CVE-2024-3823
The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not have a CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-2785
The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Age Gate widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2024-23562 · WordPress · Custom Field Suite
Name of the Vulnerable Software and Affected Versions: Custom Field Suite plugin for WordPress versions up to, and including, 2.6.5 Description: The issue is related to Stored Cross-Site Scripting via the cfsfieldsname parameter due to insufficient input sanitization and output escaping. This...
PT-2024-25895 · Unknown · Easy Affiliate Links
Name of the Vulnerable Software and Affected Versions: Easy Affiliate Links versions 3.7.2 and earlier Description: The issue is related to improper neutralization of input during web page generation, which leads to a Stored XSS vulnerability. This allows for the storage of malicious scripts that...
WordPress Folders Pro plugin <= 3.0.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User First Name and Last Name vulnerability
Authenticated Subscriber+ Stored Cross-Site Scripting via User First Name and Last Name vulnerability discovered by Mike Harris in WordPress Plugin Folders versions <= 3.0.2...
PT-2024-26241 · WordPress · Wp Recipe Maker
Name of the Vulnerable Software and Affected Versions: WP Recipe Maker plugin for WordPress versions up to, and including, 9.3.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's wprm-recipe-roundup-item shortcode due to insufficient input sanitization and output...
PT-2024-24873 · WordPress · Follow Us Badges
Name of the Vulnerable Software and Affected Versions: Follow Us Badges plugin for WordPress versions up to, and including, 3.1.10 Description: The issue is related to Stored Cross-Site Scripting via the plugin's wpsite follow us badges shortcode due to insufficient input sanitization and output...
WordPress Mhr Post Ticker plugin <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by Benedictus Jovan in WordPress Plugin Mhr Post Ticker versions <= 1.1...
PT-2024-25440 · Pdfcrowd · Save As Pdf Plugin
Name of the Vulnerable Software and Affected Versions: Save as PDF plugin by Pdfcrowd versions 3.2.0 and earlier Description: The issue is related to a Missing Authorization vulnerability in the Save as PDF plugin by Pdfcrowd, which allows Stored XSS. Recommendations: For versions 3.2.0 and...
CVE-2024-3076
The MM-email2image WordPress plugin through 0.2.5 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-3075
The MM-email2image WordPress plugin through 0.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
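Several entries in this list share two root causes: a settings handler that accepts a POST without a nonce or capability check (the CSRF entries for Base64 Encoder/Decoder and MM-email2image), and a shortcode whose attributes are printed into HTML without escaping (WP Recipe Maker, Follow Us Badges, MM-email2image). The PHP below is an added illustration written for this page, not code from any of the listed plugins; the plugin, option, hook and shortcode names (`xssdemo_*`) are invented. It shows each vulnerable pattern beside its hardened form using the WordPress nonce, capability, sanitisation and escaping APIs.

```php
<?php
/*
 * Plugin Name: Stored XSS Pattern Demo (hypothetical, added example)
 * Illustrates the two defect classes recurring in the advisories above on a
 * made-up plugin. Option, hook and shortcode names are invented for this example.
 */

/* ---------- 1. Settings handler: vulnerable vs hardened ---------- */

// VULNERABLE: no nonce check (CSRF), no capability check, raw input stored and
// later echoed unescaped. A form on an attacker-controlled site can make a
// logged-in admin's browser POST here and persist the payload.
function xssdemo_save_settings_vulnerable() {
    if ( isset( $_POST['xssdemo_footer_text'] ) ) {
        update_option( 'xssdemo_footer_text', $_POST['xssdemo_footer_text'] );
    }
}

function xssdemo_render_footer_vulnerable() {
    echo '<div class="xssdemo-footer">' . get_option( 'xssdemo_footer_text', '' ) . '</div>';
}

// HARDENED: capability check, nonce verification, sanitisation on the way in and
// escaping on the way out. All three matter: the nonce stops CSRF, the sanitiser
// limits what can be stored, and the escaper makes the stored value safe at the
// point where it is printed, whatever route it took into the database.
function xssdemo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="xssdemo_save" />
        <?php wp_nonce_field( 'xssdemo_save_settings', 'xssdemo_nonce' ); ?>
        <input type="text" name="xssdemo_footer_text"
               value="<?php echo esc_attr( get_option( 'xssdemo_footer_text', '' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}

function xssdemo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Dies with a 403 page if the nonce is missing, expired or forged.
    check_admin_referer( 'xssdemo_save_settings', 'xssdemo_nonce' );

    $value = isset( $_POST['xssdemo_footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['xssdemo_footer_text'] ) )
        : '';
    update_option( 'xssdemo_footer_text', $value );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_xssdemo_save', 'xssdemo_save_settings_hardened' );

function xssdemo_render_footer_hardened() {
    echo '<div class="xssdemo-footer">' . esc_html( get_option( 'xssdemo_footer_text', '' ) ) . '</div>';
}

/* ---------- 2. Shortcode attributes: vulnerable vs hardened ---------- */

// VULNERABLE: a contributor who can only submit posts for review writes
// [xssdemo_box title='" onmouseover="alert(1)'] and the attribute value is
// interpolated straight into the markup, so the payload fires for every viewer.
function xssdemo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => '#000' ), $atts, 'xssdemo_box' );
    return '<div class="xssdemo-box" style="color:' . $atts['color'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</div>';
}

// HARDENED: each attribute is escaped for the context it lands in (HTML attribute
// vs element text), and the colour is constrained to a known-safe shape rather than
// escaped, because escaping alone does not make arbitrary CSS safe.
function xssdemo_box_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'color' => '#000' ), $atts, 'xssdemo_box' );
    $color = preg_match( '/^#([0-9a-fA-F]{3}){1,2}$/', $atts['color'] ) ? $atts['color'] : '#000';
    return '<div class="xssdemo-box" style="color:' . esc_attr( $color ) . '" title="'
         . esc_attr( $atts['title'] ) . '">' . esc_html( $atts['title'] ) . '</div>';
}
add_shortcode( 'xssdemo_box', 'xssdemo_box_hardened' );
```

When reviewing a plugin for these classes, grep for `update_option` and `$_POST` in the same function without a nearby `check_admin_referer`/`wp_verify_nonce` and `current_user_can`, and for shortcode callbacks that concatenate `$atts[...]` into returned markup without an `esc_*` call; the "Contributor+" and "Admin+ via CSRF" qualifiers in the advisories above correspond exactly to those two code smells.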
PT-2024-24702 · Unknown · Averta Master Slider
Name of the Vulnerable Software and Affected Versions: Averta Master Slider versions through 3.9.8 Description: The issue is related to improper neutralization of input during web page generation, which allows for stored cross-site scripting (XSS). This means that an attacker can inject malicious...
PT-2024-24696 · Kraftplugins · Kraftplugins Mega Elements
Name of the Vulnerable Software and Affected Versions: Kraftplugins Mega Elements versions 1.1.9 and earlier Description: The issue is related to improper neutralization of input during web page generation, which allows for Stored XSS. This means an attacker can inject malicious scripts into the...
PT-2024-24718 · Unknown · Dsgvo Youtube
Name of the Vulnerable Software and Affected Versions: DSGVO Youtube versions 1.4.5 and earlier Description: The issue is related to improper neutralization of input during web page generation, also known as Cross-site Scripting. This allows for Stored XSS attacks. Recommendations: For versions...
CVE-2024-2101
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the...
CVE-2024-2102
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'smsprefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the...
WordPress EleForms plugin <= 2.9.9.7 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Francesco Carlucci in WordPress Plugin EleForms versions <= 2.9.9.7...
PT-2024-24671 · Unknown · Bmi Adult & Kid Calculator
Name of the Vulnerable Software and Affected Versions: BMI Adult & Kid Calculator versions 1.2.1 and earlier Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS in the BMI Adult & Kid Calculator. Recommendations: For versions 1.2.1 and earlier, update ...
UBUNTU-CVE-2024-3092
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a Stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims...
CVE-2024-2736
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tags in all versions up to, and including, 4.8.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...