
1360 matches found

Vulnrichment
added 2025/01/07 6:00 a.m., 9 views

CVE-2024-9638 Category Posts Widget < 4.9.18 - Admin+ Stored XSS

The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 4.7, EPSS 0.00354
Exploits 1, References 1
Cvelist
added 2025/01/07 6:00 a.m., 15 views

CVE-2024-9638 Category Posts Widget < 4.9.18 - Admin+ Stored XSS

The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00354
Exploits 1, References 1
CVE
added 2025/01/07 6:00 a.m., 46 views

CVE-2024-9638

CVE-2024-9638 affects Category Posts Widget for WordPress (Category Posts Widget) up to version 4.9.17. The issue is improper sanitization/escaping of widget settings, enabling stored XSS by high-privilege users (e.g., Admin) even when unfiltered_html is disallowed (e.g., multisite). The root cau...

CVSS 4.8, AI score 5.4, EPSS 0.00354
Exploits 1, References 1, Affected Software 1
Cvelist
added 2025/01/07 6:00 a.m., 13 views

CVE-2024-10562 Form Maker by 10Web < 1.15.31 - Admin+ Stored XSS

The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00401
Exploits 1, References 1
CVE
added 2025/01/03 3:37 p.m., 101 views

CVE-2024-56320

GoCD before 24.5.0 is vulnerable to admin privilege escalation via improper authorization of the admin "Configuration XML" UI and related API. An authenticated GoCD user with an existing account can access information intended only for admins or elevate privileges to admin, with exploitation requ...

CVSS 9.4, AI score 6.5, EPSS 0.00715
Exploits 0, References 4, Affected Software 1
OSV
added 2025/01/03 3:37 p.m., 17 views

CVE-2024-56320 GoCD vulnerable to admin privilege escalation by a malicious internal/existing authenticated user

GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD...

CVSS 9.4, AI score 6.7, EPSS 0.00715
Exploits 0, References 6
OSV
added 2024/12/27 6:15 a.m., 1 view

CVE-2024-11605

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite...

CVSS 4.8, AI score 5.8
Exploits 0, References 1
CVE
added 2024/12/26 6:00 a.m., 62 views

CVE-2024-11223

Summary (CVE-2024-11223): The WPForms WordPress plugin, versions prior to 1.9.2.3, fails to sanitise and escape certain settings. This allows high-privilege users (e.g., admins) to perform Stored Cross-Site Scripting (XSS) even when unfiltered_html is disallowed (e.g., multisite). The vulnerabili...

CVSS 4.7, AI score 5.4, EPSS 0.00484
Exploits 1, References 1, Affected Software 1
Cvelist
added 2024/12/26 6:00 a.m., 40 views

CVE-2024-11223 WPForms < 1.9.2.3 - Admin+ Stored XSS

The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00484
Exploits 1, References 1
Cvelist
added 2024/12/20 6:00 a.m., 15 views

CVE-2024-10706 Download Manager < 3.3.03 - Admin+ Stored XSS

The Download Manager WordPress plugin before 3.3.03 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00309
Exploits 1, References 1
Cvelist
added 2024/12/20 6:00 a.m., 19 views

CVE-2024-10555 MaxButtons < 9.8.1 - Admin+ Stored XSS via Button Width

The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisit...

EPSS 0.00315
Exploits 1, References 1
Vulnrichment
added 2024/12/13 6:00 a.m., 10 views

CVE-2024-10939 Image Widget < 4.4.11 - Admin+ Stored XSS

The Image Widget WordPress plugin before 4.4.11 does not sanitise and escape some of its Image Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.8, EPSS 0.00317
Exploits 1, References 1
OSV
added 2024/12/12 6:15 a.m., 1 view

CVE-2024-10517

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripti...

CVSS 4.8, AI score 7.3, EPSS 0.00334
Exploits 1, References 1
NVD
added 2024/12/12 6:15 a.m., 11 views

CVE-2024-10568

The Ajax Search Lite WordPress plugin before 4.12.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 4.7, EPSS 0.00405
Exploits 1, References 1
OSV
added 2024/12/12 6:15 a.m., 3 views

CVE-2024-10010

The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 4.8, AI score 7.3, EPSS 0.00441
Exploits 1, References 1
Vulnrichment
added 2024/12/12 6:00 a.m., 20 views

CVE-2024-9641 LuckyWP Table of Contents < 2.1.7 - Admin+ Stored XSS

The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.7, EPSS 0.0035
Exploits 1, References 1
Cvelist
added 2024/12/09 6:00 a.m., 39 views

CVE-2024-9651 Contact Form Plugin by Fluent Forms < 5.2.1 - Admin+ Stored XSS

The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.0035
Exploits 1, References 1
CVE
added 2024/11/25 6:00 a.m., 58 views

CVE-2024-6393

CVE-2024-6393 affects the WordPress plugin NextGEN Gallery (Photo Gallery, Sliders, Proofing and Themes). The issue is a lack of sanitization/escaping in the plugin's Images settings, enabling stored XSS by high-privilege users (e.g., Administrators) even if unfiltered_html is disallowed. Affecte...

CVSS 4.8, AI score 4.7, EPSS 0.00455
Exploits 1, References 1, Affected Software 1
CVE
added 2024/11/25 6:00 a.m., 62 views

CVE-2024-10710

CVE-2024-10710 (YaDisk Files WordPress plugin) affects YaDisk Files up to version 1.2.5. The Red Hat and other sources confirm the issue: the plugin does not sanitise/escape certain settings, enabling Stored XSS by high-privilege users (admin) even when unfiltered_html is disallowed. Technical de...

CVSS 3.5, AI score 3.4, EPSS 0.00387
Exploits 1, References 1, Affected Software 1
Cvelist
added 2024/11/25 6:00 a.m., 23 views

CVE-2024-10710 YaDisk Files <= 1.2.5 - Admin+ Stored XSS

The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00387
Exploits 1, References 1