CVE-2025-4405

MEDIUM Year: 2025
CVSS v3 Score
4.9
Medium
Weakness Type
CWE-79
View all →

Vulnerability Description

The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Related Vulnerabilities

CVE-2021-20571

MEDIUM
CVSS:4.9(Medium)

IBM Sterling B2B Integrator 5.2.0.0 through 6.1.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the int...

CWE-792021

CVE-2021-3646

MEDIUM
CVSS:4.9(Medium)

btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-792021

CVE-2023-32969

MEDIUM
CVSS:4.9(Medium)

A cross-site scripting (XSS) vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a...

CWE-792023

CVE-2024-53257

MEDIUM
CVSS:4.9(Medium)

Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries ...

CWE-792024

CVE-2025-0862

MEDIUM
CVSS:4.9(Medium)

The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficie...

CWE-792025

CVE-2025-2580

MEDIUM
CVSS:4.9(Medium)

The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization ...

CWE-792025