Stored-Xss

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting (CVE-2026-7052) via the 'file_upload' parameter in versions up to 2.8.2, allowing unauthenticated attackers to inject arbitrary web scripts.

Typebot is vulnerable to stored cross-site scripting (XSS) due to the rating block's custom icon feature, which accepts arbitrary HTML/SVG via the `customIcon.svg` field without sanitization. When a malicious typebot is imported or crafted by a workspace collaborator, the payload executes in the builder's DOM context, bypassing the `isUnsafe` Web Worker sandbox that protects Script blocks during preview, allowing session hijacking and privilege escalation within the builder application.

A cross-site scripting (XSS) vulnerability exists in md-fileserver's Markdown rendering logic, where user-supplied Markdown content containing raw HTML, including <script> tags, is processed and injected into the resulting page without sanitization, leading to arbitrary JavaScript execution and potential account takeover.

A stored XSS vulnerability (CVE-2026-45270) exists in the Pages module of CI4MS due to improper sanitization of page content, allowing an attacker with `pages.create` permissions to inject malicious code and escalate privileges if an administrator views the page.

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments, potentially leading to session hijacking and application takeover.

NukeViet CMS version 4.5.08 and earlier is vulnerable to stored cross-site scripting (XSS) via insufficient server-side input sanitization in the Request class, allowing attackers to inject malicious payloads that can lead to session hijacking, defacement, and phishing attacks.

Open WebUI is vulnerable to stored cross-site scripting (XSS) via OAuth profile picture handling, allowing an attacker to inject malicious SVG code and potentially takeover user accounts by exfiltrating JWT tokens.

Adobe Commerce versions 2.4.9-beta1 and earlier are susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-34686) that allows low-privileged attackers to inject malicious scripts into form fields, leading to potential account compromise.

The LifePress plugin for WordPress is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping within the `lp_update_mds` AJAX action, allowing unauthenticated attackers to inject arbitrary web scripts via the 'n' parameter that execute when a user accesses the injected page; this affects versions up to and including 2.2.2.

A stored cross-site scripting (XSS) vulnerability exists in PrestaShop's back-office customer service view, where an unauthenticated attacker can submit a malicious email address via the Contact Us form, leading to session hijacking and full back-office takeover when an employee opens the affected customer thread; patched in PrestaShop 8.2.6 and 9.1.1.

DivvyDrive versions 4.8.2.9 before 4.8.3.2 are susceptible to stored cross-site scripting (XSS) due to improper neutralization of user-supplied input during web page generation, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.

The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.

The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.

The netbox-data-flows plugin is vulnerable to stored cross-site scripting (XSS). An authenticated user with permissions to create or edit ObjectAlias objects can inject arbitrary HTML/JavaScript into the alias name. This payload is then rendered unescaped in DataFlow table views, leading to XSS when another user views the affected page. Successful exploitation can result in session theft, privileged action execution, and data exfiltration.

The LatePoint WordPress plugin is vulnerable to stored XSS via the booking_form_page_url parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user accesses the injected page.

A stored XSS vulnerability in YAFNET.Core allows an attacker to inject arbitrary JavaScript into forum posts, which executes in the browsers of other users viewing the thread, potentially leading to account compromise and malware delivery.

A stored XSS vulnerability in phpMyFAQ version 4.1.1 allows an authenticated user to inject JavaScript code into comments, leading to session cookie theft and potential admin account takeover when other users view the affected FAQ or News page.

The livewire-markdown-editor versions before v1.3 contain an arbitrary file upload vulnerability in the MarkdownEditor::updatedAttachments() Livewire handler, allowing authenticated users to upload any file type, potentially leading to stored XSS, phishing, malware distribution, and markdown injection.