VYPR

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

VariantIncompleteLikelihood: High

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-18 · CAPEC-193 · CAPEC-32 · CAPEC-86

CVEs mapped to this weakness (275)

page 3 of 14
  • CVE-2025-11241MedOct 3, 2025
    risk 0.42cvss 6.4epss 0.00

    The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. This…

  • CVE-2025-10128MedSep 30, 2025
    risk 0.42cvss 6.4epss 0.00

    The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2025-10125MedSep 17, 2025
    risk 0.42cvss 6.4epss 0.00

    The Memberlite Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'row' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible…

  • CVE-2025-8621MedAug 12, 2025
    risk 0.42cvss 6.4epss 0.00

    The Mosaic Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘c’ parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2025-5686MedJun 6, 2025
    risk 0.42cvss 6.4epss 0.00

    The Paged Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for…

  • CVE-2025-4126MedMay 15, 2025
    risk 0.42cvss 6.4epss 0.00

    The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function.…

  • CVE-2025-4168MedMay 3, 2025
    risk 0.42cvss 6.4epss 0.00

    The Subpage List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'subpages' shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for…

  • CVE-2025-3521MedMay 1, 2025
    risk 0.42cvss 6.4epss 0.00

    The Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social Link icons in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output…

  • CVE-2025-39524MedApr 16, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in bPlugins Html5 Audio Player html5-audio-player allows Stored XSS.This issue affects Html5 Audio Player: from n/a through <= 2.2.28.

  • CVE-2025-31604MedMar 31, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Cal.com Cal.com cal-com allows Stored XSS.This issue affects Cal.com: from n/a through <= 1.0.0.

  • CVE-2025-31075MedMar 28, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in videowhisper MicroPayments paid-membership allows Stored XSS.This issue affects MicroPayments: from n/a through <= 2.9.29.

  • CVE-2025-24678MedJan 24, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in listamester Listamester listamester allows Stored XSS.This issue affects Listamester: from n/a through <= 2.3.4.

  • CVE-2025-24673MedJan 24, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AyeCode Ketchup Shortcodes ketchup-shortcodes-pack allows Stored XSS.This issue affects Ketchup Shortcodes: from n/a through <= 0.1.2.

  • CVE-2024-10621MedNov 8, 2024
    risk 0.42cvss 6.4epss 0.00

    The Simple Shortcode for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pw_map shortcode in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes…

  • CVE-2023-49852MedJun 4, 2024
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Vsourz Digital Responsive Slick Slider WordPress allows Code Injection.This issue affects Responsive Slick Slider WordPress: from n/a through 1.4.

  • CVE-2025-58970MedOct 22, 2025
    risk 0.41cvss 6.3epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AmentoTech Doctreat doctreat allows Code Injection.This issue affects Doctreat: from n/a through <= 1.6.7.

  • CVE-2026-46492HigJun 9, 2026
    risk 0.40cvss 7.2epss 0.00

    md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including…

  • CVE-2026-9646MedMay 28, 2026
    risk 0.40cvss 6.1epss 0.00

    A reflected cross-site scripting issue exists in URL handling.

  • CVE-2025-15345MedMay 14, 2026
    risk 0.40cvss 6.1epss 0.00

    The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27 due to insufficient input sanitization and output escaping. This makes it…

  • CVE-2026-42030MedMay 8, 2026
    risk 0.40cvss 6.1epss 0.00

    MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a…