CVE-2024-3075

The MM-email2image WordPress plugin through 0.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

WordPress plugin MM-email2image 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

WordPress plugin Social Sharing 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability exists in the...

Swift Framework < 2024.0.0 - Contributor+ Stored XSS via Shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. P...

Swift Framework < 2024.0.0 - Contributor+ Stored XSS via Shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1...

WordPress Simple Membership plugin <= 4.4.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

AuthenticatedContributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Thanh Nam Tran in WordPress Plugin Simple Membership versions = 4.4.3...

WordPress WOOCS plugin <= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by stealthcopter in WordPress Plugin FOX versions = 1.4.1.8...

WordPress Collapse-O-Matic plugin <= 1.8.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Richard Telleng stueotue in WordPress Plugin Collapse-O-Matic versions = 1.8.5.5...

Tutor LMS – eLearning and online course solution < 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tutor_instructor_list' Shortcode

Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutorinstructorlist' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user suppli...

Shortcodes Ultimate < 7.1.2 - Contributor+ Stored XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Add the following shortcode to a post: sulightbox src='123"onmouseover="alert1"'Click...

FOX – Currency Switcher Professional for WooCommerce < 1.4.1.9 - Unauthenticated Arbitrary Shortcode Execution

Description The FOX – Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on...

CVE-2024-3732

The GeoDirectory – WordPress Business Directory Plugin, or Classified Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gdsingletabs' shortcode in all versions up to, and including, 2.3.48 due to insufficient input sanitization and output escaping on us...

WordPress Social Sharing Plugin – Social Warfare plugin <= 4.4.6.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

AuthenticatedContributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Social Warfare versions = 4.4.6.1...

WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.6.18 - Authenticated (Contributor+) SQL Injection via rtmedia_gallery Shortcode vulnerability

Authenticated Contributor+ SQL Injection via rtmediagallery Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin rtMedia for WordPress, BuddyPress and bbPress versions = 4.6.18...

PT-2024-24985 · WordPress · Rtmedia For Wordpress

Name of the Vulnerable Software and Affected Versions: rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress versions up to, and including, 4.6.18 Description: The issue allows authenticated attackers with contributor-level access and above to perform blind SQL Injection via the...

PT-2024-27475 · WordPress · Geodirectory

Name of the Vulnerable Software and Affected Versions: The GeoDirectory – WordPress Business Directory Plugin versions up to, and including, 2.3.48 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'gd single tabs' shortcode due to insufficient input sanitization a...

WordPress Shortcode Addons plugin <= 3.2.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by NinTechNet in WordPress Plugin Shortcode Addons versions = 3.2.5...

WordPress Icon Widget plugin <= 1.3.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode vulnerability

AuthenticatedContributor+ Stored Cross-Site Scripting via shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Icon Widget versions = 1.3.0...

WordPress hCaptcha plugin <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via cf7-hcaptcha Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via cf7-hcaptcha Shortcode vulnerability discovered by haidv35 in WordPress Plugin hCaptcha for WP versions = 4.0.0...

Colibri Page Builder < 1.0.272 - Contributor+ Stored Cross-Site Scripting via the plugin's 'colibri_breadcrumb_element' shortcode

Description The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibribreadcrumbelement' shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This...