
6692 matches found

NVD, added 2024/09/09 6:15 a.m., 13 views

CVE-2024-7918

The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 4.8, EPSS 0.00209
Exploits: 1, References: 1
Cvelist, added 2024/09/09 6:00 a.m., 21 views

CVE-2024-7918 Pocket Widget <= 0.1.3 - Admin+ Stored XSS

The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00209
Exploits: 1, References: 1
Cvelist, added 2024/09/09 6:00 a.m., 20 views

CVE-2024-7689 Snapshot Backup <= 2.1.1 - Stored XSS via CSRF

The Snapshot Backup WordPress plugin through 2.1.1 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...

EPSS 0.00154
Exploits: 1, References: 1
Cvelist, added 2024/09/09 6:00 a.m., 18 views

CVE-2024-7687 AZIndex <= 0.8.1 - Stored XSS via CSRF

The AZIndex WordPress plugin through 0.8.1 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...

EPSS 0.00147
Exploits: 1, References: 1
Cvelist, added 2024/09/09 6:00 a.m., 15 views

CVE-2024-6910 EventON < 2.2.17 - Admin+ Stored XSS

The EventON WordPress plugin before 2.2.17 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...

EPSS 0.0026
Exploits: 1, References: 1
CVE, added 2024/09/09 6:00 a.m., 51 views

CVE-2024-7687

AZIndex WordPress plugin (

CVSS 6.1, AI score 4.8, EPSS 0.00147
Exploits: 1, References: 1, Affected software: 1
Vulnrichment, added 2024/09/09 6:00 a.m., 15 views

CVE-2024-7918 Pocket Widget <= 0.1.3 - Admin+ Stored XSS

The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.7, EPSS 0.00209
Exploits: 1, References: 1
Vulnrichment, added 2024/09/09 6:00 a.m., 10 views

CVE-2024-5561 Popup Maker < 1.19.1 - Admin+ Stored XSS

The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.8, EPSS 0.00502
Exploits: 1, References: 1
CVE, added 2024/09/09 12:00 a.m., 46 views

CVE-2024-44725

AutoCMS v5.4 is affected by a SQL injection in the sidebar parameter of /admin/robot.php. This CVE (CVE-2024-44725) is documented with a high impact (C/H I/H A/H) and CVSS v3.1 score of 7.2. Root cause: lack of input validation in the sidebar parameter leading to SQL statement manipulation. Explo...

CVSS 7.2, AI score 7.9, EPSS 0.00107
Exploits: 1, References: 1, Affected software: 1
NVD, added 2024/09/08 6:15 a.m., 13 views

CVE-2024-6925

The TrueBooker WordPress plugin before 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...

CVSS 4.3, EPSS 0.0017
Exploits: 1, References: 1
Cvelist, added 2024/09/08 6:00 a.m., 16 views

CVE-2024-6925 TrueBooker < 1.0.3 - Settings Update via CSRF

The TrueBooker WordPress plugin before 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...

EPSS 0.0017
Exploits: 1, References: 1
Vulnrichment, added 2024/09/08 6:00 a.m., 12 views

CVE-2024-6925 TrueBooker < 1.0.3 - Settings Update via CSRF

The TrueBooker WordPress plugin before 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...

AI score 6.4, EPSS 0.0017
Exploits: 1, References: 1
CVE, added 2024/09/08 6:00 a.m., 51 views

CVE-2024-6852

CVE-2024-6852 concerns the WordPress plugin WP MultiTasking (versions ≤ 0.1.12). The issue is a missing CSRF check when updating plugin settings, which could allow an attacker to force a logged-in admin to modify settings via CSRF. Public sources in connected documents confirm the root cause as l...

CVSS 6.5, AI score 4.6, EPSS 0.00146
Exploits: 1, References: 1, Affected software: 1
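The "Settings Update via CSRF" and "Stored XSS via CSRF" entries above (Snapshot Backup, AZIndex, TrueBooker, WP MultiTasking) all come down to one missing check: the settings handler verifies that the caller is an admin but not that the request came from the plugin's own form, so any page the admin visits can auto-submit a POST to wp-admin with the admin's cookies attached. The following is an added example, not code from any of those plugins; the `xyz_` prefix, the `xyz-settings` page slug, the `xyz_settings` option and its field names are assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not code from Snapshot Backup, AZIndex, TrueBooker or WP
 * MultiTasking). The "xyz_" prefix, page slug "xyz-settings" and option
 * "xyz_settings" are assumptions.
 */

/* ---- Vulnerable shape: capability check only ----------------------------- */
function xyz_vuln_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['xyz_settings'] ) ) {
        // Proves the browser belongs to an admin, not that the admin meant to
        // send this request. A cross-site auto-submitted form lands here, and
        // because the array is stored unsanitised the same request plants a
        // stored XSS payload that is echoed raw below.
        update_option( 'xyz_settings', $_POST['xyz_settings'] );
    }
    $s = get_option( 'xyz_settings', array() );
    echo '<form method="post">';
    echo '<input name="xyz_settings[banner]" value="' . ( $s['banner'] ?? '' ) . '">';
    echo '<button>Save</button></form>';
}

/* ---- Hardened shape: nonce + capability + sanitise + escape --------------- */
const XYZ_NONCE_ACTION = 'xyz_save_settings';
const XYZ_NONCE_FIELD  = 'xyz_nonce';

function xyz_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    if ( 'POST' === ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        // Dies with "The link you followed has expired." unless the token was
        // minted by WordPress for this action and this user (12-24 h lifetime).
        // An attacker's page cannot read the token, so the forged POST fails.
        check_admin_referer( XYZ_NONCE_ACTION, XYZ_NONCE_FIELD );

        $raw   = wp_unslash( $_POST['xyz_settings'] ?? array() );
        $clean = array(
            'banner' => sanitize_text_field( $raw['banner'] ?? '' ),
            'count'  => absint( $raw['count'] ?? 0 ),
        );
        update_option( 'xyz_settings', $clean );
        add_settings_error( 'xyz_settings', 'saved', 'Settings saved.', 'updated' );
    }

    $s = get_option( 'xyz_settings', array() );
    settings_errors( 'xyz_settings' );
    echo '<form method="post" action="'
        . esc_url( admin_url( 'options-general.php?page=xyz-settings' ) ) . '">';
    wp_nonce_field( XYZ_NONCE_ACTION, XYZ_NONCE_FIELD ); // hidden token field
    echo '<input name="xyz_settings[banner]" value="' . esc_attr( $s['banner'] ?? '' ) . '">';
    echo '<input name="xyz_settings[count]" type="number" value="' . absint( $s['count'] ?? 0 ) . '">';
    echo '<button>Save</button></form>';
}

add_action( 'admin_menu', function () {
    add_options_page( 'XYZ', 'XYZ', 'manage_options', 'xyz-settings', 'xyz_settings_page' );
} );
```

The nonce alone does not make the handler safe: `check_admin_referer()` stops the forged request, while `sanitize_text_field()` on save and `esc_attr()` on output stop a legitimately authenticated admin (or an older, unsanitised option value) from turning the setting into a stored XSS sink, which is the second half of the Snapshot Backup and AZIndex entries.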
Packet Storm, added 2024/09/06 12:00 a.m., 207 views

Online Shopping Portal Project 2.0 SQL Injection

Title: Online Shopping Portal Project 2.0 auth bypass Vulnerability | Author: indoushka | Tested on: Windows 10 FrPro / browser: Mozilla Firefox...

AI score 7.4
Exploits: 0
NVD, added 2024/09/05 1:15 p.m., 11 views

CVE-2024-8466

SQL injection vulnerability, by which an attacker could send a specially crafted query through the CATEGORY parameter in /jobportal/admin/category/controller.php and retrieve all the information stored in the database...

CVSS 9.8, EPSS 0.00118
Exploits: 0, References: 1
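Both SQL injection entries above (CVE-2024-44725, the `sidebar` parameter of AutoCMS's /admin/robot.php, and CVE-2024-8466, the `CATEGORY` parameter of the jobportal category controller) describe a request parameter concatenated into a SQL statement. The following is an added example, not code from either application: the table and column names (`categories`, `name`, `left_items`, `right_items`, `position`) are assumptions, and the in-memory SQLite data is constructed for the demonstration. The second hardened function generalises beyond the two entries to parameters that select a table or sort order, which cannot be bound as values and need an allowlist instead.

```php
<?php
/**
 * Added example, not code from AutoCMS or the jobportal application. Table
 * and column names are assumptions; the SQLite rows are constructed data.
 */

/* ---- Vulnerable shape: string-built query -------------------------------- */
function vuln_find_category(PDO $pdo, string $category): array {
    // $category = "x' OR '1'='1" returns every row; "x' UNION SELECT ..."
    // reads other tables. Quoting alone is not the fix: an unquoted numeric
    // context ("... WHERE id = " . $id) is injectable with no quote at all.
    $sql = "SELECT id, name FROM categories WHERE name = '" . $category . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/* ---- Hardened shape: bound parameter ------------------------------------- */
function find_category(PDO $pdo, string $category): array {
    // The value is sent separately from the statement text; the database
    // never parses it as SQL, so quotes in $category are just characters.
    $stmt = $pdo->prepare('SELECT id, name FROM categories WHERE name = :name');
    $stmt->execute([':name' => $category]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/* ---- Hardened shape for identifiers: allowlist, never bind --------------- */
function list_sidebar_items(PDO $pdo, string $sidebar, string $dir): array {
    // A parameter that picks a table/column/ORDER BY direction (the "sidebar"
    // style of input) cannot be a bound value. Map it through a fixed table
    // and reject anything else; the user string never reaches the SQL text.
    $allowed = ['left' => 'left_items', 'right' => 'right_items'];
    $table   = $allowed[$sidebar] ?? null;
    if ($table === null) {
        throw new InvalidArgumentException('unknown sidebar');
    }
    $dir  = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $pdo->prepare("SELECT id, title FROM {$table} ORDER BY position {$dir}");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/* ---- Runnable demonstration on an in-memory database (constructed) ------- */
function demo(): void {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO categories (name) VALUES ('jobs'), ('internships'), ('hidden')");
    $pdo->exec('CREATE TABLE left_items (id INTEGER PRIMARY KEY, title TEXT, position INTEGER)');
    $pdo->exec("INSERT INTO left_items (title, position) VALUES ('b', 2), ('a', 1)");

    $payload = "x' OR '1'='1";
    printf("vulnerable: %d rows for %s\n", count(vuln_find_category($pdo, $payload)), $payload); // 3
    printf("hardened:   %d rows for %s\n", count(find_category($pdo, $payload)), $payload);      // 0

    print_r(list_sidebar_items($pdo, 'left', 'asc'));
    try {
        list_sidebar_items($pdo, "left_items; DROP TABLE categories", 'asc');
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
demo();
```

On MySQL, PDO emulates prepares client-side by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` on that driver makes the server do the binding, which is the stronger form. Either way the point stands: data is bound, identifiers are allowlisted, and no request parameter is ever spliced into SQL text.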
NVD, added 2024/09/04 6:15 a.m., 17 views

CVE-2024-6889

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.1.7 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for...

CVSS 4.8, EPSS 0.00283
Exploits: 1, References: 1
Cvelist, added 2024/09/04 6:00 a.m., 13 views

CVE-2024-6722 Chatbot Support AI <= 1.0.2 - Admin+ Stored XSS

The Chatbot Support AI: Free ChatGPT Chatbot, Woocommerce Chatbot WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...

EPSS 0.00179
Exploits: 1, References: 1
Vulnrichment, added 2024/09/04 6:00 a.m., 13 views

CVE-2024-6722 Chatbot Support AI <= 1.0.2 - Admin+ Stored XSS

The Chatbot Support AI: Free ChatGPT Chatbot, Woocommerce Chatbot WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...

AI score 5.8, EPSS 0.00179
Exploits: 1, References: 1
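The "Admin+ Stored XSS" entries above (Pocket Widget, EventON, Popup Maker, Secure Copy Content Protection, Chatbot Support AI) share one defect: a plugin setting is stored without a sanitize callback and printed without escaping. That matters even for an admin because WordPress itself does not grant `unfiltered_html` to site admins on multisite, or to anyone when `DISALLOW_UNFILTERED_HTML` is set, so a plugin that skips sanitisation silently overrides that policy. The following is an added example, not code from any of those plugins; the `xyz_` prefix, the `xyz_widget` option and its `title`/`link`/`body` fields are assumptions.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page. The "xyz_"
 * prefix, the option "xyz_widget" and its field names are assumptions.
 */

/* ---- Vulnerable shape: no sanitize callback, raw echo -------------------- */
function xyz_vuln_register() {
    // Whatever options.php receives is stored verbatim, <script> included.
    register_setting( 'xyz_group', 'xyz_widget' );
}

function xyz_vuln_render() {
    $opts = get_option( 'xyz_widget', array() );
    // Raw echo of stored values: every visitor executes the saved payload.
    echo '<h3>' . $opts['title'] . '</h3>';
    echo '<div class="xyz-body">' . $opts['body'] . '</div>';
}

/* ---- Hardened shape: sanitise on save, escape on output ------------------ */
function xyz_register() {
    register_setting( 'xyz_group', 'xyz_widget', array(
        'type'              => 'array',
        'sanitize_callback' => 'xyz_sanitize_settings',
        'default'           => array( 'title' => '', 'link' => '', 'body' => '' ),
    ) );
}
add_action( 'admin_init', 'xyz_register' );

/**
 * Runs on every save, whoever submits. Plain-text fields lose all tags; the
 * one rich-text field is reduced to the post-content allowlist, which never
 * contains <script>, on*= handlers or javascript: URLs. Raw HTML is kept only
 * for users WordPress itself trusts with it (the unfiltered_html capability),
 * so a multisite admin gets the same filtering core applies to their posts.
 */
function xyz_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    $clean['title'] = sanitize_text_field( $input['title'] ?? '' );
    $clean['link']  = esc_url_raw( $input['link'] ?? '' );

    $body = (string) ( $input['body'] ?? '' );
    $clean['body'] = current_user_can( 'unfiltered_html' ) ? $body : wp_kses_post( $body );

    return $clean;
}

function xyz_render() {
    $opts = get_option( 'xyz_widget', array() );
    // Escape on output as well: the option may have been written by an older
    // plugin version, an import or a direct database edit.
    echo '<h3>' . esc_html( $opts['title'] ?? '' ) . '</h3>';
    echo '<a href="' . esc_url( $opts['link'] ?? '' ) . '">'
        . esc_html( $opts['title'] ?? '' ) . '</a>';
    echo '<div class="xyz-body">' . wp_kses_post( $opts['body'] ?? '' ) . '</div>';
}
```

The choice of escaping function follows the output context (`esc_html` for text nodes, `esc_attr` for attribute values, `esc_url` for `href`/`src`, `wp_kses_post` for HTML that must keep markup); using the wrong one for the context is the same bug with a different payload.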
AlpineLinux, added 2024/09/02 6:15 p.m., 14 views

CVE-2024-43801

Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI e.g. via "view image" in a...

AI score 6.2, EPSS 0.00173
Exploits: 0
CVE, added 2024/09/02 4:26 p.m., 318 views

CVE-2024-43801

CVE-2024-43801 affects Jellyfin (self-hosted media server). The vulnerability arises from accepting SVG uploads for user profiles, enabling a stored XSS that could let an admin load a crafted SVG outside Jellyfin’s Web UI, interact with the browser LocalStorage, and exfiltrate an AccessToken to e...

CVSS 5.4, AI score 4.6, EPSS 0.00173
Exploits: 0, References: 3, Affected software: 1
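The two CVE-2024-43801 entries describe an SVG accepted as a profile image and later opened by an admin as a top-level document (for example via "view image"), where its script runs in the application's origin and can read LocalStorage. Jellyfin is a .NET application; the following is an added example written as a PHP upload handler, not Jellyfin's code, showing the two controls that close that path: deciding the file type from its bytes and refusing SVG for avatars, and serving user-supplied files with headers under which a script could not run against the application's origin even if one slipped through. The storage directory, the `AVATAR_TYPES` allowlist and the function names are assumptions.

```php
<?php
/**
 * Added example, not Jellyfin code. Storage paths, the allowlist below and
 * the function names are assumptions.
 */

/* Image types an avatar may be. SVG is absent on purpose: it is an XML
 * document that may carry <script>, on*= handlers and external references. */
const AVATAR_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Returns the server-chosen extension, or null if the upload must be
 * rejected. The client-supplied Content-Type and filename are ignored.
 */
function avatar_extension_for(string $tmpPath): ?string {
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath); // sniffed from bytes
    if (!isset(AVATAR_TYPES[$mime])) {
        return null; // image/svg+xml, text/xml, text/html ... all end here
    }
    // Second opinion from the image decoder: a "PNG" it cannot parse is not
    // something we want to store and serve.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return AVATAR_TYPES[$mime];
}

/** Stores an upload from $_FILES[...] and returns its path, or null. */
function handle_avatar_upload(array $file, string $storeDir): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = avatar_extension_for($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Random server-chosen name: the user controls neither path nor extension.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

/**
 * Headers for anything user-supplied. If such a file is opened as a document,
 * CSP "sandbox" gives it an opaque origin (no cookies, no LocalStorage of the
 * app) and blocks script; nosniff stops the browser re-typing the content;
 * the Content-Type is ours, not the uploader's.
 */
function send_user_file(string $path, string $mime): void {
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header("Content-Security-Policy: sandbox; default-src 'none'");
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    readfile($path);
}
```

Serving uploads from a separate origin (a dedicated host for user content) is the more robust version of the second control; the CSP headers above are the in-process fallback when that is not available.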