712 matches found
WordPress Social Rocket plugin <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Social Rocket versions <= 1.3.4...
PT-2024-36672 · Unknown · Ibnuyahya Category Post Shortcode
Name of the Vulnerable Software and Affected Versions: ibnuyahya Category Post Shortcode versions 2.4 and earlier Description: The issue is related to an Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Stored XSS in the ibnuyahya...
WordPress WP-SVG plugin <= 0.9 - Contributor+ Stored XSS via Shortcode vulnerability
Contributor+ Stored XSS via Shortcode vulnerability discovered by Bob Matyas in WordPress Plugin WP-SVG versions <= 0.9...
PT-2024-17353 · WordPress · One Click Upsell Funnel For Woocommerce
Name of the Vulnerable Software and Affected Versions: The One Click Upsell Funnel for WooCommerce – Funnel Builder for WordPress versions up to, and including, 3.4.9 Description: The issue is related to Stored Cross-Site Scripting via the plugin's wps_wocuf_pro_yes shortcode due to insufficient...
PT-2024-17668 · WordPress · Magicpost
Name of the Vulnerable Software and Affected Versions: MagicPost plugin for WordPress versions up to, and including, 1.2.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's wb share social shortcode due to insufficient input sanitization and output escaping on...
WordPress One Click Upsell Funnel for WooCommerce plugin <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via wps_wocuf_pro_yes Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via wps_wocuf_pro_yes Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin One Click Upsell Funnel for WooCommerce versions <= 3.4.9...
WordPress Serious Slider plugin < 1.2.7 - Contributor+ Stored XSS via Shortcode vulnerability
Contributor+ Stored XSS via Shortcode vulnerability discovered by Bob Matyas in WordPress Plugin Serious Slider versions < 1.2.7...
PT-2024-17631 · WordPress · Nacc Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: NACC WordPress Plugin versions up to, and including, 4.1.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'nacc' shortcode due to insufficient input sanitization and output escaping on user-supplied...
PT-2024-17255 · WordPress · Financial Calculator
Name of the Vulnerable Software and Affected Versions: Financial Calculator plugin for WordPress versions up to, and including, 2.2.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's finance calculator shortcode due to insufficient input sanitization and output...
PT-2024-17250 · WordPress · Pcrecruiter Extensions
Name of the Vulnerable Software and Affected Versions: PCRecruiter Extensions plugin for WordPress versions up to, and including, 1.4.10 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'PCRecruiter' shortcode due to insufficient input sanitization and output...
CVE-2024-12061
The Events Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.3 via the naeventselementortemplate shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, wi...
PT-2024-17598 · WordPress · Video Share Vod – Turnkey Video Site Builder Script
Name of the Vulnerable Software and Affected Versions: Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress versions prior to 2.6.31 Description: The issue is related to Stored Cross-Site Scripting in the plugin's videowhisper player html shortcode due to insufficient input...
PT-2024-17318 · WordPress · Easy Waveform Player
Name of the Vulnerable Software and Affected Versions: Easy Waveform Player plugin for WordPress versions up to, and including, 1.2.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'easywaveformplayer' shortcode due to insufficient input sanitization and output...
WordPress Tithe.ly Giving Button plugin <= 1.1 - Contributor+ Stored XSS via Shortcode vulnerability
Contributor+ Stored XSS via Shortcode vulnerability discovered by Bob Matyas in WordPress Plugin Tithe.ly Giving Button versions <= 1.1...
CVE-2024-11766
CVE-2024-11766 affects WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more (WordPress GS Books Showcase) up to version 1.3.1. It enables Stored Cross-Site Scripting via the gs_book_showcase shortcode due to insufficient input sanitization/output escaping on use...
CVE-2024-12461 WP-Revive Adserver <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WP-Revive Adserver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpreviveasync' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
WordPress Arena.IM – Live Blogging for real-time events plugin <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via arena_embed_amp Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via arena_embed_amp Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Arena.IM – Live Blogging for real-time events versions <= 0.4.1...
PT-2024-16819 · WordPress · Mycred
Name of the Vulnerable Software and Affected Versions: myCred – Loyalty Points and Rewards plugin versions up to, and including, 2.7.5.2 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the...
WordPress myCred plugin <= 2.7.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin myCred versions <= 2.7.5.2...
WordPress Luna Web Radio Player plugin <= 6.24.11.07 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton in WordPress Plugin Luna Web Radio Player versions <= 6.24.11.07...