54 matches found
CVE-2024-5200 Postie < 1.9.71 - Admin+ Stored XSS
The Postie WordPress plugin before 1.9.71 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2023-30745
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Phan Chuong IP Metaboxes plugin <= 2.1.1 versions...
CVE-2023-23723
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Winwar Media WP Email Capture plugin <= 3.9.3 versions...
WordPress Contact Form & SMTP Plugin for WordPress by PirateForms plugin < 2.6.0 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Contact Form & SMTP Plugin versions < 2.6.0...
CVE-2025-0717 Social Slider Feed < 2.2.9 - Admin+ Stored XSS
To exploit the vulnerability, it is necessary:...
WordPress NextGEN Gallery plugin < 3.59.9 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Erwan LR (WPScan) in WordPress Plugin NextGEN Gallery versions < 3.59.9...
WordPress Download Manager plugin < 3.3.03 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Download Manager versions < 3.3.03...
WordPress YaDisk Files plugin <= 1.2.5 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by WPScan in WordPress Plugin YaDisk Files versions <= 1.2.5...
CVE-2024-7877 Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is...
CVE-2024-8983 Custom Twitter Feeds < 2.2.3 - Admin+ Stored XSS
The Custom Twitter Feeds WordPress plugin before 2.2.3 does not filter some of its settings, allowing high privilege users to inject scripts...
WordPress Starbox plugin < 3.5.2 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Krugov Artyom in WordPress Plugin Starbox versions < 3.5.2...
CVE-2024-7891 Floating Contact Button < 2.8 - Admin+ Stored XSS
The Floating Contact Button WordPress plugin before 2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...
CVE-2024-5033 SULly < 4.3.1 - Admin+ Stored XSS via CSRF
The SULly WordPress plugin before 4.3.1 does not have a CSRF check in some places, and is also missing sanitisation and escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-4384 CSSable Countdown <= 1.5 - Admin+ Stored XSS
The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
Save as PDF by Pdfcrowd < 3.2.2 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to "Settings Save as Image" 2...
CVE-2024-30193
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andymoyle Church Admin (church-admin). This issue affects Church Admin: from n/a through <= 4.1.17...
Testimonial Slider < 2.3.8 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to "Testimonial Shortcode" 2. Ad...
CVE-2024-0951 Advanced Social Feeds Widget & Shortcode <= 1.7 - Admin+ Stored XSS
The Advanced Social Feeds Widget & Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in...
Inline Related Posts < 3.5.0 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Put the following payload in the CSS margin-top setting: 0 em" onmouseover=alert(/XSS/)// Th...
CVE-2024-0561 Ultimate Posts Widget < 2.3.1 - Admin+ Stored XSS
The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...
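Nearly every entry above describes the same defect: a plugin stores a settings value without sanitising it and echoes it back into HTML (often an attribute) without escaping it. WordPress core only lets users with the unfiltered_html capability publish raw markup, and on multisite that capability is held by super admins, not site administrators, so a plugin that round-trips settings raw hands a site admin a script-injection path the platform deliberately withholds. The SULly entry adds the second half of the pattern: without a nonce check, the same save handler can be driven through the admin's browser by a third party. The following PHP is an added illustration, not code from any plugin listed here; the irp_example_ prefix, option name, nonce action and settings group are hypothetical. It shows the vulnerable save/render pair (matching the Inline Related Posts margin-top payload) beside a hardened one that sanitises on save, verifies the nonce and capability, and escapes for the attribute context on output.

```php
<?php
/**
 * Added example, not the code of any plugin in the listing above.
 * All function, option and nonce names (irp_example_*) are hypothetical.
 */

// ---------- Vulnerable pattern ----------
function irp_example_save_vulnerable() {
    // No nonce check (CSRF-able) and no sanitisation before storage.
    if ( isset( $_POST['margin_top'] ) ) {
        update_option( 'irp_example_margin_top', wp_unslash( $_POST['margin_top'] ) );
    }
}

function irp_example_render_vulnerable() {
    $margin = get_option( 'irp_example_margin_top', '0em' );
    // A stored value such as   0em" onmouseover=alert(/XSS/)//   closes the
    // style attribute and adds an event handler; unfiltered_html never mattered.
    echo '<div class="irp-related" style="margin-top:' . $margin . '">';
}

// ---------- Hardened pattern ----------
function irp_example_sanitize_css_length( $value ) {
    // Validate against the shape a margin actually has, instead of trying
    // to strip "bad" characters; anything else falls back to the default.
    $value = trim( sanitize_text_field( (string) $value ) );
    if ( ! preg_match( '/^-?\d+(\.\d+)?(px|em|rem|%)?$/', $value ) ) {
        return '0em';
    }
    return $value;
}

function irp_example_register_setting() {
    // sanitize_callback runs on every update_option() for this option,
    // so the value is clean no matter which code path stores it.
    register_setting(
        'irp_example_options',
        'irp_example_margin_top',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'irp_example_sanitize_css_length',
            'default'           => '0em',
        )
    );
}
add_action( 'admin_init', 'irp_example_register_setting' );

function irp_example_settings_form() {
    $margin = get_option( 'irp_example_margin_top', '0em' );
    echo '<form method="post">';
    // Nonce field paired with the check in the save handler below.
    wp_nonce_field( 'irp_example_save', 'irp_example_nonce' );
    echo '<input type="text" name="margin_top" value="' . esc_attr( $margin ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function irp_example_save_hardened() {
    // CSRF check first (dies on a missing or invalid nonce), then capability.
    check_admin_referer( 'irp_example_save', 'irp_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    if ( isset( $_POST['margin_top'] ) ) {
        // Explicit sanitisation on save; the register_setting callback would
        // also apply, but being explicit keeps the handler self-evidently safe.
        update_option(
            'irp_example_margin_top',
            irp_example_sanitize_css_length( wp_unslash( $_POST['margin_top'] ) )
        );
    }
}

function irp_example_render_hardened() {
    $margin = get_option( 'irp_example_margin_top', '0em' );
    // Escape for the context the value lands in: an HTML attribute.
    echo '<div class="irp-related" style="margin-top:' . esc_attr( $margin ) . '">';
}
```

Two points a reviewer checks when triaging one of these advisories: whether sanitisation happens at storage time (a register_setting sanitize_callback or equivalent on every write path, so a stored value is never trusted later), and whether the output escaping matches the context, esc_attr inside attributes, esc_html in text nodes, wp_kses_post only where limited markup is genuinely intended. Escaping alone at render time stops the injection shown here, but sanitising on save is what keeps the same option from being echoed unsafely by a second, forgotten template.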