CVE-2024-13610

The Simple Social Media Share Buttons WordPress plugin before 6.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2024-13207 Widget for Social Page Feeds < 6.4.2 - Admin+ Stored XSS

The Widget for Social Page Feeds WordPress plugin before 6.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setu...

CVE-2024-12682

The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-12683

The CVE-2024-12683 issue affects the WordPress plugin Smart Maintenance Mode (affected versions before 1.5.2). The root cause is inadequate sanitisation/escaping of certain settings, which could allow stored Cross-Site Scripting (XSS) by high-privilege users (e.g., admins), even when unfiltered_h...

CVE-2024-13122

The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-11272

The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed fo...

CVE-2024-10703

The Registrations for the Events Calendar WordPress plugin before 2.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2025-1452

The CVE-2025-1452 entry concerns the Favorites WordPress plugin (versions prior to 2.3.5). The issue is that certain settings are not properly sanitized/escaped, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (including multisite setups). Connec...

CVE-2024-13122

The CVE-2024-13122 entry describes an issue in the AFI WordPress plugin prior to version 1.100.0 where some settings are not properly sanitised/escaped. This enables stored Cross-Site Scripting by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (including multisite con...

CVE-2024-13122 AFI < 1.100.0 - Admin+ Stored XSS

The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-13123

The AFI WordPress plugin (versions prior to 1.100.0) is affected. Affected component: plugin settings sanitisation/escaping path in AFI before 1.100.0. Root cause: certain settings are not properly sanitised and escaped, enabling Stored Cross-Site Scripting (Stored XSS) by high-privilege users (e...

CVE-2024-13123 AFI < 1.100.0 - Admin+ Stored XSS

The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-10679 Quiz and Survey Master (QSM) < 9.2.1 - Author+ Stored XSS

The Quiz and Survey Master QSM WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-10560

CVE-2024-10560 affects the WordPress plugin Form Maker by 10Web, specifically versions before 1.15.30. The issue is a failure to sanitize/escape certain settings, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisite setups). The ...

CVE-2024-10472

The CVE-2024-10472 affects the WordPress plugin Stylish Price List, prior to version 7.1.12. The issue arises because the plugin does not adequately sanitize and escape certain settings, enabling Stored Cross-Site Scripting (Stored XSS) by high-privilege users (e.g., contributors), even when unfi...

CVE-2024-10105

The CVE-2024-10105 issue affects the WordPress Job Postings plugin (versions prior to 2.7.11). The root cause is inadequate sanitisation and escaping of certain plugin settings, enabling Stored XSS by high-privilege users (e.g., contributors) even when unfiltered_html is disallowed, including mul...

CVE-2025-1203

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example ...

CVE-2025-1619

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2025-1623

CVE-2025-1623 affects the GDPR Cookie Compliance WordPress plugin

CVE-2025-1621 GDPR Cookie Compliance < 4.15.7 - Admin+ Stored XSS

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...