Lucene search

K

Style Kits – Advanced Theme Styles For Elementor Security Vulnerabilities

cve
cve

CVE-2024-5994 WP Go Maps (formerly WP Google Maps) <= 9.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

6.4CVSS

6.1AI Score

EPSS

2024-06-14 06:53 AM
cvelist
cvelist

CVE-2024-5994 WP Go Maps (formerly WP Google Maps) <= 9.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

6.4CVSS

EPSS

2024-06-14 06:53 AM
openbugbounty
openbugbounty

directory.hardmantrust.org.uk Cross Site Scripting vulnerability OBB-3934998

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.2AI Score

2024-06-14 06:30 AM
nvd
nvd

CVE-2024-5551

The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin - Backup...

7.5CVSS

EPSS

2024-06-14 06:15 AM
2
cve
cve

CVE-2024-5551

The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin - Backup...

7.5CVSS

7.2AI Score

EPSS

2024-06-14 06:15 AM
1
cve
cve

CVE-2024-3966

The Pray For Me WordPress plugin through 1.0.4 does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP...

5.9AI Score

EPSS

2024-06-14 06:15 AM
1
cve
cve

CVE-2024-3977

The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

EPSS

2024-06-14 06:15 AM
1
nvd
nvd

CVE-2024-3992

The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:15 AM
2
nvd
nvd

CVE-2024-3966

The Pray For Me WordPress plugin through 1.0.4 does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP...

EPSS

2024-06-14 06:15 AM
2
nvd
nvd

CVE-2024-4404

The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary locations originating....

8.5CVSS

EPSS

2024-06-14 06:15 AM
3
cve
cve

CVE-2024-4005

The Social Pixel WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

EPSS

2024-06-14 06:15 AM
1
cve
cve

CVE-2024-4404

The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary locations originating....

8.5CVSS

8.3AI Score

EPSS

2024-06-14 06:15 AM
1
nvd
nvd

CVE-2024-3977

The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:15 AM
2
nvd
nvd

CVE-2024-4005

The Social Pixel WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:15 AM
2
cve
cve

CVE-2024-3965

The Pray For Me WordPress plugin through 1.0.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF...

6.4AI Score

EPSS

2024-06-14 06:15 AM
1
nvd
nvd

CVE-2024-3965

The Pray For Me WordPress plugin through 1.0.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF...

EPSS

2024-06-14 06:15 AM
2
cve
cve

CVE-2024-3992

The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

EPSS

2024-06-14 06:15 AM
1
nvd
nvd

CVE-2024-3754

The Alemha watermarker WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:15 AM
2
nvd
nvd

CVE-2024-2218

The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:15 AM
2
nvd
nvd

CVE-2024-2122

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS

EPSS

2024-06-14 06:15 AM
2
cve
cve

CVE-2024-2122

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS

5.7AI Score

EPSS

2024-06-14 06:15 AM
1
cve
cve

CVE-2024-3754

The Alemha watermarker WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

EPSS

2024-06-14 06:15 AM
1
cve
cve

CVE-2024-2218

The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

EPSS

2024-06-14 06:15 AM
4
cvelist
cvelist

CVE-2024-4005 Social Pixel <= 2.1 - Admin+ Stored XSS

The Social Pixel WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:00 AM
1
cvelist
cvelist

CVE-2024-3992 Amen <= 3.3.1 - Admin+ Stored XSS

The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:00 AM
1
cvelist
cvelist

CVE-2024-3977 WordPress Jitsi Shortcode <= 0.1 - Admin+ Stored XSS

The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:00 AM
1
cvelist
cvelist

CVE-2024-3965 Pray For Me <= 1.0.4 - Settings Update via CSRF

The Pray For Me WordPress plugin through 1.0.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF...

EPSS

2024-06-14 06:00 AM
1
cvelist
cvelist

CVE-2024-2218 LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS

The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:00 AM
1
cvelist
cvelist

CVE-2024-3754 Alemha Watermarker <= 1.3.1 - Author+ Stored XSS

The Alemha watermarker WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

EPSS

2024-06-14 06:00 AM
1
cvelist
cvelist

CVE-2024-3966 Pray For Me <= 1.0.4 - Unauthenticated Stored XSS

The Pray For Me WordPress plugin through 1.0.4 does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP...

