Simply Schedule Appointments < 1.6.6.24 - Reflected Cross-Site Scripting
Description: The Simply Schedule Appointments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.6.6.20 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
Unlimited Elements For Elementor < 1.5.97 - Contributor+ Stored XSS
Description: The plugin is vulnerable to Stored Cross-Site Scripting via the link field of an installed widget (e.g., 'Button Link') due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level acce...
List category posts < 0.89.7 - Contributor+ Stored XSS
Description: The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes like 'titletag'. This makes it possible for authenticated attackers with contributor-level and above...
ElementsKit Elementor addons < 3.0.7 - Contributor+ Stored XSS
Description: The plugin is vulnerable to Stored Cross-Site Scripting via the button ID parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will...
PowerPack Addons for Elementor < 2.7.19 - Contributor+ Stored XSS
Description: The plugin is vulnerable to Stored Cross-Site Scripting via the Twitter Tweet widget due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that...
Shipping with Venipak for WooCommerce < 1.19.6 - Reflected Cross-Site Scripting via 'venipak_labels_link'
Description: The Shipping with Venipak for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'venipak_labels_link' parameter in versions up to, and including, 1.19.5 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2024-2491 PowerPack Addons for Elementor <= 2.7.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via *_html_tag*
The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the *_html_tag* attribute of multiple widgets in all versions up to, and including, 2.7.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2024-2141
The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-2144
The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Separator widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
CVE-2024-1238
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button ID parameter in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contribut...
CVE-2024-1051
The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.89.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'titletag'. This makes it possibl...
CVE-2024-2250 130+ Widgets | Best Addons For Elementor – FREE <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The 130+ Widgets | Best Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
CVE-2024-2108
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes ...
CVE-2024-0609
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apikey' parameter in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. Th...
CVE-2024-0609 WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting <= 1.13.1 - Unauthenticated Stored Cross-Site Scripting
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apikey' parameter in all versions up to, and including, 1.13.1 due to insufficient input sanitization and output escaping. Th...
CVE-2024-0609
CVE-2024-0609 is a Stored Cross-Site Scripting vulnerability in the WP ERP plugin for WordPress (WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting). Public records describe the issue as: unauthenticated (WordPress users) can inject scripts via the api_ke...
CVE-2024-2108 Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.8.0 - Authenticated (Author+) Stored Cross-Site Scripting
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes ...
CVE-2024-2116 Christmas Greetings <= 1.2.5 - Reflected Cross-Site Scripting
The Christmas Greetings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the code parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2024-2475
CVE-2024-2475 refers to a Stored Cross-Site Scripting vulnerability in the WordPress plugin Media Library Assistant. The issue stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes, allowing an attacker with contributor-level access or higher to inje...
Church Admin < 4.0.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description: The Church Admin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 4.0.26 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated...