CVE-2024-5644 WordPress Plugin Tournamatch < 4.6.1 - Admin+ Stored XSS via Ladders
The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2024-5644
CVE-2024-5644 affects the Tournamatch WordPress plugin prior to 4.6.1. The issue arises from insufficient sanitisation/escaping of certain plugin settings, enabling Stored XSS by high-privilege users (e.g., administrators) even when unfiltered_html is disabled (such as in multisite). Impact is li...
CVE-2024-5472 WP QuickLaTeX < 3.8.7 - Admin+ Stored XSS in Background Color field
The WP QuickLaTeX WordPress plugin before 3.8.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2024-5442 NextGEN Gallery < 3.59.3 - Admin+ Stored XSS
The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in...
CVE-2024-5286 WP Affiliate Platform < 6.5.1 - Reflected XSS via Banner Editing
The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2024-5472
The exploit details for CVE-2024-5472 indicate that WP QuickLaTeX for WordPress (pre-3.8.7) fails to sanitise/escape certain plugin settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as multisite). The Red Hat and CVE records corrobo...
CVE-2024-5281 WP Affiliate Platform < 6.5.1 - Reflected XSS via Affiliate Editing
The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2024-5281
The CVE-2024-5281 entry is valid and supported by connected sources describing a Reflected XSS in the WP Affiliate Platform plugin (versions before 6.5.1) caused by not sanitising/escaping a parameter before echoing it to the page. Impact is noted as potentially exploitable against admin/high-pri...
CVE-2024-5282 WP Affiliate Platform < 6.5.1 - Reflected XSS via Registration Form
The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2024-5283 WP Affiliate Platform < 6.5.1 - Reflected XSS via Lead Editing
The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2024-5167 CM Email Registration Blacklist and Whitelist < 1.4.9 - Add/Delete Emails via CSRF Add and delete any item from blacklist/whitelist
The CM Email Registration Blacklist and Whitelist WordPress plugin before 1.4.9 does not have a CSRF check when adding or deleting an item from the blacklist or whitelist, which could allow attackers to make a logged-in admin add or delete settings from the blacklist or whitelist menu via a CSRF...
CVE-2024-5080 WP eMember < 10.6.6 - Admin+ Arbitrary File Upload
The wp-eMember WordPress plugin before 10.6.6 does not validate files to be uploaded, which could allow admins to upload arbitrary files such as PHP on the server...
CVE-2024-5077 WP eMember < 10.6.6 - Stored XSS in Blacklist via CSRF
The wp-eMember WordPress plugin before 10.6.6 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-5151 SULly < 4.3.1 - Admin+ Stored XSS
The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2024-5151
The CVE-2024-5151 entry concerns the SULly WordPress plugin prior to version 4.3.1. The vulnerability is a Stored XSS caused by insufficient sanitization/escaping of plugin settings, potentially allowing high-privilege users (e.g., administrators) to inject scripts even when unfiltered_html is di...
CVE-2024-5074 WP eMember < 10.6.6 - Reflected XSS
The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...