5210 matches found

Cvelist
added 2024/11/21 2:6 a.m., 15 views

CVE-2024-11416 WIP Incoming Lite <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the saveoption function. This makes it possible for unauthenticated attackers to update settings and inject...

CVSS 6.1, EPSS 0.00262
Exploits 0, References 3

CVE
added 2024/11/21 2:6 a.m., 55 views

CVE-2024-11385

CVE-2024-11385 affects the WordPress plugin Pure CSS Circle Progress bar (versions ≤ 1.2). The issue is a Stored Cross-Site Scripting vulnerability in the circle_progress shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. Exploitation requires at lea...

CVSS 6.4, AI score 5.4, EPSS 0.00395
Exploits 0, References 2, Affected Software 1

Cvelist
added 2024/11/21 2:6 a.m., 13 views

CVE-2024-11360 Page Parts <= 1.4.3 - Reflected Cross-Site Scripting

The Page Parts plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

CVSS 6.1, EPSS 0.00735
Exploits 0, References 10

CVE
added 2024/11/21 2:6 a.m., 51 views

CVE-2024-11360

CVE-2024-11360 → WordPress Page Parts plugin

CVSS 6.1, AI score 6, EPSS 0.00735
Exploits 0, References 10, Affected Software 1

Cvelist
added 2024/11/21 2:6 a.m., 13 views

CVE-2024-11435 salavat counter Plugin <= 0.9.4 - Reflected Cross-Site Scripting

The salavat counter Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 0.9.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

CVSS 6.1, EPSS 0.00536
Exploits 0, References 3

CVE
added 2024/11/21 2:6 a.m., 48 views

CVE-2024-11435

The CVE-2024-11435 entry refers to the salavat counter Plugin for WordPress with a Reflected Cross‑Site Scripting vulnerability via the page parameter in all versions up to and including 0.9.1. The issue allows unauthenticated attackers to inject scripts in pages that users may execute after cert...

CVSS 6.1, AI score 7.4, EPSS 0.00536
Exploits 0, References 3

Vulnrichment
added 2024/11/21 2:6 a.m., 11 views

CVE-2024-10726 Friendly Functions for Welcart <= 1.2.4 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious w...

CVSS 6.1, AI score 7.2, EPSS 0.00273
Exploits 0, References 4

Cvelist
added 2024/11/21 2:6 a.m., 24 views

CVE-2024-10726 Friendly Functions for Welcart <= 1.2.4 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious w...

CVSS 6.1, EPSS 0.00273
Exploits 0, References 4

CVE
added 2024/11/21 2:6 a.m., 54 views

CVE-2024-11370

CVE-2024-11370 concerns the WordPress plugin “Subaccounts for WooCommerce”. The connected sources confirm a reflected Cross-Site Scripting (XSS) weakness caused by improper escaping in URLs using add_query_arg, affecting all versions up to and including 1.6.0. This enables unauthenticated attacke...

CVSS 6.1, AI score 6, EPSS 0.00586
Exploits 0, References 3, Affected Software 1

Vulnrichment
added 2024/11/21 2:6 a.m., 10 views

CVE-2024-9111 Product Designer <= 1.0.36 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...

CVSS 6.4, AI score 7.4, EPSS 0.00519
Exploits 0, References 3

CVE
added 2024/11/21 2:6 a.m., 52 views

CVE-2024-10682

CVE-2024-10682: WordPress Bulletin Announcements plugin is vulnerable to Reflected XSS via add_query_arg/remove_query_arg without proper escaping in all versions up to 3.11.7. Exploitation requires user interaction (tricking a user into clicking a link) and is possible for unauthenticated attacke...

CVSS 6.1, AI score 6, EPSS 0.00588
Exploits 0, References 5

NVD
added 2024/11/20 9:15 p.m., 12 views

CVE-2024-52702

A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter. NOTE: this is disputed by the Supplier because Website Name can only be set ...

CVSS 5.4, EPSS 0.0025
Exploits 1, References 2

NVD
added 2024/11/20 7:15 a.m., 25 views

CVE-2024-9239

The Booster for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.2.3. This makes it possible for unauthenticated attackers to inject...

CVSS 6.1, EPSS 0.00402
Exploits 0, References 4

CVE
added 2024/11/20 6:42 a.m., 54 views

CVE-2024-9239

CVE-2024-9239: Booster for WooCommerce (WordPress)

CVSS 6.1, AI score 6, EPSS 0.00402
Exploits 0, References 4, Affected Software 1

Vulnrichment
added 2024/11/20 6:42 a.m., 10 views

CVE-2024-9239 Booster for WooCommerce <= 7.2.3 - Reflected Cross-Site Scripting

The Booster for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.2.3. This makes it possible for unauthenticated attackers to inject...

CVSS 6.1, AI score 6.4, EPSS 0.00402
Exploits 0, References 4

CVE
added 2024/11/20 6:42 a.m., 47 views

CVE-2024-8726

CVE-2024-8726: MailChimp Forms by MailMunch (WordPress) is vulnerable to Reflected Cross-Site Scripting due to improper escaping in URLs via add_query_arg in all versions up to and including 3.2.3. Unauthenticated attackers can inject scripts in pages that a user might trigger by clicking links,...

CVSS 6.1, AI score 6.4, EPSS 0.00309
Exploits 0, References 2, Affected Software 1

Vulnrichment
added 2024/11/20 6:42 a.m., 21 views

CVE-2024-8726 MailChimp Forms by MailMunch <= 3.2.3 - Reflected Cross-Site Scripting

The MailChimp Forms by MailMunch plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.2.3. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1, AI score 6.4, EPSS 0.00309
Exploits 0, References 2

Cvelist
added 2024/11/20 6:42 a.m., 15 views

CVE-2024-8726 MailChimp Forms by MailMunch <= 3.2.3 - Reflected Cross-Site Scripting

The MailChimp Forms by MailMunch plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.2.3. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1, EPSS 0.00309
Exploits 0, References 2

CVE
added 2024/11/20 5:32 a.m., 54 views

CVE-2024-9653

Restaurant Menu – Food Ordering System – Table Reservation (WordPress)

CVSS 6.1, AI score 6, EPSS 0.00314
Exploits 0, References 2, Affected Software 1

Vulnrichment
added 2024/11/20 5:32 a.m., 20 views

CVE-2024-9653 Restaurant Menu – Food Ordering System – Table Reservation <= 2.4.2 - Reflected Cross-Site Scripting

The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'action' parameter in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.1, AI score 6.4, EPSS 0.00314
Exploits 0, References 2