Better Comments < 1.5.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. From the WordPress menu on the...

Save as PDF by Pdfcrowd < 3.2.2 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Settings Save as Image"...

BIT-DISCOURSE-2024-27100 Denial of service via Staff Actions in Discourse

Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could...

CVE-2024-2278

Themify WordPress plugin before 1.4.4 does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-2278 WooCommerce Product Filter < 1.4.4 - Admin+ Stored XSS

Themify WordPress plugin before 1.4.4 does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-2278

The CVE-2024-2278 entry corresponds to the Themify WordPress plugin prior to version 1.4.4. The vulnerability arises because the plugin does not sanitize and escape some Filter settings, potentially allowing high-privilege users (e.g., administrators) to perform Stored Cross-Site Scripting even w...

CVE-2024-2968

The WP-Eggdrop plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

CVE-2024-2963

The Pocket News Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings such as "Consumer Key" and "Access Token" in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Breeze < 2.1.4 - Admin+ Stored XSS

Description The plugin does not sanitise and escape its breezeapitoken settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2024-22960 · WordPress · Wp-Eggdrop

Name of the Vulnerable Software and Affected Versions: WP-Eggdrop plugin for WordPress versions up to, and including, 0.1 Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated...

PT-2024-22943 · WordPress · Pocket News Generator

Name of the Vulnerable Software and Affected Versions: The Pocket News Generator plugin for WordPress versions up to, and including, 0.2.0 Description: The issue is related to Stored Cross-Site Scripting via admin settings, specifically Consumer Key and Access Token, due to insufficient input...

CVE-2024-29910

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Alordiel Dropdown Multisite selector allows Stored XSS.This issue affects Dropdown Multisite selector: from n/a through 0.9.2...

CVE-2024-29910

CVE-2024-29910 refers to a Stored Cross-Site Scripting (XSS) flaw in the WordPress plugin “Dropdown Multisite selector.” The connected data indicate this affects versions up to 0.9.2 (listed as &lt;= 0.9.2) with the issue described as Stored XSS via shortcode. The vulnerability is categorized as ...

CVE-2024-29910 WordPress Dropdown Multisite selector plugin <= 0.9.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Alordiel Dropdown Multisite selector allows Stored XSS.This issue affects Dropdown Multisite selector: from n/a through 0.9.2...

WP Staging (Free < 3.4.0, Pro < 5.4.0) - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "WP Staging Backup &...

Social Media Share Buttons < 2.8.9 - Admin+ Stored XSS via settings

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Ultimate Social Media...

WordPress Plugin Dropdown multisite selector 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers.WordPress plugin is an application...

PT-2024-22937 · WordPress · The Simple Ajax Chat

Name of the Vulnerable Software and Affected Versions: The Simple Ajax Chat – Add a Fast, Secure Chat Box plugin for WordPress versions up to, and including, 20231101 Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and...

WordPress Dropdown Multisite selector Plugin <= 0.9.2 is vulnerable to Cross Site Scripting (XSS)

Software Dropdown Multisite selector Type Plugin Vulnerable versions = 0.9.2 Fixed in 0.9.2.1 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2024-29910 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 070110679b87 Credits LVT-tholv2k Required...

NPS computy < 2.7.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Settings NPS Monitoring"...