
CVE-2024-39311 – Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction
https://notcve.org/view.php?id=CVE-2024-39311
28 Mar 2025 — Prior to version 10.0.1 of Publify, corresponding to versions prior to 10.0.2 of the `publify_core` rubygem, a publisher on a `publify` application is able to perform a cross-site scripting (XSS) attack on an administrator using the redirect functionality. The exploitation of this XSS vulnerability requires the administrator to click a malicious link. • https://github.com/publify/publify/security/advisories/GHSA-8fm5-gg2f-f66q • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-11180 – ElementsKit Elementor addons <= 3.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-11180
28 Mar 2025 — The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer Widget ekit_countdown_timer_title parameter in all versions up to, and including, 3.4.7 due to insufficient input sanitization and output escaping. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-58128
https://notcve.org/view.php?id=CVE-2024-58128
28 Mar 2025 — ., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. • https://github.com/MISP/MISP/commit/33a1eb66408e16a7535b2bae48303efd9501a26a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-58129
https://notcve.org/view.php?id=CVE-2024-58129
28 Mar 2025 — ., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. • https://github.com/MISP/MISP/commit/09a43870e733f79ffa33753ddc7bce3cbb5a5647 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-58130
https://notcve.org/view.php?id=CVE-2024-58130
28 Mar 2025 — In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses. • https://github.com/MISP/MISP/commit/f08a2eaec25f0212c22b225c0b654bd60d089ef9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-12683 – Smart Maintenance Mode < 1.5.2 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-12683
26 Mar 2025 — The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). • https://wpscan.com/vulnerability/1569ee00-56c3-4a1b-940e-e0256a748675 •

CVE-2024-13702 – CRM and Lead Management by vcita <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-13702
25 Mar 2025 — The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vCitaMeetingScheduler' and 'vCitaSchedulingCalendar' shortcodes in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-53679 – Apache VCL: XSS vulnerability in User Lookup impacting user privileges
https://notcve.org/view.php?id=CVE-2024-53679
25 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. ... • https://lists.apache.org/thread/bq5vs0hndt9cz9b6rpfr5on1nd4qrmyr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-13863 – Stylish Google Sheet Reader < 4.1 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13863
25 Mar 2025 — The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. • https://wpscan.com/vulnerability/a6161595-0934-4baa-9da6-73792f4b87fd •

CVE-2024-13123 – AFI < 1.100.0 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-13123
25 Mar 2025 — The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). • https://wpscan.com/vulnerability/417178de-17ff-438c-a36c-b90db6486a46 •