Search Results (Refine Search)
- Keyword (text search): wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2024-3188 |
The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3075 |
The MM-email2image WordPress plugin through 0.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3060 |
The ENL Newsletter WordPress plugin through 1.0.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin+ to perform SQL injection attacks Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3059 |
The ENL Newsletter WordPress plugin through 1.0.1 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary Campaigns via a CSRF attack Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3058 |
The ENL Newsletter WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3048 |
The Bannerlid WordPress plugin through 1.1.0 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-2908 |
The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-2837 |
The WP Chat App WordPress plugin before 3.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-2603 |
The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin (or editor depending on Salon booking system WordPress plugin through 9.6.5 configuration) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-2439 |
The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-2429 |
The Salon booking system WordPress plugin through 9.6.5 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-2310 |
The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-2159 |
The Social Sharing Plugin WordPress plugin before 3.3.61 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Published: April 26, 2024; 1:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-0905 |
The Fancy Product Designer WordPress plugin before 6.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against unauthenticated and admin-level users Published: April 26, 2024; 1:15:49 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3265 |
The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configurations. Published: April 25, 2024; 6:15:09 PM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3730 |
The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: April 25, 2024; 7:15:46 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-4035 |
The Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt text in all versions up to, and including, 2.7.7.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: April 25, 2024; 6:15:09 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3994 |
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: April 25, 2024; 6:15:09 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3733 |
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.9.15 via the ajax_load_more() , eael_woo_pagination_product_ajax(), and ajax_eael_product_gallery() functions. This makes it possible for unauthenticated attackers to extract posts that may be in private or draft status. Published: April 25, 2024; 5:15:08 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3988 |
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Fancy Text Widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: April 25, 2024; 4:15:07 AM -0400 |
V3.x:(not available) V2.0:(not available) |