Lucene search

K

Event Calendar – Calendar (WordPress Plugin) Security Vulnerabilities

nvd
nvd

CVE-2024-4477

The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site...

0.0004EPSS

2024-06-21 06:15 AM
1
nvd
nvd

CVE-2024-4969

The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF...

0.0004EPSS

2024-06-21 06:15 AM
1
nvd
nvd

CVE-2024-5448

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to...

0.0004EPSS

2024-06-21 06:15 AM
1
cve
cve

CVE-2024-4474

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF...

6.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
11
cve
cve

CVE-2024-4477

The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site...

5.5AI Score

0.0004EPSS

2024-06-21 06:15 AM
10
cve
cve

CVE-2024-4616

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated...

6AI Score

0.0004EPSS

2024-06-21 06:15 AM
13
nvd
nvd

CVE-2024-4474

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF...

0.0004EPSS

2024-06-21 06:15 AM
1
nvd
nvd

CVE-2024-4755

The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

0.0004EPSS

2024-06-21 06:15 AM
2
nvd
nvd

CVE-2024-5447

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...

0.0004EPSS

2024-06-21 06:15 AM
3
cve
cve

CVE-2024-5448

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to...

5.6AI Score

0.0004EPSS

2024-06-21 06:15 AM
13
nvd
nvd

CVE-2024-4382

The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF...

0.0004EPSS

2024-06-21 06:15 AM
2
nvd
nvd

CVE-2024-4970

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

0.0004EPSS

2024-06-21 06:15 AM
2
cve
cve

CVE-2024-4475

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF...

6.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
14
nvd
nvd

CVE-2024-4616

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated...

0.0004EPSS

2024-06-21 06:15 AM
2
cve
cve

CVE-2024-5447

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...

5.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
24
cve
cve

CVE-2024-4384

The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
13
cve
cve

CVE-2024-4970

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
10
nvd
nvd

CVE-2024-4377

The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

0.0004EPSS

2024-06-21 06:15 AM
2
cve
cve

CVE-2024-4377

The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

5.6AI Score

0.0004EPSS

2024-06-21 06:15 AM
12
cve
cve

CVE-2024-4381

The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
11
nvd
nvd

CVE-2024-4381

The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

0.0004EPSS

2024-06-21 06:15 AM
1
cvelist
cvelist

CVE-2024-5447 PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Admin+ Stored XSS

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...

0.0004EPSS

2024-06-21 06:00 AM
3
vulnrichment
vulnrichment

CVE-2024-5448 PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Contributor+ Stored XSS

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to...

5.9AI Score

0.0004EPSS

2024-06-21 06:00 AM
cvelist
cvelist

CVE-2024-5448 PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Contributor+ Stored XSS

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to...

0.0004EPSS

2024-06-21 06:00 AM
1
cvelist
cvelist

CVE-2024-4755 Google CSE <= 1.0.7 - Admin+ Stored XSS

The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

0.0004EPSS

2024-06-21 06:00 AM
4
vulnrichment
vulnrichment

CVE-2024-4970 Widget Bundle <= 2.0.0 - Admin+ Stored XSS

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.6AI Score

0.0004EPSS

2024-06-21 06:00 AM
1
cvelist
cvelist

CVE-2024-4969 Widget Bundle <= 2.0.0 - Widget Disable/Enable via CSRF

The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF...

0.0004EPSS

2024-06-21 06:00 AM
2
cvelist
cvelist

CVE-2024-4970 Widget Bundle <= 2.0.0 - Admin+ Stored XSS

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

0.0004EPSS

2024-06-21 06:00 AM
1
cvelist
cvelist

CVE-2024-4616 Widget Bundle <= 2.0.0 - Unauthencated Reflected XSS

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated...

0.0004EPSS

2024-06-21 06:00 AM
2
cvelist
cvelist

CVE-2024-4477 WP Logs Book <= 1.0.1 - Unauthenticated Stored XSS

The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site...

0.0004EPSS

2024-06-21 06:00 AM
2
vulnrichment
vulnrichment

CVE-2024-4382 CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF

The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF...

6.8AI Score

0.0004EPSS

2024-06-21 06:00 AM
1
cvelist
cvelist

CVE-2024-4474 WP Logs Book <= 1.0.1 - Disable Logging via CSRF

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF...

0.0004EPSS

2024-06-21 06:00 AM
1
cvelist
cvelist

CVE-2024-4475 WP Logs Book <= 1.0.1 - Log Clearing via CSRF

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF...

0.0004EPSS

2024-06-21 06:00 AM
2
cvelist
cvelist

CVE-2024-4384 CSSable Countdown <= 1.5 - Admin+ Stored XSS

The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

0.0004EPSS

2024-06-21 06:00 AM
1
cvelist
cvelist

CVE-2024-4382 CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF

The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF...

0.0004EPSS

2024-06-21 06:00 AM
2
cvelist
cvelist

CVE-2024-4377 DOP Shortcodes <= 1.2 - Contributor+ Stored XSS via Shortcode

The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

0.0004EPSS

2024-06-21 06:00 AM
1
vulnrichment
vulnrichment

CVE-2024-4381 CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS

The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.6AI Score

0.0004EPSS

2024-06-21 06:00 AM
1
cvelist
cvelist

CVE-2024-4381 CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS

The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

0.0004EPSS

2024-06-21 06:00 AM
1
nvd
nvd

CVE-2024-5756

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied...

9.8CVSS

0.001EPSS

2024-06-21 05:15 AM
3
cve
cve

CVE-2024-5756

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied...

9.8CVSS

9.7AI Score

0.001EPSS

2024-06-21 05:15 AM
16
cvelist
cvelist

CVE-2024-5756 Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23 - Unauthenticated SQL Injection via optin

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied...

9.8CVSS

0.001EPSS

2024-06-21 04:34 AM
4
cve
cve

CVE-2024-5455

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level.....

8.8CVSS

8.9AI Score

0.0004EPSS

2024-06-21 04:15 AM
16
nvd
nvd

CVE-2024-5455

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level.....

8.8CVSS

0.0004EPSS

2024-06-21 04:15 AM
2
nvd
nvd

CVE-2024-3961

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for...

5.3CVSS

0.0005EPSS

2024-06-21 04:15 AM
5
cve
cve

CVE-2024-3961

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for...

5.3CVSS

5.1AI Score

0.0005EPSS

2024-06-21 04:15 AM
18
cvelist
cvelist

CVE-2024-3961 ConvertKit <= 2.4.9 - Missing Authorization

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for...

5.3CVSS

0.0005EPSS

2024-06-21 03:49 AM
4
cvelist
cvelist

CVE-2024-5455 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.6 - Authenticated (Contributor+) Local File Inclusion

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level.....

8.8CVSS

0.0004EPSS

2024-06-21 03:24 AM
5
vulnrichment
vulnrichment

CVE-2024-5455 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.6 - Authenticated (Contributor+) Local File Inclusion

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level.....

8.8CVSS

7.7AI Score

0.0004EPSS

2024-06-21 03:24 AM
cve
cve

CVE-2024-5503

The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the...

8.8CVSS

8.9AI Score

0.001EPSS

2024-06-21 02:15 AM
13
nvd
nvd

CVE-2024-5344

The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘forgoturl’ attribute within the plugin's WP Login & Register widget in all versions up to, and including, 5.5.6 due to insufficient input sanitization and output escaping....

6.1CVSS

0.0005EPSS

2024-06-21 02:15 AM
2
Total number of security vulnerabilities271182