277 matches found
CVE-2024-13385
CVE-2024-13385 – JSM Screenshot Machine Shortcode (WordPress) is a Stored Cross-Site Scripting vulnerability in the JSM Screenshot Machine Shortcode plugin for WordPress, affecting all versions up to 2.3.0. The issue arises from insufficient input sanitization and lack of proper output escaping o...
CVE-2024-13323 Booking Calendar <= 10.9.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'booking' Shortcode
The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'booking' shortcode in all versions up to, and including, 10.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-11758 WP SPID Italia <= 2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WP SPID Italia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wit...
CVE-2024-9673
...
CVE-2024-12439
The Marketplace Items plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'marketplace' shortcode in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-11899
The Slider Pro Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sliderpro' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-9545
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auxcontactbox and auxgmaps shortcodes in all versions up to, and including, 2.17.0 due to insufficient input sanitization and output escaping on user supplied...
CVE-2024-12500
The Philantro – Donations and Donor Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'donate' in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...
CVE-2024-11384
CVE-2024-11384 applies to the Arena.IM – Live Blogging for real-time events WordPress plugin. The vulnerability is a Stored Cross-Site Scripting (XSS) in the plugin’s arena blog shortcode that affects all versions up to and including 0.3.0, arising from insufficient input sanitization and output ...
CVE-2024-11339
The CVE-2024-11339 entry concerns the WordPress plugin Smart PopUp Blaster. It describes a Stored Cross-Site Scripting vulnerability in the spb-button shortcode, affecting all versions up to 1.4.3, due to insufficient input sanitization and output escaping on user-supplied attributes. Exploitatio...
CVE-2024-11769
The Flower Delivery by Florist One plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flower-delivery' shortcode in all versions up to, and including, 3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
WordPress plugin多款产品 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A cross-site scripting vulnerability exists in...
CVE-2024-11782
The WP Mailster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mstsubscribe' shortcode in all versions up to, and including, 1.8.17.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
CVE-2024-11761
The LegalWeb Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'legalweb-popup' shortcode in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-11786 Login with Vipps and MobilePay <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Login with Vipps and MobilePay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'continue-with-vipps' shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-11192
The Spotify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's spotifyplaybutton shortcode in all versions up to, and including, 2.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-11229
The 코드엠샵 소셜톡 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's addplusfriends and addplustalk shortcodes in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-11231
CVE-2024-11231 concerns the WordPress plugin “우커머스 네이버페이” (WooCommerce Naver Pay) for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the plugin’s mnp_purchase shortcode in all versions up to and including 3.3.7, caused by insufficient input sanitization and output escapin...
CVE-2024-10113
The WP AdCenter – Ad Manager & Adsense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpadcenterad shortcode in all versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-10887
CVE-2024-10887 affects the NiceJob WordPress plugin. It is a Stored XSS via multiple shortcodes (nicejob-lead, -review, -engage, -badge, -stories) in all versions up to 3.6.5 due to insufficient input sanitization and output escaping. Exploitation requires Contributor+ authentication; injected sc...