CVE
added 2024/11/25 6:00 a.m. · 113 views

CVE-2024-7056

CVE-2024-7056 affects WPForms for WordPress (pre-1.9.1.6). The issue is caused by insufficient sanitization/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., Administrator) even when unfiltered_html is disabled (such as in multisite setups). The Red Hat and CVE lists...

CVSS 3.5 · AI score 4.7 · EPSS 0.00194
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2024/11/25 6:00 a.m. · 17 views

CVE-2024-6393 NextGEN Gallery < 3.59.5 - Admin+ Stored XSS

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example i...

EPSS 0.00202
Exploits 1 · References 1
CVE
added 2024/11/25 6:00 a.m. · 55 views

CVE-2024-6393

CVE-2024-6393 affects the WordPress plugin NextGEN Gallery (Photo Gallery, Sliders, Proofing and Themes). The issue is a lack of sanitization/escaping in the plugin’s Images settings, enabling stored XSS by high-privilege users (e.g., Administrators) even if unfiltered_html is disallowed. Affecte...

CVSS 4.8 · AI score 4.7 · EPSS 0.00202
Exploits 1 · References 1 · Affected Software 1
Vulnrichment
added 2024/11/25 6:00 a.m. · 12 views

CVE-2024-6393 NextGEN Gallery < 3.59.5 - Admin+ Stored XSS

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example i...

AI score 5.7 · EPSS 0.00202
Exploits 1 · References 1
CVE
added 2024/11/25 6:00 a.m. · 59 views

CVE-2024-10710

CVE-2024-10710 (YaDisk Files WordPress plugin) affects YaDisk Files up to version 1.2.5. The Red Hat and other sources confirm the issue: the plugin does not sanitise/escape certain settings, enabling Stored XSS by high-privilege users (admin) even when unfiltered_html is disallowed. Technical de...

CVSS 3.5 · AI score 3.4 · EPSS 0.00131
Exploits 1 · References 1 · Affected Software 1
Vulnrichment
added 2024/11/25 6:00 a.m. · 12 views

CVE-2024-10710 YaDisk Files <= 1.2.5 - Admin+ Stored XSS

The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

AI score 3.8 · EPSS 0.00131
Exploits 1 · References 1
Positive Technologies
added 2024/11/25 12:00 a.m. · 3 views

PT-2024-38048

Name of the Vulnerable Software and Affected Versions: WPForms versions prior to 1.9.1.6. Description: The issue allows high privilege users, such as Admin, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, for example in multisite setups. This i...

CVSS 3.5 · AI score 6.5 · EPSS 0.00194
Exploits 1 · References 6
NVD
added 2024/11/21 11:15 a.m. · 10 views

CVE-2024-9768

The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 4.8 · EPSS 0.0019
Exploits 1 · References 1
CVE
added 2024/11/21 6:00 a.m. · 53 views

CVE-2024-9768

Formidable Forms WordPress plugin prior to version 6.14.1 is affected: it does not sanitize/escape certain settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisite). Impact is a stored XSS vector within plugin settings; rem...

CVSS 4.8 · AI score 4.7 · EPSS 0.0019
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2024/11/21 6:00 a.m. · 16 views

CVE-2024-9768 Formidable Forms < 6.14.1 - Admin+ Stored XSS

The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

EPSS 0.0019
Exploits 1 · References 1
Patchstack
added 2024/11/14 4:37 p.m. · 10 views

WordPress Really Simple Security Pro multisite Plugin 9.0.0-9.1.1.1 - Account Takeover vulnerability

Account Takeover vulnerability discovered by István Márton in WordPress Plugin Really Simple Security Pro multisite versions 9.0.0-9.1.1.1...

CVSS 9.8 · AI score 7 · EPSS 0.93889
Exploits 21 · References 1 · Affected Software 1
OSV
added 2024/11/13 2:15 a.m. · 1 view

CVE-2024-10038

The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

CVSS 6.1 · AI score 5.9
Exploits 0 · References 2
Positive Technologies
added 2024/11/13 12:00 a.m. · 8 views

PT-2024-15989 · WordPress · Wp-Strava

Name of the Vulnerable Software and Affected Versions: WP-Strava plugin for WordPress versions up to, and including, 2.12.1. Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated...

CVSS 6.1 · AI score 8.1 · EPSS 0.0026
Exploits 0 · References 6
Positive Technologies
added 2024/11/08 12:00 a.m. · 1 view

PT-2024-39833 · WordPress · The Anih - Creative Agency Wordpress Theme

Name of the Vulnerable Software and Affected Versions: The Anih - Creative Agency WordPress Theme versions up to, and including, 2024. Description: The issue is related to Stored Cross-Site Scripting via admin settings due to an incomplete blacklist, insufficient input sanitization, and output...

CVSS 5.5 · AI score 6.1 · EPSS 0.00276
Exploits 0 · References 8
OSV
added 2024/11/07 6:15 a.m. · 2 views

CVE-2024-10027

The WP Booking Calendar WordPress plugin before 10.6.3 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setu...

CVSS 4.8 · AI score 5.8 · EPSS 0.0017
Exploits 1 · References 1
Cvelist
added 2024/11/07 6:00 a.m. · 19 views

CVE-2024-10027 WP Booking Calendar < 10.6.3 - Admin+ Stored XSS

The WP Booking Calendar WordPress plugin before 10.6.3 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setu...

EPSS 0.0017
Exploits 1 · References 1
OSV
added 2024/11/05 10:21 a.m. · 1 view

CVE-2024-9878

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVSS 4.8 · AI score 7.3
Exploits 0 · References 3
OSV
added 2024/11/05 6:15 a.m. · 11 views

CVE-2024-9883

The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 4.8 · AI score 5.6
Exploits 0 · References 1
Vulnrichment
added 2024/11/05 6:00 a.m. · 17 views

CVE-2024-9883 Pods < 3.2.7.1 - Admin+ Stored XSS

The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

AI score 4.7 · EPSS 0.0027
Exploits 1 · References 1
Cvelist
added 2024/11/05 6:00 a.m. · 14 views

CVE-2024-9883 Pods < 3.2.7.1 - Admin+ Stored XSS

The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

EPSS 0.0027
Exploits 1 · References 1