11 matches found
CVE-2024-9886 WP Baidu Map <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidumap' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-9704 Social Sharing (by Danny) <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Social Sharing by Danny plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dvksocialsharing' shortcode in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...
CVE-2024-6879 Quiz and Survey Master (QSM) < 9.1.1 - Contributor+ Stored XSS
The Quiz and Survey Master QSM WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allows contributor and above roles to perform Stored Cross-Site Scripting XSS attacks...
CVE-2024-1219 Easy Social Feed < 6.5.6 - Contributor+ Stored XSS
The Easy Social Feed WordPress plugin before 6.5.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...
CVE-2024-31121
Contributor Cross Site Scripting XSS in HeartThis = 0.1.0 versions...
CVE-2024-31121
CVE-2024-31121 is a Cross-Site Scripting (XSS) vulnerability in the HeartThis WordPress plugin, affecting version
CVE-2022-4115 Editorial Calendar < 3.8.3 - Contributor+ Stored XSS
The Editorial Calendar WordPress plugin before 3.8.3 does not sanitise and escape its settings, allowing users with roles as low as contributor to inject arbitrary web scripts in the plugin admin panel, enabling a Stored Cross-Site Scripting vulnerability targeting higher privileged users...
CVE-2022-4832 Store Locator WordPress < 1.4.9 - Contributor+ Stored XSS via Shortcode
The Store Locator WordPress plugin before 1.4.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privileg...
CVE-2022-4484 Super Socializer < 7.13.44 - Contributor+ Stored XSS
The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.44 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Get Custom Field Values < 4.0.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks PoC As a contributor, create a custom field in a post, with the following payload: Then add the following shortcode to the...
GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. PoC Add the following code in a post/page while in code editor mode with an Contributor account: Then view/previe...