Lucene search
K

24 matches found

Cvelist
Cvelist
added 2026/06/26 6:0 a.m.41 views

CVE-2026-10835 SALESmanago & Leadoo < 3.11.3 - Subscriber+ SQL Injection

The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as...

0.00215EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 2:16 a.m.11 views

CVE-2026-50745

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

6.1CVSS0.00224EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/26 1:11 a.m.42 views

CVE-2026-50745

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

4.7CVSS0.00224EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:9 a.m.13 views

CVE-2024-13057

The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

7.1CVSS5.8AI score0.00154EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 6:38 a.m.13 views

CVE-2024-7816

The Gixaw Chat WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

6.1CVSS5.8AI score0.00177EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 5:40 a.m.6 views

CVE-2023-0058

The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

6.1CVSS6AI score0.00237EPSS
Exploits2References1
Cvelist
Cvelist
added 2025/05/15 8:7 p.m.14 views

CVE-2024-8085 PeoplePond <= 1.1.9 - CSRF to Stored XSS

The PeoplePond WordPress plugin through 1.1.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

0.00143EPSS
Exploits1References1
Cvelist
Cvelist
added 2025/03/09 6:0 a.m.42 views

CVE-2025-1382 Contact Us By Lord Linus <= 2.6 - Admin+ Stored XSS via CSRF

The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

0.00165EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/02/08 4:35 a.m.8 views

CVE-2024-13115

The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

6.1CVSS5.8AI score0.00173EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2025/02/04 6:0 a.m.7 views

CVE-2024-13115 WP Projects Portfolio with Client Testimonials <= 3.0 - Stored XSS via CSRF

The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

6AI score0.00173EPSS
Exploits1References1
OSV
OSV
added 2024/09/12 6:15 a.m.7 views

CVE-2024-7822

The Quick Code WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

6.1CVSS5.8AI score0.00177EPSS
Exploits1References1
OSV
OSV
added 2024/07/13 6:15 a.m.5 views

CVE-2024-5280

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make non-logged in users execute an XSS payload via a CSRF attack...

4.7CVSS5.9AI score0.00211EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2024/07/13 6:0 a.m.11 views

CVE-2024-5280 WP Affiliate Platform < 6.5.1 - POST Reflected XSS

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make non-logged in users execute an XSS payload via a CSRF attack...

6.2AI score0.00211EPSS
Exploits1References1
CVE
CVE
added 2024/05/15 6:0 a.m.80 views

CVE-2024-3823

CVE-2024-3823 affects the WordPress plugin Base64 Encoder/Decoder (versions ≤ 0.9.2). The underlying issue is lack of CSRF protection when updating settings, combined with insufficient sanitization and escaping. This could allow a logged-in attacker to trigger a CSRF that enables Stored XSS paylo...

2.4CVSS5.7AI score0.00217EPSS
Exploits2References1Affected Software1
OSV
OSV
added 2024/05/14 3:41 p.m.7 views

CVE-2024-3582

The UnGallery WordPress plugin through 2.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

4.8CVSS5.8AI score0.00224EPSS
Exploits2References1
OSV
OSV
added 2024/01/29 3:15 p.m.3 views

CVE-2023-5943

The Wp-Adv-Quiz WordPress plugin before 1.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

4.8CVSS5.8AI score0.00402EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2024/01/10 12:0 a.m.12 views

Voting Record <= 2.0 - Subscriber+ Stored XSS

Description The plugin is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks PoC Have a subscriber open an HTML file containing the following: See the XSS when logged in as an admin and viewing recorded votes...

5.4CVSS5.5AI score0.00403EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2023/04/17 12:0 a.m.11 views

Sloth Logo Customizer <= 2.0.2 - Stored XSS via CSRF

The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack PoC Make a logged in Admin open a page containing the HTML code below...

8.8CVSS7.9AI score0.13871EPSS
Exploits2Affected Software1
OSV
OSV
added 2022/12/19 2:15 p.m.7 views

CVE-2022-4125

The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as well...

4.3CVSS5.9AI score0.00285EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2022/09/28 12:0 a.m.18 views

Store Locator < 1.4.6 - Stored XSS via CSRF

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

6.1CVSS4.4AI score0.00227EPSS
Exploits0Affected Software1
Rows per page
Query Builder