3452 matches found

NVD · added 2024/05/06 6:15 a.m. · 12 views
CVE-2024-3755
The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVSS 5.4 · AI score 5.4 · EPSS 0.00319
Exploits: 2 · References: 1

OSV · added 2024/05/06 6:15 a.m. · 2 views
CVE-2024-0904
The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVSS 5.9 · AI score 5.8 · EPSS 0.00431
Exploits: 2 · References: 1

Cvelist · added 2024/05/06 6:00 a.m. · 19 views
CVE-2024-0904 Fancy Product Designer < 6.1.81 - Admin+ Cross Site Scripting
The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
AI score 5.5 · EPSS 0.00431
Exploits: 2 · References: 1

Cvelist · added 2024/05/06 6:00 a.m. · 17 views
CVE-2024-3752 Crelly Slider <= 1.4.5 - Admin+ Stored XSS
The Crelly Slider WordPress plugin through 1.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
AI score 5.5 · EPSS 0.00456
Exploits: 2 · References: 1

CVE · added 2024/05/06 6:00 a.m. · 75 views
CVE-2024-0904
CVE-2024-0904 affects Fancy Product Designer (WordPress plugin) versions prior to 6.1.81. The issue is due to incomplete sanitization/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (e.g., multisite). Reported impact...
CVSS 5.9 · AI score 5.6 · EPSS 0.00431
Exploits: 2 · References: 1 · Affected Software: 1

Cvelist · added 2024/05/06 6:00 a.m. · 23 views
CVE-2024-3755 MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS
The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
AI score 5.5 · EPSS 0.00319
Exploits: 2 · References: 1

CVE · added 2024/05/06 6:00 a.m. · 55 views
CVE-2024-3755
CVE-2024-3755 affects MF Gig Calendar for WordPress up to version 1.2.1. The root cause is that the plugin does not sanitize/escape certain settings, enabling a stored XSS when a high-privilege user (e.g., Editor) interacts with the plugin, even if unfiltered_html is disallowed (such as in multis...
CVSS 5.4 · AI score 5.6 · EPSS 0.00319
Exploits: 2 · References: 1 · Affected Software: 1

Vulnrichment · added 2024/05/06 6:00 a.m. · 14 views
CVE-2024-3755 MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS
The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
AI score 5.6 · EPSS 0.00319
Exploits: 2 · References: 1

Vulnrichment · added 2024/05/06 6:00 a.m. · 18 views
CVE-2024-3752 Crelly Slider <= 1.4.5 - Admin+ Stored XSS
The Crelly Slider WordPress plugin through 1.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
AI score 5.6 · EPSS 0.00456
Exploits: 2 · References: 1

NVD · added 2024/05/03 6:15 a.m. · 11 views
CVE-2024-3637
The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
CVSS 6.1 · AI score 5.4 · EPSS 0.00398
Exploits: 2 · References: 1

Cvelist · added 2024/05/03 6:00 a.m. · 19 views
CVE-2024-3637 Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Admin+ Stored XSS
The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
AI score 5.5 · EPSS 0.00398
Exploits: 2 · References: 1

OSV · added 2024/05/02 5:15 p.m. · 0 views
CVE-2024-2958
The SVS Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via pricing table settings in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVSS 4.8 · AI score 5.9
Exploits: 0 · References: 2

WPVulnDB · added 2024/05/02 12:00 a.m. · 26 views
Button contact VR <= 4.7 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup
PoC: Click on the "Button contact" and...
AI score 5.4 · EPSS 0.00276
Exploits: 2 · References: 1

Positive Technologies · added 2024/05/02 12:00 a.m. · 2 views
PT-2024-20231 · WordPress · Admin Page Spider
Name of the Vulnerable Software and Affected Versions: Admin Page Spider plugin for WordPress versions up to, and including, 3.20
Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticat...
CVSS 4.4 · AI score 5.9 · EPSS 0.0021
Exploits: 0 · References: 4

Positive Technologies · added 2024/05/02 12:00 a.m. · 4 views
PT-2024-29106 · WordPress · Tabellen Von Faustball.Com
Name of the Vulnerable Software and Affected Versions: The Tabellen von faustball.com plugin for WordPress versions up to, and including, 2.0.4
Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allo...
CVSS 4.4 · AI score 5.8 · EPSS 0.00202
Exploits: 0 · References: 4

Positive Technologies · added 2024/05/02 12:00 a.m. · 1 view
PT-2024-22957 · WordPress · Wp Front User Submit / Front Editor
Name of the Vulnerable Software and Affected Versions: WP Front User Submit / Front Editor plugin for WordPress versions up to, and including, 4.4.1
Description: The issue is related to Stored Cross-Site Scripting via form settings due to insufficient input sanitization and output escaping. This...
CVSS 4.4 · AI score 5.8 · EPSS 0.00357
Exploits: 0 · References: 4

WPVulnDB · added 2024/05/01 12:00 a.m. · 12 views
IDonate <= 1.9.0 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup
PoC: 1. Navigate to...
AI score 4.9 · EPSS 0.00995
Exploits: 2 · References: 1

WPVulnDB · added 2024/04/30 12:00 a.m. · 11 views
Sailthru Triggermail <= 1.1 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup
PoC: 1. Go to...
AI score 7.7 · EPSS 0.00155
Exploits: 2

CVE · added 2024/04/29 6:00 a.m. · 59 views
CVE-2024-1905
CVE-2024-1905 concerns the Smart Forms WordPress plugin, prior to version 2.6.96. It allows stored XSS via unsanitised/unescaped plugin settings, potentially affecting high-privilege users (e.g., admins), even when unfiltered_html is disallowed (including multisite). The issue is mitigated by upg...
CVSS 5.9 · AI score 5.6 · EPSS 0.00199
Exploits: 2 · References: 1 · Affected Software: 1

OSV · added 2024/04/26 5:15 a.m. · 0 views
CVE-2024-2603
The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin or editor depending on Salon booking system WordPress plugin through 9.6.5 configuration to perform Stored Cross-Site Scripting attacks...
CVSS 6.3 · AI score 5.8
Exploits: 0 · References: 1