EPSS

2024-06-14 06:00 AM
1
cvelist
cvelist

CVE-2024-4404 ElementsKit PRO <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery

The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary locations originating....

8.5CVSS

EPSS

2024-06-14 05:39 AM
1
cvelist
cvelist

CVE-2024-2122 FooGallery <= 2.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Custom URL

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS

EPSS

2024-06-14 05:39 AM
1
cvelist
cvelist

CVE-2024-5551 WP STAGING PRO - Backup Duplicator & Migration <= 5.6.0 - Cross-Site Request Forgery to Limited Local File Inclusion

The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin - Backup...

7.5CVSS

EPSS

2024-06-14 05:39 AM
1
openbugbounty
openbugbounty

apps.rhs.org.uk Cross Site Scripting vulnerability OBB-3934997

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.2AI Score

2024-06-14 05:26 AM
2
openbugbounty
openbugbounty

rock.geosociety.org Cross Site Scripting vulnerability OBB-3934996

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.2AI Score

2024-06-14 05:16 AM
3
nvd
nvd

CVE-2024-3498

Attackers can then execute malicious files by enabling certain services of the printer via the web configuration page and elevate its privileges to root. As for the affected products/models/versions, see the reference...

7.8CVSS

EPSS

2024-06-14 05:15 AM
1
nvd
nvd

CVE-2024-4936

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This required allow_url_include to...

9.8CVSS

EPSS

2024-06-14 05:15 AM
1
cve
cve

CVE-2024-4936

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This required allow_url_include to...

9.8CVSS

9.7AI Score

EPSS

2024-06-14 05:15 AM
4
cve
cve

CVE-2024-3498

Attackers can then execute malicious files by enabling certain services of the printer via the web configuration page and elevate its privileges to root. As for the affected products/models/versions, see the reference...

7.8CVSS

7.8AI Score

EPSS

2024-06-14 05:15 AM
2
cve
cve

CVE-2024-1094

The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it...

7.3CVSS

7AI Score

EPSS

2024-06-14 05:15 AM
3
nvd
nvd

CVE-2024-3497

Path traversal vulnerability in the web server of the Toshiba printer enables attacker to overwrite orginal files or add new ones to the printer. As for the affected products/models/versions, see the reference...

8.8CVSS

EPSS

2024-06-14 05:15 AM
1
cve
cve

CVE-2024-3496

Attackers can bypass the web login authentication process to gain access to the printer's system information and upload malicious drivers to the printer. As for the affected products/models/versions, see the reference...

8.8CVSS

9.1AI Score

EPSS

2024-06-14 05:15 AM
1
nvd
nvd

CVE-2024-3496

Attackers can bypass the web login authentication process to gain access to the printer's system information and upload malicious drivers to the printer. As for the affected products/models/versions, see the reference...

8.8CVSS

EPSS

2024-06-14 05:15 AM
2
cve
cve

CVE-2024-3497

Path traversal vulnerability in the web server of the Toshiba printer enables attacker to overwrite orginal files or add new ones to the printer. As for the affected products/models/versions, see the reference...

8.8CVSS

8.7AI Score

EPSS

2024-06-14 05:15 AM
3
nvd
nvd

CVE-2024-1094

The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it...

7.3CVSS

EPSS

2024-06-14 05:15 AM
1
redhatcve
redhatcve

CVE-2024-35328

No description is available for this...

7AI Score

EPSS

2024-06-14 05:12 AM
1
cvelist
cvelist

CVE-2024-4936 Canto <= 3.0.8 - Unauthenticated Remote File Inclusion

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This required allow_url_include to...

9.8CVSS

EPSS

2024-06-14 04:36 AM
3
cvelist
cvelist

CVE-2024-1094 Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling Plugin <= 1.0.21 - Missing Authorization to Limited Privilege Escalation

The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it...

7.3CVSS

EPSS

2024-06-14 04:36 AM
3
mageia
mageia

Updated golang packages fix security vulnerabilities

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects...

6.3AI Score

0.0004EPSS

2024-06-14 04:31 AM
2
cvelist
cvelist

CVE-2024-3498 Incorrect Permission Assignment Privilege Escalation Vulnerability

Attackers can then execute malicious files by enabling certain services of the printer via the web configuration page and elevate its privileges to root. As for the affected products/models/versions, see the reference...

7.8CVSS

EPSS

2024-06-14 04:20 AM
2
Total number of security vulnerabilities2100166