10 matches found
CVE-2024-2430
The Website Content in Page or Post WordPress plugin before 2024.04.09 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...
EUVD-2012-4356
Malware in sbrugna...
EUVD-2021-11610
Malware in sbrugna...
CVE-2024-1204
The Meta Box WordPress plugin before 5.9.4 does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts...
CVE-2021-24819
The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as...
CVE-2025-3471 SureForms < 1.4.4 - Contributor+ Settings Update
The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action...
CVE-2024-12708
CVE-2024-12708 affects Bulk Me Now! WordPress plugin (versions up to 2.0). It reports stored XSS via shortcode attributes not properly validated/escaped before output in posts/pages. This could enable contributors and above to store and trigger XSS. Public patch status is not clearly documented i...
PT-2024-17414 · WordPress · Meta Box
Name of the Vulnerable Software and Affected Versions: Meta Box WordPress plugin versions prior to 5.9.4 Description: The issue allows users with at least the contributor role to access arbitrary custom fields assigned to other user's posts. Recommendations: For versions prior to 5.9.4, update to...
CVE-2023-0419 Shortcode for Font Awesome < 1.4.1 - Contributor+ Stored XSS
The Shortcode for Font Awesome WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
CVE-2023-0095 Page View Count < 2.6.1 - Contributor+ Stored XSS
The Page View Count WordPress plugin before 2.6.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...