ARI Fancy Lightbox – WordPress Popup Security Vulnerabilities

Exploit for CVE-2024-30491

CVE-2024-30491-Poc ProfileGrid <= 5.7.8 - Authenticated...

CVE-2024-1050

The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_force_reset_password_delete_metas() function in all versions up to, and including, 1.26.5. This makes it possible for authenticated...

CVE-2023-7065

The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for...

CVE-2024-3237

The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice() function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to....

CVE-2024-3240

The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_info_bar' shortcode. This makes it possible for authenticated attackers, with...

CVE-2024-3868

The Folders Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's First Name and Last Name in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level.....

Exploit for CVE-2024-27971

CVE-2024-27971-Note WordPress Premmerce Permalink Manager for...

CVE-2024-33925

Missing Authorization vulnerability in Adrian Mörchen Embed Google Fonts.This issue affects Embed Google Fonts: from n/a through...

CVE-2024-33929

Missing Authorization vulnerability in wpWax Directorist.This issue affects Directorist: from n/a through...

CVE-2024-33937

Missing Authorization vulnerability in Nico Martin Progressive WordPress (PWA).This issue affects Progressive WordPress (PWA): from n/a through...

CVE-2024-33921

Broken Access Control vulnerability in ReviewX.This issue affects ReviewX: from n/a through...

CVE-2024-33931

Missing Authorization vulnerability in ilGhera JW Player for WordPress.This issue affects JW Player for WordPress: from n/a through...

CVE-2024-33923

Missing Authorization vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through...

CVE-2024-33914

Missing Authorization vulnerability in Exclusive Addons Exclusive Addons Elementor.This issue affects Exclusive Addons Elementor: from n/a through...

CVE-2024-33919

Missing Authorization vulnerability in Rometheme RomethemeKit For Elementor.This issue affects RomethemeKit For Elementor: from n/a through...

CVE-2024-33915

Missing Authorization vulnerability in Bowo Debug Log Manager.This issue affects Debug Log Manager: from n/a through...

CVE-2024-33920

Missing Authorization vulnerability in Kama Democracy Poll.This issue affects Democracy Poll: from n/a through...

CVE-2024-33918

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maxim K AJAX Login and Registration modal popup + inline form allows Stored XSS.This issue affects AJAX Login and Registration modal popup + inline form: from n/a through...

CVE-2024-33927

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Team GIPHY Giphypress allows Stored XSS.This issue affects Giphypress: from n/a through...

CVE-2024-33924

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Realtyna Realtyna Organic IDX plugin allows Reflected XSS.This issue affects Realtyna Organic IDX plugin: from n/a through...

CVE-2024-33941

Missing Authorization vulnerability in Avirtum iPanorama 360 WordPress Virtual Tour Builder.This issue affects iPanorama 360 WordPress Virtual Tour Builder: from n/a through...

CVE-2024-33926

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Karl Kiesinger GWP-Histats allows Stored XSS.This issue affects GWP-Histats: from n/a through...

CVE-2024-24710

Missing Authorization vulnerability in SlickRemix Feed Them Social.This issue affects Feed Them Social: from n/a through...

CVE-2024-32810

Missing Authorization vulnerability in ShortPixel ShortPixel Critical CSS.This issue affects ShortPixel Critical CSS: from n/a through...

CVE-2024-32831

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lorna Timbah (webgrrrl) Accessibility Widget allows Stored XSS.This issue affects Accessibility Widget: from n/a through...

CVE-2024-33916

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MachoThemes CPO Companion allows Stored XSS.This issue affects CPO Companion: from n/a through...

CVE-2023-44472

Missing Authorization vulnerability in ThemeFuse Unyson.This issue affects Unyson: from n/a through...

CVE-2023-25457

Missing Authorization vulnerability in Richteam Slider Carousel – Responsive Image Slider.This issue affects Slider Carousel – Responsive Image Slider: from n/a through...

CVE-2024-33945

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in solverwp.Com Eleblog – Elementor Blog And Magazine Addons allows Stored XSS.This issue affects Eleblog – Elementor Blog And Magazine Addons: from n/a through...

CVE-2024-33947

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS.This issue affects RegistrationMagic: from n/a through...

CVE-2024-33946

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPify s.R.O. WPify Woo Czech allows Reflected XSS.This issue affects WPify Woo Czech: from n/a through...

CVE-2024-33940

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashan Jay EventON allows Stored XSS.This issue affects EventON: from n/a through...

CVE-2024-33936

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Twinpictures Print-O-Matic allows Stored XSS.This issue affects Print-O-Matic: from n/a through...

CVE-2024-33935

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pascal Bajorat PB MailCrypt allows Stored XSS.This issue affects PB MailCrypt: from n/a through...

CVE-2024-33943

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyKite Ultimate Under Construction allows Stored XSS.This issue affects Ultimate Under Construction: from n/a through...

CVE-2024-33934

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kailey Lampert Mini Loops allows Stored XSS.This issue affects Mini Loops: from n/a through...

CVE-2024-33932

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vinod Dalvi Login Logout Register Menu allows Stored XSS.This issue affects Login Logout Register Menu: from n/a through...

CVE-2024-33928

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeBard CodeBard's Patron Button and Widgets for Patreon allows Reflected XSS.This issue affects CodeBard's Patron Button and Widgets for Patreon: from n/a through...

CVE-2024-3703

The Carousel Slider WordPress plugin before 2.2.10 does not validate and escape some of its Slide options before outputting them back in the page/post where the related Slide shortcode is embed, which could allow users with the Editor role and above to perform Stored Cross-Site Scripting...

CVE-2024-4439

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

CVE-2024-3637

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.....

CVE-2024-3692

The Gutenverse WordPress plugin before 1.9.1 does not validate the htmlTag option in various of its block before outputting it back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

CVE-2024-4439

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

WP Travel Engine < 5.8.1 - Unauthenticated Price Manipulation

Description The WP Travel Engine – Best Travel Booking WordPress Plugin plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 5.8.0. This is due to the plugin not properly validating a price. This makes it possible for unauthenticated attackers to...

FG Joomla to WordPress < 4.21.0 - Sensitive Information Exposure

Description The FG Joomla to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.20.2 via log files. This makes it possible for unauthenticated attackers to view potentially sensitive information in log...

Royal Elementor Addons < 1.3.95 - Unauthenticated IP Spoofing

Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to IP Address Spoofing due to insufficient IP address validation. This makes it possible for unauthenticated attackers to spoof their IP...

Royal Elementor Addons < 1.3.95 - Unauthenticated IP Spoofing

Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to IP Address Spoofing due to insufficient IP address validation. This makes it possible for unauthenticated attackers to spoof their IP addresses. PoC Set any of the following server headers as used in...

Appointment Hour Booking < 1.4.57 - Captcha Bypass

Description The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.4.56. This makes it possible for unauthenticated attackers to bypass the Captcha...

Hummingbird < 3.7.4 - Missing Authorization

Description The Hummingbird plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /admin/class-ajax.php file in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to perform unauthorized...

ColibriWP Theme framework - Various Versions and Themes - Missing Authorization

Description The ColibriWP Theme framework used by multiple themes for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_plugin' AJAX action in various versions. This makes it possible for authenticated attackers, with subscriber-level...