2673 matches found
WordPress Grey Opaque theme <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Download-Button Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Download-Button Shortcode vulnerability discovered by Francesco Carlucci in WordPress Theme Grey Opaque versions <= 2.0.1...
CVE-2024-5965
The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-5966
The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2024-5965 Mosaic <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode
The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-5966 Grey Opaque <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Download-Button Shortcode
The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
WordPress Empty Cart Button for WooCommerce plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by LVT-tholv2k (Patchstack Alliance) in WordPress Plugin Empty Cart Button for WooCommerce versions <= 1.4.1...
CVE-2024-5447
The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowe...
WordPress Empty Cart Button for WooCommerce Plugin <= 1.4.1 is vulnerable to Cross Site Scripting (XSS)
Software: Empty Cart Button for WooCommerce; Type: Plugin; Vulnerable versions: <= 1.4.1; Fixed in: 1.4.2; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-37217; Patch priority: Low; CVSS severity: Low (6.5); PSID: b607245d91ba; Credits: LVT-tholv2k; Required...
SUSE CVE-2024-5689
In addition to detecting when a user was taking a screenshot XXX, a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that could be used for phishing. This vulnerability affects Firefox 127...
CVE-2024-3925
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Creative Button widget in all versions up to, and including, 5.6.7 due to insufficient input sanitization an...
CVE-2024-5691
By tricking the browser with an X-Frame-Options header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12...
UBUNTU-CVE-2024-5689
In addition to detecting when a user was taking a screenshot XXX, a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that could be used for phishing. This vulnerability affects Firefox 127...
UBUNTU-CVE-2024-5691
By tricking the browser with an X-Frame-Options header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12...
CVE-2024-5645
The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_css_id’ parameter within the Button widget in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...
CVE-2024-5645
The CVE-2024-5645 issue affects the Envo Extra WordPress plugin and is a Stored XSS in the Button widget via the button_css_id parameter in all versions up to 1.8.23. An authenticated attacker with Contributor+ rights can inject scripts that execute when pages are viewed. Public advisories indica...
CVE-2024-5645 Envo Extra <= 1.8.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_css_id’ parameter within the Button widget in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...
WordPress Envo Extra plugin <= 1.8.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget vulnerability discovered by wesley (wcraft) in WordPress Plugin Envo Extra versions <= 1.8.23...
CVE-2024-4364
The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button widgets in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
PT-2024-36719 · WordPress · Essential Addons For Elementor
Name of the Vulnerable Software and Affected Versions: The Essential Addons for Elementor Pro plugin for WordPress versions up to, and including, 5.8.15. Description: The issue is related to Stored Cross-Site Scripting via the eael_lightbox_open_btn_icon parameter within the Lightbox & Modal widge...