120 matches found

RedhatCVE
added 2025/05/23 7:0 a.m. | 1 view

CVE-2024-12285

The SEMA API plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘catid’ parameter in all versions up to, and including, 5.27 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...

CVSS 6.1 | AI score 6.4 | EPSS 0.02566
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 3:47 a.m. | 8 views

CVE-2023-3199

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatestatusordertitle function. This makes it possible for unauthenticated attackers to update status order title via a forged request granted they can trick a site...

CVSS 4.3 | AI score 6.5 | EPSS 0.00107
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 3:47 a.m. | 9 views

CVE-2023-3201

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatenewordertitle function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrato...

CVSS 4.3 | AI score 6.5 | EPSS 0.00147
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 3:47 a.m. | 4 views

CVE-2023-3197

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible...

CVSS 9.8 | AI score 7.5 | EPSS 0.29566
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 3:44 a.m. | 5 views

CVE-2023-3076

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features...

CVSS 9.8 | AI score 6.6 | EPSS 0.30393
Exploits: 2 | References: 1

RedhatCVE
added 2025/05/23 2:16 a.m. | 5 views

CVE-2023-3203

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatelimitproduct function. This makes it possible for unauthenticated attackers to update limit the number of product per category to use cache data in home screen via a...

CVSS 4.3 | AI score 6.5 | EPSS 0.00244
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 5:8 p.m. | 6 views

CVE-2020-2193

Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier when rendering charts, resulting in a stored cross-site scripting vulnerability...

CVSS 5.4 | AI score 6 | EPSS 0.00121
Exploits: 0

RedhatCVE
added 2025/05/22 4:7 p.m. | 4 views

CVE-2020-2194

Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart, resulting in a stored cross-site scripting vulnerability...

CVSS 5.4 | AI score 5.9 | EPSS 0.00121
Exploits: 0

RedhatCVE
added 2025/05/22 3:18 p.m. | 5 views

CVE-2020-2106

Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations...

CVSS 5.4 | AI score 5.9 | EPSS 0.00195
Exploits: 0

NVD
added 2025/03/22 7:15 a.m. | 11 views

CVE-2025-1311

The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the updatedeliverystatus function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient...

CVSS 6.5 | EPSS 0.00087
Exploits: 0 | References: 4

NVD
added 2025/02/18 5:15 a.m. | 18 views

CVE-2024-13565

The Simple Map No Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

CVSS 6.4 | EPSS 0.00132
Exploits: 0 | References: 3

RedhatCVE
added 2025/02/05 3:7 p.m. | 7 views

CVE-2020-36713

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'updateuserprofile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delet...

CVSS 9.8 | AI score 7.3 | EPSS 0.00928
Exploits: 1 | References: 1

NVD
added 2025/01/09 11:15 a.m. | 15 views

CVE-2024-11907

The Skyword API Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skywordiframe' shortcode in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 | EPSS 0.00195
Exploits: 0 | References: 4

CVE
added 2025/01/09 11:10 a.m. | 71 views

CVE-2024-11907

CVE-2024-11907: Skyword API Plugin for WordPress is vulnerable to authenticated Stored Cross-Site Scripting via the skyword_iframe shortcode in versions up to 2.5.2. An attacker with contributor+ privileges can inject scripts that run on pages viewed by other users. Connected sources confirm thi...

CVSS 6.4 | AI score 5.7 | EPSS 0.00195
Exploits: 0 | References: 4

Cvelist
added 2025/01/09 11:10 a.m. | 20 views

CVE-2024-11907 Skyword API Plugin <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Skyword API Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skywordiframe' shortcode in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 | EPSS 0.00195
Exploits: 0 | References: 4

Patchstack
added 2025/01/09 12:7 a.m. | 2 views

WordPress SEMA API plugin <= 5.27 - Reflected Cross-Site Scripting via catid Parameter vulnerability

Reflected Cross-Site Scripting via catid Parameter vulnerability discovered by vgo0 in WordPress Plugin SEMA API versions <= 5.27...

CVSS 6.1 | AI score 6.3 | EPSS 0.02566
Exploits: 0 | References: 1 | Affected Software: 1

CNNVD
added 2025/01/09 12:0 a.m. | 2 views

WordPress plugin Skyword API Plugin cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS 6.4 | AI score 7.6 | EPSS 0.00195
Exploits: 0 | References: 3

OSV
added 2024/12/13 9:15 a.m. | 1 view

CVE-2024-12042

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for...

CVSS 5.4 | AI score 7.4
Exploits: 0 | References: 3

Patchstack
added 2024/12/12 9:39 p.m. | 4 views

WordPress MStore API plugin <= 4.16.4 - Authenticated (Subscriber+) HTML File Upload (Stored Cross-Site Scripting) vulnerability

Authenticated Subscriber+ HTML File Upload Stored Cross-Site Scripting vulnerability discovered by shaman0x01 in WordPress Plugin MStore API versions <= 4.16.4...

CVSS 5.4 | AI score 6.9 | EPSS 0.00233
Exploits: 0 | References: 1 | Affected Software: 1

NVD
added 2024/12/12 5:15 a.m. | 9 views

CVE-2024-11804

The Planaday API plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 11.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...

CVSS 6.1 | EPSS 0.02097
Exploits: 0 | References: 2