1178 matches found

CVE
added 2025/01/07 5:12 p.m. | 72 views

CVE-2024-54006

CVE-2024-54006 concerns multiple authenticated command injection vulnerabilities in the web interface of the Hewlett Packard Enterprise 501 Wireless Client Bridge. The root cause is command injection in the device’s web UI, allowing an attacker with administrative credentials to execute arbitrary...

CVSS 7.2 | AI score 7.7 | EPSS 0.00885
In wild | Exploits 0 | References 1

CVE
added 2025/01/07 6:40 a.m. | 40 views

CVE-2024-12495

CVE-2024-12495 – Bootstrap Blocks for WP Editor (WordPress) Stored XSS. Affected product: Bootstrap Blocks for WP Editor plugin, WordPress. Vulnerability type: Stored Cross-Site Scripting in the gtb-bootstrap/column block due to insufficient input sanitization and output escaping. Root cause: lack...

CVSS 6.4 | AI score 5.7 | EPSS 0.0031
Exploits 0 | References 2

CVE
added 2025/01/07 5:23 a.m. | 52 views

CVE-2024-12073

CVE-2024-12073 affects the Meteor Slides WordPress plugin. The vulnerability is a Stored Cross-Site Scripting (XSS) in the slide_url_value parameter across all versions up to and including 1.5.7, arising from insufficient input sanitization and output escaping. Exploitation requires authenticatio...

CVSS 6.4 | AI score 5.8 | EPSS 0.0031
Exploits 0 | References 2 | Affected Software 1

Cvelist
added 2025/01/07 5:23 a.m. | 18 views

CVE-2024-9702 Social Rocket <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialrocket-floating' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVSS 6.4 | EPSS 0.0031
Exploits 0 | References 2

CVE
added 2025/01/07 4:21 a.m. | 47 views

CVE-2024-11445

CVE-2024-11445 describes a stored cross-site scripting vulnerability in the WordPress plugin Image Magnify. The issue affects all versions up to and including 1.1 and stems from insufficient input sanitization and output escaping on attributes supplied to the plugin’s shortcode image_magnify. W...

CVSS 6.4 | AI score 5.7 | EPSS 0.00227
Exploits 0 | References 3

CVE
added 2025/01/07 3:21 a.m. | 38 views

CVE-2024-11899

CVE-2024-11899: Slider Pro Lite (WordPress) is vulnerable to Stored Cross-Site Scripting via the plugin shortcode sliderpro in all versions up to and including 1.4.1. Root cause: insufficient input sanitization and output escaping on user-supplied attributes. Impact: authenticated attackers with...

CVSS 6.4 | AI score 5.7 | EPSS 0.00361
Exploits 0 | References 5

Vulnrichment
added 2025/01/04 11:24 a.m. | 10 views

CVE-2024-12195 WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts <= 2.6.16 - Authenticated (Subscriber+) SQL Injection

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the 'projectid' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 d...

CVSS 6.5 | AI score 7.4 | EPSS 0.00377
Exploits 0 | References 3

CVE
added 2025/01/04 8:22 a.m. | 54 views

CVE-2024-11930

CVE-2024-11930 affects the Taskbuilder – WordPress Project & Task Management plugin for WordPress. The vulnerability is Stored Cross‑Site Scripting via the wppm_tasks shortcode in versions up to and including 3.0.6, caused by insufficient input sanitization and output escaping on user-supplied at...

CVSS 6.4 | AI score 5.8 | EPSS 0.00233
Exploits 0 | References 4 | Affected Software 1

CVE
added 2025/01/04 8:22 a.m. | 88 views

CVE-2024-12583

CVE-2024-12583 affects the Dynamics 365 Integration plugin for WordPress (versions up to and including 1.3.23). Root cause: missing input validation on the render function enables Twig Server-Side Template Injection. Impact: authenticated attackers with Contributor-level access and above can exec...

CVSS 9.9 | AI score 9.6 | EPSS 0.1192
Exploits 0 | References 3

CVE
added 2024/12/27 4:3 p.m. | 232 views

CVE-2024-12856

CVE-2024-12856 affects Four-Faith router models F3x24 and F3x36. The OS command-injection vulnerability exists in the adjust_sys_time functionality exposed via /apply.cgi, allowing an authenticated user to modify system time and execute arbitrary OS commands over HTTP. In firmware v2.0, default c...

CVSS 7.2 | AI score 8.5 | EPSS 0.77309
In wild | Exploits 4 | References 3 | Affected Software 1

CVE
added 2024/12/24 5:23 a.m. | 41 views

CVE-2024-11885

CVE-2024-11885 affects NinjaTeam Chat for Telegram plugin for WordPress. It is a stored cross-site scripting (XSS) in the njtele_button shortcode caused by insufficient input sanitization and output escaping of user-supplied attributes. Exploitation requires authenticated access at Contributor le...

CVSS 6.4 | AI score 5.8 | EPSS 0.00218
Exploits 0 | References 2

Zero Science Lab
added 2024/12/24 12:0 a.m. | 481 views

ABB Cylon Aspect 3.08.02 (WatchDogServlet) Authenticated Reflected XSS

Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description: The ABB BMS/BAS controller suffers from an authenticated reflected...

CVSS 9.3 | AI score 7.5 | EPSS 0.03552
Exploits 7

Cvelist
added 2024/12/20 6:59 a.m. | 17 views

CVE-2024-11774 Outdooractive Embed <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Outdooractive Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list2go' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | EPSS 0.00201
Exploits 0 | References 2

Vulnrichment
added 2024/12/20 6:59 a.m. | 9 views

CVE-2024-11783 Financial Calculator <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Financial Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'financecalculator' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 | AI score 5.8 | EPSS 0.00201
Exploits 0 | References 2

CVE
added 2024/12/20 2:24 a.m. | 42 views

CVE-2024-11776

CVE-2024-11776 affects the PCRecruiter Extensions plugin for WordPress. It is a Stored XSS vulnerability in the plugin’s PCRecruiter shortcode, exploitable by authenticated users with contributor-level access or higher, due to insufficient input sanitization and output escaping in versions up to ...

CVSS 6.4 | AI score 7.4 | EPSS 0.0031
Exploits 0 | References 2

CVE
added 2024/12/18 2:8 a.m. | 38 views

CVE-2024-11439

CVE-2024-11439: The ScanCircle WordPress plugin is vulnerable to a stored XSS via the plugin’s scancircle shortcode in all versions up to and including 2.9.2. Exploitation requires authentication at Contributor level or higher, and scripts injected by an attacker could execute in pages viewed by...

CVSS 6.4 | AI score 5.7 | EPSS 0.00233
Exploits 0 | References 4

OSV
added 2024/12/16 7:16 a.m. | 11 views

BIT-MATTERMOST-2024-1952

Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of...

CVSS 4.3 | AI score 4 | EPSS 0.00263
Exploits 0 | References 2

Vulnrichment
added 2024/12/14 4:23 a.m. | 6 views

CVE-2024-12517 WooCommerce Cart Count Shortcode <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WooCommerce Cart Count Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cartbutton' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVSS 6.4 | AI score 5.8 | EPSS 0.00201
Exploits 0 | References 2

Vulnrichment
added 2024/12/14 4:23 a.m. | 7 views

CVE-2024-11879

...

AI score 7.2
Exploits 0

CVE
added 2024/12/13 8:24 a.m. | 41 views

CVE-2024-12465

CVE-2024-12465 (Property Hive Stamp Duty Calculator for WordPress) is a stored XSS flaw in the stamp_duty_calculator_scotland shortcode present in all versions up to 1.0.22. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes, ena...

CVSS 6.4 | AI score 5.7 | EPSS 0.00196
Exploits 0 | References 2