6692 matches found

OSV
added 2024/10/01 3:32 p.m., 9 views

GHSA-XW32-6422-FRQM Pagekit Cross-site Scripting vulnerability

Pagekit 1.0.18 is vulnerable to Cross Site Scripting (XSS) in index.php/admin/site/widget...

CVSS 6.1, AI score 4.5, EPSS 0.00209
Exploits: 1, References: 3
Cvelist
added 2024/09/30 6:00 a.m., 17 views

CVE-2024-8379 Cost Calculator Builder < 3.2.29 - Admin+ SQL Injection

The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin...

EPSS 0.00593
Exploits: 1, References: 1
Vulnrichment
added 2024/09/30 6:00 a.m., 12 views

CVE-2024-8379 Cost Calculator Builder < 3.2.29 - Admin+ SQL Injection

The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin...

AI score 7.5, EPSS 0.00593
Exploits: 1, References: 1
Vulnrichment
added 2024/09/26 12:00 a.m., 10 views

CVE-2024-45983

A Cross-Site Request Forgery (CSRF) vulnerability exists in kishan0725's Hospital Management System version 6.3.5. The vulnerability allows an attacker to craft a malicious HTML form that submits a request to delete a doctor record. By enticing an authenticated admin user to visit the specially...

AI score 6.8, EPSS 0.00178
Exploits: 1, References: 1
OSV
added 2024/09/25 6:15 a.m., 9 views

CVE-2024-7878

The WP ULike WordPress plugin before 4.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

CVSS 4.8, AI score 5.6
Exploits: 0, References: 1
Vulnrichment
added 2024/09/24 3:06 a.m., 18 views

CVE-2022-2439 Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 3.3.3 - Authenticated (Admin+) PHAR Deserialization

The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'uploadfile' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using...

CVSS 7.2, AI score 6.8, EPSS 0.01042
Exploits: 0, References: 3
CVE
added 2024/09/23 6:00 a.m., 44 views

CVE-2024-8758

CVE-2024-8758 affects the Quiz and Survey Master (QSM) WordPress plugin prior to version 9.1.3. The issue is stored XSS caused by insufficient sanitization/escaping of settings, potentially allowing high-privilege users (e.g., admins) to inject scripts even when unfiltered_html is disallowed (e.g...

CVSS 4.8, AI score 4.9, EPSS 0.00265
Exploits: 0, References: 1, Affected software: 1
NVD
added 2024/09/21 9:15 a.m., 12 views

CVE-2024-8680

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.9.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 5.5, EPSS 0.00269
Exploits: 0, References: 5
Packet Storm
added 2024/09/19 12:00 a.m., 277 views

Men Salon Management System 2.0 Insecure Settings

Title : Men Salon Management System 2.0 Insecure Settings Vulnerability | Author : indoushka | Tested on : windows 10 FrPro / browser : Mozilla firefox 130.0....

AI score 7.4
Exploits: 0
NVD
added 2024/09/17 6:15 a.m., 12 views

CVE-2024-8043

The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

CVSS 5.7, EPSS 0.00086
Exploits: 0, References: 1
Cvelist
added 2024/09/17 6:00 a.m., 16 views

CVE-2024-8092 Accordion Image Menu <= 3.1.3 - Stored XSS via CSRF

The Accordion Image Menu WordPress plugin through 3.1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

EPSS 0.00185
Exploits: 1, References: 1
Cvelist
added 2024/09/17 6:00 a.m., 14 views

CVE-2024-8052 Review Ratings <= 1.6 - Stored XSS via CSRF

The Review Ratings WordPress plugin through 1.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

EPSS 0.00162
Exploits: 1, References: 1
CVE
added 2024/09/17 6:00 a.m., 43 views

CVE-2024-8051

CVE-2024-8051 concerns the WordPress plugin Special Feed Items (versions up to 1.0.1). The vulnerability stems from missing CSRF checks and insufficient sanitization/escaping, which could allow a logged-in administrator to inject a Stored XSS payload via a CSRF attack. The Red Hat/NVD/CVE records...

CVSS 5.7, AI score 5.6, EPSS 0.00081
Exploits: 1, References: 1, Affected software: 1
Vulnrichment
added 2024/09/17 6:00 a.m., 10 views

CVE-2024-8052 Review Ratings <= 1.6 - Stored XSS via CSRF

The Review Ratings WordPress plugin through 1.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

AI score 4.9, EPSS 0.00162
Exploits: 1, References: 1
Vulnrichment
added 2024/09/17 6:00 a.m., 12 views

CVE-2024-8047 Visual Sound (old) <= 1.06 - Settings Update via CSRF

The Visual Sound (old) WordPress plugin through 1.06 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

AI score 5.5, EPSS 0.00087
Exploits: 1, References: 1
Cvelist
added 2024/09/17 6:00 a.m., 15 views

CVE-2024-8043 Vikinghammer Tweet <= 0.2.4 - Stored XSS via CSRF

The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

EPSS 0.00086
Exploits: 0, References: 1
Vulnrichment
added 2024/09/17 6:00 a.m., 15 views

CVE-2024-5170 Logo Manager For Enamad <= 0.7.1 - Admin+ Stored XSS via Widget

The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

AI score 5.2, EPSS 0.00106
Exploits: 1, References: 1
CVE
added 2024/09/16 7:35 p.m., 32 views

CVE-2024-45800

CVE-2024-45800 concerns SnappyMail (Snappymail), a web-based email client. The issue lies in the HTML sanitizer: the cleanHtml() function allows too many invalid HTML elements, which can be coerced by malformed markup into valid markup, enabling a targeted mXSS javascript injection. The documente...

CVSS 5, AI score 5, EPSS 0.0014
Exploits: 0, References: 3
Packet Storm
added 2024/09/16 12:00 a.m., 250 views

Auto/Taxi Stand Management System 1.0 SQL Injection

Title : Auto/Taxi Stand Management System 1.0 Auth By Pass Vulnerability | Author : indoushka | Tested on : windows 10 FrPro / browser : Mozilla firefox 130.0...

AI score 7.4
Exploits: 0
NVD
added 2024/09/13 6:15 a.m., 12 views

CVE-2024-7863

The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server...

CVSS 8.1, EPSS 0.00197
Exploits: 1, References: 1