
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2024-26559 - An issue in uverif v.2.0 allows a remote attacker to obtain sensitive information.
    Published: February 28, 2024; 6:15:09 PM -0500

  • CVE-2022-36677 - Obsidian Mind Map v1.1.0 allows attackers to execute arbitrary code via a crafted payload injected into an uploaded document.
    Published: February 28, 2024; 8:35:29 PM -0500

  • CVE-2023-27151 - openCRX 5.2.0 was discovered to contain an HTML injection vulnerability for Search Criteria-Activity Number (in the Saved Search Activity) via the Name, Description, or Activity Number field.
    Published: February 28, 2024; 8:38:30 PM -0500

  • CVE-2023-51774 - The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
    Published: February 28, 2024; 8:42:05 PM -0500

  • CVE-2023-51775 - The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
    Published: February 28, 2024; 8:42:05 PM -0500

  • CVE-2024-25006 - XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import.
    Published: February 28, 2024; 8:44:14 PM -0500

  • CVE-2024-2428 - The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping...
    Published: April 10, 2024; 1:15:49 AM -0400

  • CVE-2024-2729 - The Otter Blocks WordPress plugin before 2.6.6 does not properly escape its mainHeadings blocks' attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks.
    Published: April 18, 2024; 1:15:48 AM -0400

  • CVE-2024-2118 - The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when th...
    Published: April 17, 2024; 1:15:48 AM -0400

  • CVE-2024-1219 - The Easy Social Feed WordPress plugin before 6.5.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scrip...
    Published: April 17, 2024; 1:15:48 AM -0400

  • CVE-2024-2858 - The Simple Buttons Creator WordPress plugin through 1.04 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
    Published: April 15, 2024; 1:15:15 AM -0400

  • CVE-2024-2857 - The Simple Buttons Creator WordPress plugin through 1.04 does not have any authorisation as well as CSRF in its add button function, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of s...
    Published: April 15, 2024; 1:15:15 AM -0400

  • CVE-2024-2836 - The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.64 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when ...
    Published: April 15, 2024; 1:15:15 AM -0400

  • CVE-2024-2739 - The Advanced Search WordPress plugin through 1.1.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
    Published: April 15, 2024; 1:15:15 AM -0400

  • CVE-2024-1849 - The WP Customer Reviews WordPress plugin before 3.7.1 does not validate a parameter allowing contributor and above users to redirect a page to a malicious URL
    Published: April 15, 2024; 1:15:15 AM -0400

  • CVE-2024-1755 - The NPS computy WordPress plugin through 2.7.5 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
    Published: April 15, 2024; 1:15:15 AM -0400

  • CVE-2024-1754 - The NPS computy WordPress plugin through 2.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disal...
    Published: April 15, 2024; 1:15:15 AM -0400

  • CVE-2024-10562 - The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit...
    Published: January 07, 2025; 1:15:14 AM -0500

  • CVE-2024-11223 - The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallo...
    Published: December 26, 2024; 1:15:05 AM -0500

  • CVE-2024-10678 - The Ultimate Blocks WordPress plugin before 3.2.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform S...
    Published: December 13, 2024; 1:15:24 AM -0500

Created September 20, 2022, Updated August 27, 2024