
3448 matches found

OSV
added 2025/02/13 6:15 a.m. · 2 views

CVE-2024-13120

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even wh...

4.8 CVSS · 7.3 AI score
Exploits: 0 · References: 1

NVD
added 2025/02/13 6:15 a.m. · 14 views

CVE-2024-13120

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even wh...

4.8 CVSS · 0.00471 EPSS
Exploits: 1 · References: 1

CVE
added 2025/02/13 6:0 a.m. · 62 views

CVE-2024-13121

The CVE-2024-13121 entry concerns the WordPress Paid Membership Plugin (and related components) prior to version 4.15.20. The root cause is insufficient sanitisation/escaping of certain plugin settings, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disall...

3.5 CVSS · 5.7 AI score · 0.00471 EPSS
Exploits: 1 · References: 1 · Affected Software: 1

CVE
added 2025/02/13 6:0 a.m. · 78 views

CVE-2024-13120

The CVE-2024-13120 entry concerns the ProfilePress WordPress plugin (Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress) prior to version 4.15.20. Technical details in connected records show the issue is a stored XSS caused by not...

4.8 CVSS · 5.7 AI score · 0.00471 EPSS
Exploits: 1 · References: 1 · Affected Software: 1

CVE
added 2025/02/13 6:0 a.m. · 56 views

CVE-2024-13119

CVE-2024-13119 affects the ProfilePress family in WordPress via the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content suite. The public description confirms that versions prior to 4.15.20 do not sanitize/escape certain settings, enabling Stored...

4.8 CVSS · 5.7 AI score · 0.00471 EPSS
Exploits: 1 · References: 1 · Affected Software: 1

Positive Technologies
added 2025/02/13 12:0 a.m. · 4 views

PT-2025-6532 · WordPress · Everest Forms

Name of the Vulnerable Software and Affected Versions: Everest Forms WordPress plugin versions prior to 3.0.8.1
Description: The issue allows high privilege users, such as admin, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in ...

3.5 CVSS · 7.9 AI score · 0.00179 EPSS
Exploits: 1 · References: 8

Positive Technologies
added 2025/02/13 12:0 a.m. · 3 views

PT-2025-6531 · WordPress · Paid Membership Plugin

Name of the Vulnerable Software and Affected Versions: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin versions prior to 4.15.20
Description: The issue concerns the Paid Membership Plugin, Ecommerce, User Registration Form,...

3.5 CVSS · 6.1 AI score · 0.00471 EPSS
Exploits: 1 · References: 6

OSV
added 2025/02/11 6:15 a.m. · 2 views

CVE-2024-13544

The Zarinpal Paid Download WordPress plugin through 2.3 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to for example in multisite setup...

4.8 CVSS · 5.9 AI score
Exploits: 0 · References: 1

Positive Technologies
added 2025/02/11 12:0 a.m. · 2 views

PT-2025-6159 · WordPress · Zarinpal Paid Download

Name of the Vulnerable Software and Affected Versions: Zarinpal Paid Download WordPress plugin versions prior to 2.4
Description: The issue arises from the plugin's failure to properly validate uploaded files, allowing high-privilege users, such as administrators, to upload arbitrary files to the...

4.8 CVSS · 7.3 AI score · 0.00071 EPSS
Exploits: 1 · References: 7

OSV
added 2025/02/08 1:15 p.m. · 1 views

CVE-2024-13850

The Simple add pages or posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject...

4.8 CVSS · 5.9 AI score
Exploits: 0 · References: 3

Positive Technologies
added 2025/02/08 12:0 a.m. · 2 views

PT-2025-6018 · WordPress · Simple Add Pages/Posts

Name of the Vulnerable Software and Affected Versions: Simple Add Pages or Posts plugin for WordPress versions up to, and including, 2.0.0
Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attacke...

5.5 CVSS · 8.2 AI score · 0.00162 EPSS
Exploits: 0 · References: 12

RedhatCVE
added 2025/02/05 11:47 a.m. · 5 views

CVE-2024-7492

The MainWP Child Reports plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the networkoptionsaction function. This makes it possible for unauthenticated attackers to update arbitrary...

8.8 CVSS · 6.8 AI score · 0.00469 EPSS
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/05 10:33 a.m. · 3 views

CVE-2024-12152

The MIPL WC Multisite Sync plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.5 via the 'miplwcsyncdownloadlog' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain...

7.5 CVSS · 6.7 AI score · 0.07685 EPSS
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/05 9:3 a.m. · 3 views

CVE-2024-38673

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Obtain Infotech Multisite Content Copier/Updater allows Reflected XSS. This issue affects Multisite Content Copier/Updater: from n/a through 1.5.0...

7.1 CVSS · 7 AI score · 0.001 EPSS
Exploits: 0

Vulnrichment
added 2025/01/31 6:0 a.m. · 9 views

CVE-2024-12872 Zalomení <= 1.5 - Admin+ Stored XSS

The Zalomení WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

4.7 AI score · 0.00143 EPSS
Exploits: 1 · References: 1

OSV
added 2025/01/28 6:15 a.m. · 3 views

CVE-2024-12807

The Social Share Buttons for WordPress plugin through 2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

4.8 CVSS · 7.3 AI score
Exploits: 0 · References: 1

Positive Technologies
added 2025/01/27 12:0 a.m. · 3 views

PT-2025-2013 · Unknown · Crelly Slider

Name of the Vulnerable Software and Affected Versions: Crelly Slider versions prior to 1.4.7
Description: The issue arises from the plugin not sanitizing and escaping some of its settings, potentially allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting...

3.8 CVSS · 6.3 AI score · 0.00085 EPSS
Exploits: 1 · References: 7

OSV
added 2025/01/26 12:15 p.m. · 0 views

CVE-2024-13505

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ayssections5questions8title’ parameter in all versions up to, and including, 5.1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.8 CVSS · 7.3 AI score
Exploits: 0 · References: 2

Positive Technologies
added 2025/01/26 12:0 a.m. · 4 views

PT-2025-2195 · WordPress · Survey Maker

Name of the Vulnerable Software and Affected Versions: Survey Maker plugin for WordPress versions up to, and including, 5.1.3.3
Description: The issue is related to Stored Cross-Site Scripting via the ays sections5questions8title parameter due to insufficient input sanitization and output escapin...

5.5 CVSS · 6.2 AI score · 0.00123 EPSS
Exploits: 0 · References: 7

OSV
added 2025/01/25 9:15 a.m. · 2 views

CVE-2024-13450

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.17.4 via the Webhooks integration. This makes it possible for...

6.5 CVSS · 5.8 AI score · 0.00342 EPSS
Exploits: 0 · References: 7