PT-2025-2013 · Unknown · Crelly Slider

Name of the Vulnerable Software and Affected Versions: Crelly Slider versions prior to 1.4.7 Description: The issue arises from the plugin not sanitizing and escaping some of its settings, potentially allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting...

CVE-2024-13505

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ayssections5questions8title’ parameter in all versions up to, and including, 5.1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

PT-2025-2195 · WordPress · Survey Maker

Name of the Vulnerable Software and Affected Versions: Survey Maker plugin for WordPress versions up to, and including, 5.1.3.3 Description: The issue is related to Stored Cross-Site Scripting via the ays sections5questions8title parameter due to insufficient input sanitization and output escapin...

CVE-2024-13450

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.17.4 via the Webhooks integration. This makes it possible for...

CVE-2024-13450

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.17.4 via the Webhooks integration. This makes it possible for...

CVE-2024-13450 Contact Form by Bit Form <= 2.17.4 - Authenticated (Administrator+) Server-Side Request Forgery

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.17.4 via the Webhooks integration. This makes it possible for...

CVE-2024-13450

CVE-2024-13450 refers to the WordPress plugin “Contact Form by Bit Form” (versions ≤ 2.17.4). The issue is an authenticated SSRF via the Webhooks integration, allowing an attacker with Administrator-level access (and in multisite) to trigger web requests from the application to arbitrary internal...

CVE-2024-13517

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-12567

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-12568

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example...

CVE-2024-12566

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-12568

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example...

CVE-2024-12717

The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-12717

CVE-2024-12717 affects the Aklamator INfeed WordPress plugin (≤2.0.0); insufficient sanitization/escaping of settings can let high-privilege users (e.g., Admin) perform Stored XSS even when unfiltered_html is disallowed (e.g., multisite). Public remediation/fix details are not provided in the sup...

CVE-2024-12045

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the maker title value of the Google Maps block in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping...

WordPress MIPL WC Multisite Sync plugin <= 1.1.5 - Unauthenticated Arbitrary File Download vulnerability

Unauthenticated Arbitrary File Download vulnerability discovered by nvthien in WordPress Plugin MIPL WC Multisite Sync versions = 1.1.5...

CVE-2024-12152 MIPL WC Multisite Sync <= 1.1.5 - Unauthenticated Arbitrary File Download

The MIPL WC Multisite Sync plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.5 via the 'miplwcsyncdownloadlog' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain...

CVE-2024-12152

CVE-2024-12152 concerns the MIPL WC Multisite Sync WordPress plugin. The Wordfence entry confirms a directory traversal vulnerability that affects all versions up to 1.1.5 via the mipl_wc_sync_download_log action, enabling unauthenticated reading of arbitrary server files containing potentially s...

CVE-2024-9638

The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-10562 Form Maker by 10Web < 1.15.31 - Admin+ Stored XSS

The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...