CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2891 – WP Pro Real Estate 7 <= 3.5.4 - Authenticated (Custom) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-2891
31 Mar 2025 — The Real Estate 7 WordPress theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'template-submit-listing.php' file in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with Seller-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible if front-end listing submission has been enabled. • https://www.wordfence.com/threat-intel/vulnerabilities/id/5c83457d-ba06-43c5-acdd-77dbfb0d4af4?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-3005 – Sayski ForestBlog Friend Link cross site scripting
https://notcve.org/view.php?id=CVE-2025-3005
31 Mar 2025 — A vulnerability was found in Sayski ForestBlog up to 20250321 and classified as problematic. Affected by this issue is some unknown functionality of the component Friend Link Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/saysky/ForestBlog/issues/105 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-3004 – Sayski ForestBlog search cross site scripting
https://notcve.org/view.php?id=CVE-2025-3004
31 Mar 2025 — A vulnerability has been found in Sayski ForestBlog up to 20250321 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /search. The manipulation of the argument keywords leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/saysky/ForestBlog/issues/104 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2008 – Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-2008
31 Mar 2025 — The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3261521/wp-ultimate-csv-importer/trunk/SingleImportExport.php • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 0CVE-2025-2981 – Legrand SMS PowerView cross site scripting
https://notcve.org/view.php?id=CVE-2025-2981
31 Mar 2025 — A vulnerability, which was classified as problematic, has been found in Legrand SMS PowerView 1.x. This issue affects some unknown processing. The manipulation of the argument redirect leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?ctiid.302033 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8EPSS: 0%CPEs: -EXPL: 1CVE-2025-2979 – WCMS Registration setregister cross site scripting
https://notcve.org/view.php?id=CVE-2025-2979
31 Mar 2025 — A vulnerability classified as problematic has been found in WCMS 11. This affects an unknown part of the file /index.php?anonymous/setregister of the component Registration. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the attack remotely. • https://github.com/caigo8/CVE-md/blob/main/wcms11/%E5%AD%98%E5%82%A8%E5%9E%8BXSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 1CVE-2025-2977 – GFI KerioConnect PDF File cross site scripting
https://notcve.org/view.php?id=CVE-2025-2977
31 Mar 2025 — A vulnerability was found in GFI KerioConnect 10.0.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. • https://github.com/0xs1ash/poc/blob/main/portable_data_exfiltration.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 1CVE-2025-2976 – GFI KerioConnect File Upload cross site scripting
https://notcve.org/view.php?id=CVE-2025-2976
31 Mar 2025 — A vulnerability was found in GFI KerioConnect 10.0.6. It has been classified as problematic. Affected is an unknown function of the component File Upload. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. • https://github.com/0xs1ash/poc/blob/main/xss.md#2-when-a-file-with-a-malicious-javascript-code-in-its-name-is-uploaded-to-the-system-it-is-displayed-again-on-the-page-within-the-input-field-without-being-sanitized-this-creates-the-potential-for-an-xss-att • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 1CVE-2025-2975 – GFI KerioConnect Signature EditHtmlSource cross site scripting
https://notcve.org/view.php?id=CVE-2025-2975
31 Mar 2025 — A vulnerability was found in GFI KerioConnect 10.0.6 and classified as problematic. This issue affects some unknown processing of the file Settings/Email/Signature/EditHtmlSource of the component Signature Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/0xs1ash/poc/blob/main/xss.md#1-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: 2EXPL: 1CVE-2025-2974 – CodeCanyon Perfex CRM Contracts contract cross site scripting
https://notcve.org/view.php?id=CVE-2025-2974
31 Mar 2025 — This vulnerability affects unknown code of the file /contract of the component Contracts. • https://bytium.com/stored-xss-in-perfex-crm-3-2-1-contracts-module • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •