CVE-2024-11929
The Responsive FlipBook Plugin Wordpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the rfbwpsavesettings function in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2024-12819 Searchie <= 1.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Searchie plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sioembedmedia' shortcode in all versions up to, and including, 1.17.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-12814 Loan Comparison <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Loan Comparison plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'loancomparison' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-11230
The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘size’ parameter in all versions up to, and including, 1.6.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-12721
The Custom Product Tabs For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.4 via deserialization of untrusted input from the 'wbcustomtabs' parameter. This makes it possible for authenticated attackers, with Shop Manager-level acce...
CVE-2024-12066
The CVE-2024-12066 entry concerns the SMSA Shipping (official) WordPress plugin. Affected versions up to 2.2 are vulnerable due to insufficient file path validation in the smsa_delete_label() function, enabling authenticated users with Subscriber+ privileges to delete arbitrary files on the serve...
CVE-2024-12596
The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to arbitrary post deletion due to a missing capability check on the 'llmsdeletecert' action in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with...
CVE-2024-12446
CVE-2024-12446 is a stored cross-site scripting vulnerability in the WordPress Post to Pdf plugin (all versions up to 1.0) exploitable by authenticated users with contributor+ privileges via the gmptp_single_post shortcode. The issue arises from insufficient input sanitization and output escaping...
CVE-2024-12501
CVE-2024-12501 concerns the WordPress Simple Locator plugin (versions up to 2.0.3) with Stored XSS via shortcode attributes due to insufficient input sanitization and output escaping. Exploitation requires authenticated access at contributor level or higher; an attacker can inject scripts that ex...
CVE-2024-12458
The Smart PopUp Blaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spb-button' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-11884
CVE-2024-11884 affects the WordPress plugin WP Photo Text Slider 50 (wp-photo-text-slider-50). The vulnerability is a Stored XSS via the plugin’s shortcode wp-photo-slider, caused by insufficient input sanitization and output escaping of user-supplied attributes. Impact: authenticated attackers w...
CVE-2024-12040
The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.10 via the 'theme' attribute of the wcpcsu shortcode. This makes it possible for authenticated attackers, with Contributor-level access...
CVE-2024-11882 FAQ And Answers – Create Frequently Asked Questions Area on WP Sites <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The FAQ And Answers – Create Frequently Asked Questions Area on WP Sites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'faq' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied...
CVE-2024-11410 Top and footer bars for announcements, notifications, advertisements, promotions – YooBar <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Top and footer bars for announcements, notifications, advertisements, promotions – YooBar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Yoo Bar settings in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This mak...
CVE-2024-11413 HostFact bestelformulier integratie <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The HostFact bestelformulier integratie plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bestelformulier' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-11430
CVE-2024-11430 affects the SQL Chart Builder WordPress plugin. Affected component: gvn_schart_2 shortcode arg1 parameter; root cause is insufficient escaping and poor query preparation, enabling SQL Injection. Impact: with Contributor+ authentication, an attacker can append additional SQL to exi...
PT-2024-37875 · WordPress · Jeg Elementor Kit
Name of the Vulnerable Software and Affected Versions: Jeg Elementor Kit plugin for WordPress versions up to, and including, 2.6.7
Description: The issue is related to Stored Cross-Site Scripting via SVG File uploads due to insufficient input sanitization and output escaping. This allows...
CVE-2024-6666
The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendorid’ parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticat...
CVE-2024-3592
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'questionid' parameter in all versions up to, and including, 9.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...
CVE-2024-2765
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to insufficient input...