <= 1.6.

  • CVE-2025-24680HigJan 27, 2025
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows Reflected XSS.This issue affects WP Multistore Locator: from n/a through <= 2.4.7.

  • CVE-2024-51689HigNov 9, 2024
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Saleswonder Team: Tobias CF7 WOW Styler cf7-styler allows Reflected XSS.This issue affects CF7 WOW Styler: from n/a through <= 1.6.8.

  • CVE-2026-50146higJun 16, 2026
    risk 0.45cvss epss 0.00

    ## Summary When a component uses a `client:*` directive, Astro inserts named slot content into a `data-astro-template` attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS…

  • CVE-2025-8386MedNov 15, 2025
    risk 0.45cvss 6.9epss 0.00

    The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that when executed by a victim user, can result in horizontal or vertical …

  • CVE-2024-10592MedNov 16, 2024
    risk 0.45cvss 6.4epss 0.01

    The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup class parameter in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2022-36325MedAug 10, 2022
    risk 0.44cvss 6.8epss 0.01

    Affected devices do not properly sanitize data introduced by an user when rendering the web interface. This could allow an authenticated remote attacker with administrative privileges to inject code and lead to a DOM-based XSS.

  • CVE-2025-12803MedFeb 7, 2026
    risk 0.42cvss 6.4epss 0.00

    The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2025-15058MedJan 7, 2026
    risk 0.42cvss 6.4epss 0.00

    The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2025-64225MedDec 18, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows Code Injection.This issue affects Stockie Extra: from n/a through <= 1.2.11.

  • CVE-2025-11267MedNov 18, 2025
    risk 0.42cvss 6.4epss 0.00

    The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom…

  • CVE-2025-11265MedNov 18, 2025
    risk 0.42cvss 6.4epss 0.00

    The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads…

  • CVE-2025-12753MedNov 11, 2025
    risk 0.42cvss 6.4epss 0.00

    The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzez_chart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it…

  • CVE-2025-49398MedNov 6, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Easy Appointments Easy Appointments easy-appointments allows Code Injection.This issue affects Easy Appointments: from n/a through <= 3.12.14.

  • CVE-2025-11745MedNov 5, 2025
    risk 0.42cvss 6.4epss 0.00

    The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field through the plugin's 'adinserter' shortcode in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping on…