3452 matches found

OSV
added 2024/04/26 5:15 a.m. · 2 views

CVE-2024-2908

The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 4.3 · AI score 7.3 · EPSS 0.02892
Exploits 2 · References 1
OSV
added 2024/04/26 5:15 a.m. · 3 views

CVE-2024-2439

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 4.8 · AI score 5.8
Exploits 0 · References 1
NVD
added 2024/04/26 5:15 a.m. · 11 views

CVE-2024-2439

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 4.8 · AI score 5.4 · EPSS 0.00208
Exploits 2 · References 1
Vulnrichment
added 2024/04/26 5:00 a.m. · 11 views

CVE-2024-2439 Salon booking system <= 9.6.5 - Editor+ Stored XSS

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

AI score 5.6 · EPSS 0.00208
Exploits 2 · References 1
CVE
added 2024/04/26 5:00 a.m. · 71 views

CVE-2024-2603

CVE-2024-2603 affects the Salon booking system WordPress plugin (versions ≤ 9.6.5). The issue is due to incomplete sanitization/escaping of certain settings, enabling Stored XSS by high-privilege users (admin or editor, depending on configuration) even when unfiltered_html is disallowed (e.g., mu...

CVSS 6.3 · AI score 7.6 · EPSS 0.00206
Exploits 2 · References 1 · Affected Software 1
Vulnrichment
added 2024/04/26 5:00 a.m. · 21 views

CVE-2024-2908 Call Now Button < 1.4.7 - Admin+ Stored XSS

The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

AI score 5.6 · EPSS 0.02892
Exploits 2 · References 1
CVE
added 2024/04/26 5:00 a.m. · 92 views

CVE-2024-2439

CVE-2024-2439 affects the Salon booking system WordPress plugin up to version 9.6.5. The vulnerability is a Stored XSS arising from insufficient sanitization/escaping of plugin settings, enabling high-privilege users (e.g., Editor) to inject script even if unfiltered_html is disabled (e.g., multi...

CVSS 4.8 · AI score 7.6 · EPSS 0.00208
Exploits 2 · References 1 · Affected Software 1
Cvelist
added 2024/04/26 5:00 a.m. · 15 views

CVE-2024-2439 Salon booking system <= 9.6.5 - Editor+ Stored XSS

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

AI score 5.6 · EPSS 0.00208
Exploits 2 · References 1
Cvelist
added 2024/04/26 5:00 a.m. · 15 views

CVE-2024-2603 Salon booking system <= 9.6.5 - Editor+ Stored XSS via Email Settings

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin or editor depending on Salon booking system WordPress plugin through 9.6.5 configuration to perform Stored Cross-Site Scripting attacks...

AI score 5.6 · EPSS 0.00206
Exploits 2 · References 1
Cvelist
added 2024/04/26 5:00 a.m. · 14 views

CVE-2024-2310 WP Google Review Slider < 13.6 - Admin+ Stored XSS

The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

AI score 5.5 · EPSS 0.00139
Exploits 2 · References 1
WPVulnDB
added 2024/04/26 12:00 a.m. · 11 views

Popup4Phone <= 1.3.2 - Editor+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. PoC: 1. Go to "Popup4Phone Settings...

AI score 5.5 · EPSS 0.00286
Exploits 2
OSV
added 2024/04/25 10:15 p.m. · 2 views

CVE-2024-3265

The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configuration...

CVSS 4.7 · AI score 5.8 · EPSS 0.00132
Exploits 2 · References 1
NVD
added 2024/04/25 10:15 p.m. · 13 views

CVE-2024-3265

The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configuration...

CVSS 4.7 · AI score 7.4 · EPSS 0.00132
Exploits 2 · References 1
CVE
added 2024/04/25 9:25 p.m. · 63 views

CVE-2024-3265

The CVE-2024-3265 entry affects the WordPress plugin Advanced Search (versions up to and including 1.1.6). The root cause is improper escaping of parameters appended to an SQL query, which can enable an SQL Injection in multisite WordPress configurations when performed by users with the administr...

CVSS 4.7 · AI score 9.6 · EPSS 0.00132
Exploits 2 · References 1 · Affected Software 1
Cvelist
added 2024/04/25 9:25 p.m. · 14 views

CVE-2024-3265 WP Advanced Search <= 1.1.6 - Admin+ SQL Injection

The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configuration...

AI score 7.8 · EPSS 0.00132
Exploits 2 · References 1
Vulnrichment
added 2024/04/25 9:25 p.m. · 18 views

CVE-2024-3265 WP Advanced Search <= 1.1.6 - Admin+ SQL Injection

The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configuration...

AI score 7.8 · EPSS 0.00132
Exploits 2 · References 1
OSV
added 2024/04/25 6:15 a.m. · 1 views

CVE-2024-2907

The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 6.8 · AI score 5.8
Exploits 0 · References 1
NVD
added 2024/04/25 6:15 a.m. · 10 views

CVE-2024-2907

The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 6.8 · AI score 5.4 · EPSS 0.00401
Exploits 2 · References 1
CVE
added 2024/04/25 5:00 a.m. · 55 views

CVE-2024-2907

CVE-2024-2907 affects the AGCA – Custom Dashboard & Login Page WordPress plugin before version 7.2.2. The flaw stems from insufficient sanitisation/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., administrators) even when unfiltered_html is disallowed (such as in ...

CVSS 6.8 · AI score 7.6 · EPSS 0.00401
Exploits 2 · References 1 · Affected Software 1
Positive Technologies
added 2024/04/25 12:00 a.m. · 5 views

PT-2024-24743 · WordPress · Advanced Search

Name of the Vulnerable Software and Affected Versions: Advanced Search WordPress plugin versions 1.1.6 and earlier. Description: The issue allows users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configuration due to improper escaping of...

CVSS 4.7 · AI score 9.8 · EPSS 0.00132
Exploits 2 · References 4