CVE-2024-5730

The Pagerank tools WordPress plugin through 1.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2024-5728

The Animated AL List WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

PT-2024-32087 · WordPress · Wp Chat App

Name of the Vulnerable Software and Affected Versions: WP Chat App WordPress plugin versions prior to 3.6.5 Description: The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks even when unfiltered html is disallowed, due to the plugin not sanitising and...

CVE-2024-5169

The Video Widget WordPress plugin through 1.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-4755

The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-4381

The CB legacy WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Cross Site Scripting (XSS)

magento/community-edition is vulnerable to Cross Site Scripting XSS. The vulnerability is due to improper sanitization of user input in the product and category management sections, allowing attackers to inject malicious scripts that can affect other admin users accessing those sections...

CVE-2024-3977

The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

WordPress plugin AZAN security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

CVE-2024-28969

Dell SCG prior to version 5.24.00.00 contains an Improper Access Control vulnerability in an internal update REST API that is only accessible if enabled by an Admin from the UI. A remote low-privileged attacker could potentially trigger this API and cause execution of certain admin-only APIs agai...

CVE-2024-28969

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API if enabled by Admin user from UI. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs...

CVE-2024-28966

CVE-2024-28966 affects Dell SCG with versions prior to 5.24.00.00, due to an Improper Access Control vulnerability in an internal update REST API that a Admin UI-enabled function exposes. A remote, low-privileged attacker could access APIs intended for Admin Users on the backend database and pote...

CVE-2024-28966

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API if enabled by Admin user from UI. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs...

CVE-2024-28965

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal enable REST API if enabled by Admin user from UI. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain Internal...

CVE-2024-30162

Invision Community through 4.7.16 allows remote code execution via the applications/core/modules/admin/editor/toolbar.php IPS\core\modules\admin\editor\toolbar::addPlugin method. This method handles uploaded ZIP files that are extracted into the...

Widget4Call <= 1.0.7 - Reflected XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make an admin open the URL:...

CVE-2024-30162

Invision Community through 4.7.16 allows remote code execution via the applications/core/modules/admin/editor/toolbar.php IPS\core\modules\admin\editor\toolbar::addPlugin method. This method handles uploaded ZIP files that are extracted into the...

CVE-2024-3921 Gianism <= 5.1.0 - Admin+ Stored XSS

The Gianism WordPress plugin through 5.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-4533

The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks...

CVE-2024-4533

CVE-2024-4533 affects the KKProgressbar2 Free WordPress plugin up to version 1.1.4.2, where an unsanitized parameter is used directly in a SQL statement, enabling admin users to perform SQL injection. The connected documents confirm the issue but do not provide a remediation version or patch deta...