CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-13884 – Limit Bio <= 1.0 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13884
20 Feb 2025 — The Limit Bio WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The Limit Bio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. • https://wpscan.com/vulnerability/759a60ac-c890-4961-91e4-53db5096eb3c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-13885 – WP E Customers <= 0.0.1 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13885
20 Feb 2025 — The WP e-Customers Beta WordPress plugin through 0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The WP e-Customers Beta plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping. • https://wpscan.com/vulnerability/b64d17d6-8416-476e-ad78-b7b9cb85b84f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-13891 – Schedule <= 1.0.0 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13891
20 Feb 2025 — The Schedule WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The Schedule plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. • https://wpscan.com/vulnerability/58c8b73c-3a29-4a66-9b2e-f24b5c2769ac • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-54958
https://notcve.org/view.php?id=CVE-2024-54958
20 Feb 2025 — Nagios XI 2024R1.2.2 is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the Tools page. • https://github.com/Sharpe-nl/CVEs/tree/main/CVE-2024-54958 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-54959
https://notcve.org/view.php?id=CVE-2024-54959
20 Feb 2025 — Nagios XI 2024R1.2.2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack through the Favorites component, enabling POST-based Cross-Site Scripting (XSS). • https://github.com/Sharpe-nl/CVEs/tree/main/CVE-2024-54959 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37361 – Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2024-37361
19 Feb 2025 — The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods. When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object ... • https://support.pentaho.com/hc/en-us/articles/34298351866893--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37360 • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37360 – Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
https://notcve.org/view.php?id=CVE-2024-37360
19 Feb 2025 — Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. • https://support.pentaho.com/hc/en-us/articles/34298351866893--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-CVE-2024-37360 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6432 – Content Blocks (Custom Post Widget) <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter
https://notcve.org/view.php?id=CVE-2024-6432
19 Feb 2025 — The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter within the plugin's shortcode Content Block in all versions up to, and including, 3.3.5 due to insufficient input sanitization and output escaping. • source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13748 – Ultimate Classified Listings <= 1.4 Authenticated (Administrator+) Stored Cross-Site Scripting via Title Parameter
https://notcve.org/view.php?id=CVE-2024-13748
19 Feb 2025 — The Ultimate Classified Listings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title parameter in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. • source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13802 – Bandsintown Events <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-13802
19 Feb 2025 — The Bandsintown Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bandsintown_events' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. • source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •