
Source: Vulnrichment | added 2025/02/14 6:00 a.m. | 5 views

CVE-2024-13493 Sensly Online Presence <= 0.6 - Admin+ Stored XSS

The Sensly Online Presence WordPress plugin through 0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score: 5.7 | EPSS: 0.0031 | Exploits: 1 | References: 1

Source: OSV | added 2025/02/13 6:15 a.m. | 4 views

CVE-2025-0692

The Simple Video Management System WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite...

CVSS: 3.5 | AI score: 7.3 | EPSS: 0.0027 | Exploits: 1 | References: 1

Source: Cvelist | added 2025/02/13 6:00 a.m. | 17 views

CVE-2025-0692 Simple Video Management System <= 1.0.4 - Admin+ Stored XSS

The Simple Video Management System WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite...

EPSS: 0.0027 | Exploits: 1 | References: 1

Source: Vulnrichment | added 2025/02/13 6:00 a.m. | 14 views

CVE-2025-0692 Simple Video Management System <= 1.0.4 - Admin+ Stored XSS

The Simple Video Management System WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite...

AI score: 5.7 | EPSS: 0.0027 | Exploits: 1 | References: 1

Source: Vulnrichment | added 2025/02/13 6:00 a.m. | 7 views

CVE-2024-13121 Paid Membership Plugin < 4.15.20 - Admin+ Stored XSS

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even wh...

AI score: 3.4 | EPSS: 0.00296 | Exploits: 1 | References: 1

Source: Vulnrichment | added 2025/02/06 6:00 a.m. | 4 views

CVE-2025-0522 LikeBot – Decentralized like-system <= 0.85 - Admin+ Stored XSS via CSRF

The LikeBot WordPress plugin through 0.85 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...

AI score: 5.9 | EPSS: 0.00195 | Exploits: 1 | References: 1

Source: OSV | added 2025/02/04 6:15 a.m. | 1 view

CVE-2024-13330

The JustRows free WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS: 7.1 | AI score: 7.3 | EPSS: 0.0055 | Exploits: 1 | References: 1

Source: CNNVD | added 2025/02/01 12:00 a.m. | 3 views

WordPress plugin WooCommerce Customers Manager security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS: 8.8 | AI score: 8.5 | EPSS: 0.00389 | Exploits: 0 | References: 2

Source: CVE | added 2025/01/31 6:00 a.m. | 51 views

CVE-2024-12872

CVE-2024-12872 affects the Zalomení WordPress plugin (versions up to 1.5). The issue stems from insufficient sanitisation/escaping of certain settings, allowing a high-privilege user (e.g., an admin) to perform Stored Cross-Site Scripting, even when unfiltered_html is disallowed (notably in multi...

CVSS: 4.8 | AI score: 5.4 | EPSS: 0.00246 | Exploits: 1 | References: 1 | Affected software: 1

Source: OSV | added 2025/01/30 2:15 p.m. | 2 views

CVE-2024-12129

The Royal Core plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'royalrestorebackup' function in all versions up to, and including, 2.9.2. This makes it possible for authenticated attackers, with...

CVSS: 8.8 | AI score: 7.4 | Exploits: 0 | References: 2

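The LikeBot entry (CVE-2025-0522, stored XSS reachable through CSRF) and the Royal Core entry (CVE-2024-12129, missing capability check on a restore function) are the two halves of the same admin-action hardening pattern: a privileged handler needs both a nonce tied to the acting user and a capability check before it touches anything. The following is an added example, not code from either plugin; the action name sop_restore_backup, the option sop_label, the backups directory sop-backups and the helper sop_restore_from_file() are hypothetical.

```php
<?php
// Added example; not code from LikeBot, Royal Core or any plugin listed here.
// Hypothetical names: action "sop_restore_backup", option "sop_label",
// upload subdirectory "sop-backups", helper sop_restore_from_file().

/* ---------- Vulnerable shape: trusts any POST that reaches it ---------- */
// Not hooked to any action below; shown for contrast. A logged-in admin who
// loads an attacker's page submits this with their own cookies (CSRF), and a
// low-privilege user can call it directly (no capability check).
function sop_vulnerable_restore_backup() {
    $file  = $_POST['backup'];                 // unvalidated path from the client
    $label = $_POST['label'];                  // stored verbatim: stored XSS wherever it is printed
    update_option( 'sop_label', $label );
    sop_restore_from_file( $file );
    wp_safe_redirect( admin_url( 'admin.php?page=sop' ) );
    exit;
}

/* ---------- Hardened form: nonce bound to this action and this user ---------- */
function sop_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sop_restore_backup">
        <?php wp_nonce_field( 'sop_restore_backup', 'sop_nonce' ); ?>
        <label>Backup file <input type="text" name="backup"></label>
        <label>Label <input type="text" name="label"
               value="<?php echo esc_attr( get_option( 'sop_label', '' ) ); ?>"></label>
        <?php submit_button( 'Restore' ); ?>
    </form>
    <?php
}

/* ---------- Hardened handler: capability, then nonce, then input ---------- */
function sop_hardened_restore_backup() {
    // 1. Capability: only users allowed to manage options may restore a backup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the nonce must have been issued to this user for this action.
    //    check_admin_referer() calls wp_die() itself on a missing or stale nonce.
    check_admin_referer( 'sop_restore_backup', 'sop_nonce' );

    // 3. Input: reduce to a bare file name and plain text before storing or using it.
    $file  = isset( $_POST['backup'] ) ? sanitize_file_name( wp_unslash( $_POST['backup'] ) ) : '';
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    update_option( 'sop_label', $label );

    $ok = ( '' !== $file ) && sop_restore_from_file( $file );
    wp_safe_redirect( add_query_arg( 'restored', $ok ? '1' : '0', admin_url( 'admin.php?page=sop' ) ) );
    exit;
}

// Hypothetical helper: accept only a file that resolves inside the backups directory.
function sop_restore_from_file( $file ) {
    $dir  = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'sop-backups' );
    $path = realpath( $dir . DIRECTORY_SEPARATOR . $file );
    if ( false === $dir || false === $path || 0 !== strpos( $path, $dir . DIRECTORY_SEPARATOR ) ) {
        return false;                          // missing, or escaped the directory
    }
    // Applying the backup is out of scope for this example; report success.
    return true;
}

add_action( 'admin_post_sop_restore_backup', 'sop_hardened_restore_backup' );
```

The order matters: the capability check runs first so that an unprivileged caller gets a 403 without ever learning whether a nonce was valid, and the nonce check runs before any write so that a cross-site POST from a real admin's browser is rejected before it can store a payload.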
Source: Cvelist | added 2025/01/27 6:00 a.m. | 18 views

CVE-2024-13116 Crelly Slider < 1.4.7 - Admin+ Stored XSS

The Crelly Slider WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

EPSS: 0.00317 | Exploits: 1 | References: 1

Source: Vulnrichment | added 2025/01/27 6:00 a.m. | 7 views

CVE-2024-12321 WC Affiliate <= 2.3.9 - Reflected XSS

The WC Affiliate WordPress plugin through 2.3.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score: 7 | EPSS: 0.00253 | Exploits: 1 | References: 1

Source: OSV | added 2025/01/16 7:30 p.m. | 4 views

CVE-2024-55954 OpenObserve Improper Authorization Allows Admin User to Remove Root User

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint /api/orgid/users/emailid allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the...

CVSS: 8.7 | AI score: 6.9 | EPSS: 0.00487 | Exploits: 0 | References: 4

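CVE-2024-55954 is an authorization-hierarchy bug rather than a missing login or role check: the endpoint confirmed the caller held the Admin role but never compared that role with the target's. The following added example (not OpenObserve code; written in PHP like the other examples on this page, with the role names, numeric ranks, the handler shape and the sample organisation all assumptions) shows the comparison that has to precede the removal.

```php
<?php
// Added example illustrating the check CVE-2024-55954 describes as missing.
// Not OpenObserve code: role names, ranks and the handler shape are assumptions.

// Higher number = higher in the hierarchy.
const OO_ROLE_RANK = array( 'root' => 3, 'admin' => 2, 'member' => 1 );

// May a user holding $actor_role remove a user holding $target_role?
// Only an equal or higher rank may; unknown roles are denied (fail closed).
function oo_can_remove_role( string $actor_role, string $target_role ): bool {
    if ( ! array_key_exists( $actor_role, OO_ROLE_RANK ) || ! array_key_exists( $target_role, OO_ROLE_RANK ) ) {
        return false;
    }
    return OO_ROLE_RANK[ $actor_role ] >= OO_ROLE_RANK[ $target_role ];
}

// Hypothetical "remove user from organisation" handler.
// $org_users maps email => role. Returns array( HTTP status, message ).
function oo_remove_user( array $actor, array &$org_users, string $target_email ): array {
    if ( ! isset( $org_users[ $target_email ] ) ) {
        return array( 404, 'no such user' );
    }
    $target_role = $org_users[ $target_email ];

    // The missing check: compare hierarchy positions before acting on the target.
    if ( ! oo_can_remove_role( $actor['role'], $target_role ) ) {
        return array( 403, $actor['role'] . ' may not remove ' . $target_role );
    }
    // Extra safeguard (a design choice, not from the advisory): keep at least one root.
    if ( 'root' === $target_role && 1 === count( array_keys( $org_users, 'root', true ) ) ) {
        return array( 409, 'cannot remove the last root user' );
    }
    unset( $org_users[ $target_email ] );
    return array( 200, 'removed' );
}

// Constructed sample organisation and callers.
$org = array(
    'owner@example.org' => 'root',
    'ops@example.org'   => 'admin',
    'dev@example.org'   => 'member',
);
$admin = array( 'email' => 'ops@example.org',   'role' => 'admin' );
$root  = array( 'email' => 'owner@example.org', 'role' => 'root' );

foreach ( array(
    array( $admin, 'owner@example.org' ),   // admin -> root:   403
    array( $admin, 'dev@example.org' ),     // admin -> member: 200
    array( $root,  'ops@example.org' ),     // root  -> admin:  200
    array( $root,  'nobody@example.org' ),  // unknown target:  404
) as $case ) {
    list( $status, $msg ) = oo_remove_user( $case[0], $org, $case[1] );
    printf( "%s removes %s: %d %s\n", $case[0]['role'], $case[1], $status, $msg );
}
```

The comparison is deliberately done on the target's current role as stored server-side, not on anything the request body claims, and the ordering of the checks returns 404 before 403 only because the target's role is needed to decide; if user enumeration is a concern, collapse both into the same response.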
Source: Cvelist | added 2025/01/13 6:00 a.m. | 15 views

CVE-2024-12568 Email Subscribers < 5.7.45 - Admin+ Stored XSS

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example...

EPSS: 0.00292 | Exploits: 1 | References: 1

Source: Cvelist | added 2025/01/13 6:00 a.m. | 23 views

CVE-2024-12567 Email Subscribers < 5.7.45 - Admin+ Stored XSS

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in...

EPSS: 0.00292 | Exploits: 1 | References: 1

Source: Cvelist | added 2025/01/13 6:00 a.m. | 16 views

CVE-2024-12566 Email Subscribers < 5.7.45 - Admin+ Stored XSS

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in...

EPSS: 0.00292 | Exploits: 1 | References: 1

Source: CVE | added 2025/01/13 6:00 a.m. | 30 views

CVE-2024-11636

CVE-2024-11636 affects the Email Subscribers by Icegram Express WordPress plugin prior to 5.7.45. The issue is that certain Text Block options are not properly sanitised/escaped, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisi...

CVSS: 4.8 | AI score: 5.4 | EPSS: 0.00312 | Exploits: 1 | References: 1 | Affected software: 1

Source: Vulnrichment | added 2025/01/11 6:00 a.m. | 5 views

CVE-2024-12587 Contact Form Master <= 1.0.7 - Reflected XSS

The Contact Form Master WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score: 6.1 | EPSS: 0.00347 | Exploits: 1 | References: 1

Source: Vulnrichment | added 2025/01/09 6:00 a.m. | 10 views

CVE-2024-12717 aklamator-infeed <= 2.0.0 - Admin+ Stored XSS

The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score: 5.8 | EPSS: 0.00354 | Exploits: 1 | References: 1

Source: Cvelist | added 2025/01/09 6:00 a.m. | 11 views

CVE-2024-12717 aklamator-infeed <= 2.0.0 - Admin+ Stored XSS

The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

EPSS: 0.00354 | Exploits: 1 | References: 1

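The "Admin+ Stored XSS" entries on this page (Sensly Online Presence, Simple Video Management System, Paid Membership Plugin, Zalomení, Crelly Slider, Email Subscribers, Aklamator INfeed) and the "Reflected XSS" entries (JustRows, WC Affiliate, Contact Form Master) all describe the same two omissions: a setting stored without sanitisation and a value printed without escaping. The phrase "even when the unfiltered_html capability is disallowed" is the point that makes these reportable: WordPress core lets users who hold unfiltered_html store arbitrary HTML, but on multisite only super admins hold it, so a site admin who can inject a script through a plugin setting has crossed a boundary core enforces. The following is an added example, not code from any of the plugins listed; the prefix sx_, option sx_footer_text and query parameter sx_msg are hypothetical. It shows the vulnerable shape of both bugs and the hardened form, with the sanitiser honouring unfiltered_html the way core does.

```php
<?php
// Added example; not code from any plugin listed on this page.
// Hypothetical names: prefix "sx_", option "sx_footer_text", query parameter "sx_msg".

/* ---------- Vulnerable: stored XSS in a setting ---------- */

// No sanitize_callback: whatever is submitted is written to wp_options verbatim.
function sx_vulnerable_register_setting() {
    register_setting( 'sx_options', 'sx_footer_text' );
}

// Raw output: an admin without unfiltered_html (e.g. on multisite) can still
// store "<script>...</script>" here, and it then runs for every visitor.
function sx_vulnerable_render_footer() {
    echo '<div class="sx-footer">' . get_option( 'sx_footer_text' ) . '</div>';
}

/* ---------- Vulnerable: reflected XSS from a request parameter ---------- */

function sx_vulnerable_notice() {
    if ( isset( $_GET['sx_msg'] ) ) {
        // ?sx_msg=<img src=x onerror=...> is echoed back to whoever follows the link.
        echo '<div class="notice">' . $_GET['sx_msg'] . '</div>';
    }
}

/* ---------- Hardened: sanitise on save, honouring unfiltered_html ---------- */

function sx_sanitize_footer_text( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;             // core policy: this user may store arbitrary HTML
    }
    return wp_kses_post( $value );  // everyone else: post-safe allowlist, no <script>, no on* handlers
}

function sx_hardened_register_setting() {
    register_setting( 'sx_options', 'sx_footer_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'sx_sanitize_footer_text',
        'default'           => '',
    ) );
}

/* ---------- Hardened: escape on output, per output context ---------- */

function sx_hardened_render_footer() {
    $text = get_option( 'sx_footer_text', '' );
    // Filter again at output time so an option written by another path
    // (older plugin version, direct DB edit) is still harmless.
    echo '<div class="sx-footer">' . wp_kses_post( $text ) . '</div>';
}

function sx_hardened_notice() {
    if ( ! isset( $_GET['sx_msg'] ) ) {
        return;
    }
    $msg = sanitize_text_field( wp_unslash( $_GET['sx_msg'] ) );
    echo '<div class="notice">' . esc_html( $msg ) . '</div>';                     // text node
    echo '<input type="hidden" name="sx_msg" value="' . esc_attr( $msg ) . '">';  // attribute value
}

// Settings field on the options page: the stored value goes into a textarea,
// which needs its own escaper.
function sx_footer_text_field() {
    echo '<textarea name="sx_footer_text" rows="4" cols="60">'
        . esc_textarea( get_option( 'sx_footer_text', '' ) )
        . '</textarea>';
}

add_action( 'admin_init', 'sx_hardened_register_setting' );
add_action( 'wp_footer', 'sx_hardened_render_footer' );
add_action( 'admin_notices', 'sx_hardened_notice' );
```

The escaper is chosen by where the value lands, not by where it came from: esc_html() for text nodes, esc_attr() for attribute values, esc_textarea() inside a textarea, esc_url() for href or src, and wp_json_encode() when a value is embedded in inline JavaScript. Sanitising on save and escaping on output are both needed; the save-time filter limits what can be stored, the output-time escape protects against whatever got stored anyway.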