5210 matches found

CVE
added 2024/05/02 4:51 p.m. | 50 views

CVE-2024-3021

The CVE-2024-3021 entry concerns the Mhr Post Ticker WordPress plugin. Reported vulnerability: Stored Cross-Site Scripting via the Header Title value in all versions up to and including 1.1, caused by insufficient input sanitization and output escaping. Impact is limited to multi-site WordPress i...

CVSS 4.4 | AI score 5.7 | EPSS 0.00462
Exploits: 0 | References: 3

CVE
added 2024/05/02 4:51 p.m. | 54 views

CVE-2024-2840

CVE-2024-2840 affects the Enhanced Media Library WordPress plugin, vulnerable to stored XSS via media upload in all versions up to 2.8.9. An authenticated attacker (author+ or higher) can upload dfxp files to inject scripts executed on page loads. Patch: upgrade to version 2.8.10 or later (per ch...

CVSS 5.4 | AI score 5.8 | EPSS 0.00388
Exploits: 0 | References: 2

Cvelist
added 2024/05/02 4:51 p.m. | 20 views

CVE-2024-2840 Enhanced Media Library <= 2.8.9 - Authenticated (Author+) Stored Cross-Site Scripting

The Enhanced Media Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via media upload functionality in all versions up to, and including, 2.8.9 due to the plugin allowing 'dfxp' files to be uploaded. This makes it possible for authenticated attackers, with author-level...

CVSS 5.4 | AI score 5.3 | EPSS 0.00388
Exploits: 0 | References: 2

Cvelist
added 2024/05/02 4:51 p.m. | 32 views

CVE-2024-2345 FileBird – WordPress Media Library Folders & File Manager <= 5.6.3 - Authenticated (Author+) Stored Cross-Site Scripting

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the folder name parameter in all versions up to, and including, 5.6.3 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4 | AI score 5.9 | EPSS 0.00343
Exploits: 0 | References: 2

CVE
added 2024/05/02 4:51 p.m. | 72 views

CVE-2024-2345

CVE-2024-2345 refers to the FileBird WordPress plugin (Folders & File Manager). Red Hat and Wordfence document Stored Cross-Site Scripting via the folder name parameter in all versions up to 5.6.3, exploitable by authenticated attackers with author access or higher, allowing injected scripts to r...

CVSS 6.4 | AI score 5.8 | EPSS 0.00343
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2024/05/02 4:51 p.m. | 13 views

CVE-2024-1959 Social Sharing Plugin – Social Warfare <= 4.4.6.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

The Social Sharing Plugin – Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialWarfare' shortcode in all versions up to, and including, 4.4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

CVSS 6.4 | AI score 5.8 | EPSS 0.0042
Exploits: 0 | References: 3

Cvelist
added 2024/05/02 4:51 p.m. | 24 views

CVE-2024-2085 HT Mega – Absolute Addons For Elementor <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'size'

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' value in several widgets in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVSS 6.4 | AI score 5.8 | EPSS 0.0032
Exploits: 0 | References: 2

Cvelist
added 2024/05/02 4:51 p.m. | 21 views

CVE-2024-3074 Elementor ImageBox <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Elementor ImageBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image box widget in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

CVSS 6.4 | AI score 6 | EPSS 0.00466
Exploits: 0 | References: 3

Veracode
added 2024/05/02 8:9 a.m. | 16 views

Cross Site Scripting (XSS)

yapi-vendor is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient input validation in its Advanced Expectation - Response module, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the body field...

CVSS 7.4 | AI score 6.7 | EPSS 0.00493
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2024/05/01 8:15 p.m. | 15 views

CVE-2024-33423

Cross-Site Scripting (XSS) vulnerability in the Settings menu of CMSimple v5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Logout parameter under the Language section...

CVSS 7.4 | AI score 5.6 | EPSS 0.00558
Exploits: 1 | References: 1

NVD
added 2024/05/01 7:15 p.m. | 10 views

CVE-2024-33424

A cross-site scripting (XSS) vulnerability in the Settings menu of CMSimple v5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Downloads parameter under the Language section...

CVSS 6.1 | AI score 5.6 | EPSS 0.00404
Exploits: 1 | References: 1

WPVulnDB
added 2024/05/01 12:0 a.m. | 17 views

Easy Set Favicon <= 1.1 - Reflected Cross-Site Scripting

Description: The Easy Set Favicon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

CVSS 7.1 | AI score 6.5 | EPSS 0.00354
Exploits: 0 | References: 1

Cvelist
added 2024/05/01 12:0 a.m. | 12 views

CVE-2024-33424

A cross-site scripting (XSS) vulnerability in the Settings menu of CMSimple v5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Downloads parameter under the Language section...

AI score 5.7 | EPSS 0.00404
Exploits: 1 | References: 1

WPVulnDB
added 2024/05/01 12:0 a.m. | 16 views

XStore < 9.3.9 - Reflected Cross-Site Scripting

Description: The theme is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an...

CVSS 7.1 | AI score 7.1 | EPSS 0.00418
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2024/05/01 12:0 a.m. | 64 views

CVE-2024-33424

CMSimple v5.15 is affected by an XSS in the Settings menu, via the Downloads parameter under Language. The vulnerability allows arbitrary web scripts/HTML to run in the user context when a crafted payload is used. Documented by multiple sources (CVE-2024-33424; RH; CNVD/CNNVD variants) with no ex...

CVSS 6.1 | AI score 5.8 | EPSS 0.00404
Exploits: 1 | References: 1 | Affected Software: 1

NVD
added 2024/04/30 6:15 p.m. | 11 views

CVE-2024-33102

A stored cross-site scripting (XSS) vulnerability in the component /pubs/counter.php of ThinkSAAS v3.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the code parameter...

CVSS 5.4 | AI score 5.4 | EPSS 0.00394
Exploits: 1 | References: 1

NVD
added 2024/04/30 6:15 p.m. | 12 views

CVE-2024-33101

A stored cross-site scripting (XSS) vulnerability in the component /action/anti.php of ThinkSAAS v3.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the word parameter...

CVSS 6.1 | AI score 5.4 | EPSS 0.00394
Exploits: 1 | References: 1

NVD
added 2024/04/30 6:15 p.m. | 9 views

CVE-2024-33831

A stored cross-site scripting (XSS) vulnerability in the Advanced Expectation - Response module of yapi v1.10.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the body field...

CVSS 7.4 | AI score 5.4 | EPSS 0.00493
Exploits: 0 | References: 1

OSV
added 2024/04/30 6:15 p.m. | 6 views

CVE-2024-33102

A stored cross-site scripting (XSS) vulnerability in the component /pubs/counter.php of ThinkSAAS v3.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the code parameter...

CVSS 5.4 | AI score 5.5
Exploits: 0 | References: 1

Veracode
added 2024/04/30 5:48 a.m. | 12 views

Cross-site Scripting (XSS)

knowledge-repo is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper user input validation in the post comments functionality. This allows an attacker to inject arbitrary web scripts or HTML content into the application, potentially leading to cross-site scripting (XSS)...

CVSS 6.1 | AI score 5.3 | EPSS 0.01315
Exploits: 1 | References: 4 | Affected Software: 1