
6692 matches found

NVD
• added 2024/08/13 6:15 a.m. • 17 views

CVE-2024-6724

The Generate Images WordPress plugin before 5.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

4.8 CVSS • 0.00179 EPSS
Exploits: 1 • References: 1
Cvelist
• added 2024/08/13 6:00 a.m. • 20 views

CVE-2024-6724 Generate Images – Magic Post Thumbnail < 5.2.8 - Admin+ Stored XSS

The Generate Images WordPress plugin before 5.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

0.00179 EPSS
Exploits: 1 • References: 1
Patchstack
• added 2024/08/13 2:57 a.m. • 2 views

WordPress Term And Category Based Posts Widget plugin < 4.9.13 - Admin+ Stored XSS vulnerability

Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Term And Category Based Posts Widget versions 4.9.13...

4.8 CVSS • 6.1 AI score • 0.00204 EPSS
Exploits: 1 • References: 1 • Affected Software: 1
Packet Storm
• added 2024/08/13 12:00 a.m. • 220 views

WordPress MapFig Studio 0.2.1 Cross Site Request Forgery / Cross Site Scripting

Exploit Title: MapFig Studio [...] Reference: https://wpscan.com/vulnerability/0346b62c-a856-4554-a24a-ef2c2943bda9/...

7.4 AI score
Exploits: 0
Vulnrichment
• added 2024/08/09 6:00 a.m. • 9 views

CVE-2024-6158 Category Posts Widget (Free < 4.9.17, Pro < 4.9.13) - Admin+ Stored XSS

The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Posts" widget settings before outputting them back in a page/post where the Widget is embedded, which could allow high...

4.8 AI score • 0.00204 EPSS
Exploits: 1 • References: 1
Cvelist
• added 2024/08/09 6:00 a.m. • 19 views

CVE-2024-6133 WP eStore < 8.5.6 - Reflected XSS in Customer Search

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

0.00317 EPSS
Exploits: 1 • References: 1
CVE
• added 2024/08/09 6:00 a.m. • 47 views

CVE-2024-6133

The vulnerability CVE-2024-6133 affects the WordPress plugin wp-cart-for-digital-products (pre-8.5.6). The issue is a Reflected Cross-Site Scripting flaw where a parameter is not sanitized/escaped before output, potentially affecting high-privilege users (e.g., admins). Root cause: inadequate inp...

6.5 CVSS • 8.6 AI score • 0.00317 EPSS
Exploits: 1 • References: 1 • Affected Software: 1
Cvelist
• added 2024/08/08 6:00 a.m. • 16 views

CVE-2024-6481 Search Filter Pro < 2.5.18 - Admin+ Stored XSS

The Search & Filter Pro WordPress plugin before 2.5.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

0.00164 EPSS
Exploits: 1 • References: 1
Veracode
• added 2024/08/07 7:41 a.m. • 16 views

Cross-site Scripting (XSS)

microweber/microweber is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper input sanitization in userfiles\modules\settings\admin.php by which an admin authenticated attacker can inject malicious scripts by submitting crafted input to the group field...

6.1 CVSS • 6.5 AI score • 0.0119 EPSS
Exploits: 1 • References: 3 • Affected Software: 1
NVD
• added 2024/08/07 6:16 a.m. • 9 views

CVE-2024-3973

The House Manager WordPress plugin through 1.0.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

4.8 CVSS • 0.0017 EPSS
Exploits: 1 • References: 1
Cvelist
• added 2024/08/07 6:00 a.m. • 14 views

CVE-2024-3973 House Manager <= 1.0.8.4 - Reflected XSS

The House Manager WordPress plugin through 1.0.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

0.0017 EPSS
Exploits: 1 • References: 1
CVE
• added 2024/08/07 6:00 a.m. • 35 views

CVE-2024-3973

CVE-2024-3973 relates to the House Manager WordPress plugin (

4.8 CVSS • 5.8 AI score • 0.0017 EPSS
Exploits: 1 • References: 1 • Affected Software: 1
Vulnrichment
• added 2024/08/07 6:00 a.m. • 9 views

CVE-2024-3973 House Manager <= 1.0.8.4 - Reflected XSS

The House Manager WordPress plugin through 1.0.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.1 AI score • 0.0017 EPSS
Exploits: 1 • References: 1
NVD
• added 2024/08/06 4:15 p.m. • 29 views

CVE-2024-23464

In certain cases, Zscaler Internet Access (ZIA) can be disabled by PowerShell commands with admin rights. This affects Zscaler Client Connector on Windows 4.2.1...

7.2 CVSS • 0.00068 EPSS
Exploits: 0 • References: 1
NVD
• added 2024/08/06 11:16 a.m. • 18 views

CVE-2024-33980

Cross-Site Scripting (XSS) vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could create a specially crafted URL and send it to a victim to obtain details of their session cookie via the 'start' parameter in '/admin/modreports/printreport.php'...

7.1 CVSS • 0.00237 EPSS
Exploits: 0 • References: 1
Cvelist
• added 2024/08/06 11:05 a.m. • 21 views

CVE-2024-33980 Cross-site Scripting in Janobe products

Cross-Site Scripting (XSS) vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could create a specially crafted URL and send it to a victim to obtain details of their session cookie via the 'start' parameter in '/admin/modreports/printreport.php'...

7.1 CVSS • 0.00237 EPSS
Exploits: 0 • References: 1
OSV
• added 2024/08/06 10:14 a.m. • 11 views

BIT-WORDPRESS-2024-3992

The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

4.8 CVSS • 4.6 AI score • 0.00453 EPSS
Exploits: 2 • References: 1
Cvelist
• added 2024/08/06 6:00 a.m. • 22 views

CVE-2024-6651 WordPress File Upload < 4.24.8 - Reflected XSS

The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

0.18525 EPSS
Exploits: 2 • References: 1
Vulnrichment
• added 2024/08/06 6:00 a.m. • 16 views

CVE-2024-6651 WordPress File Upload < 4.24.8 - Reflected XSS

The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.2 AI score • 0.18525 EPSS
Exploits: 2 • References: 1
Cvelist
• added 2024/08/05 6:00 a.m. • 14 views

CVE-2024-6498 CollectChat < 2.4.4 - Admin+ XSS

The Chatbot for WordPress by Collect.chat ⚡️ WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...

0.00223 EPSS
Exploits: 1 • References: 1