CVE-2024-6393 NextGEN Gallery < 3.59.5 - Admin+ Stored XSS

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example i...

CVE-2024-10710

CVE-2024-10710 (YaDisk Files WordPress plugin) affects YaDisk Files up to version 1.2.5. The Red Hat and other sources confirm the issue: the plugin does not sanitise/escape certain settings, enabling Stored XSS by high-privilege users (admin) even when unfiltered_html is disallowed. Technical de...

PT-2024-38048

Name of the Vulnerable Software and Affected Versions WPForms versions prior to 1.9.1.6 Description The issue allows high privilege users, such as Admin, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This i...

CVE-2024-9768

The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-10027

The WP Booking Calendar WordPress plugin before 10.6.3 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setu...

CVE-2024-9883 Pods < 3.2.7.1 - Admin+ Stored XSS

The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-5968 Photo Gallery by 10Web <= 1.8.27 - Admin+ Stored XSS

The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-8283 Slider by 10Web < 1.2.59 - Admin+ Stored XSS

The Slider by 10Web WordPress plugin before 1.2.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-3635 The Post Grid < 7.5.0 - Editor+ Stored XSS via Grid Creation

The Post Grid WordPress plugin before 7.5.0 does not sanitise and escape some of its Grid settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-8758

CVE-2024-8758 affects the Quiz and Survey Master (QSM) WordPress plugin prior to version 9.1.3. The issue is stored XSS caused by insufficient sanitization/escaping of settings, potentially allowing high-privilege users (e.g., admins) to inject scripts even when unfiltered_html is disallowed (e.g...

CVE-2024-8758 Quiz and Survey Master (QSM) < 9.1.3 - Author+ Stored XSS

The Quiz and Survey Master QSM WordPress plugin before 9.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-5170 Logo Manager For Enamad <= 0.7.1 - Admin+ Stored XSS via Widget

The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-5170 Logo Manager For Enamad <= 0.7.1 - Admin+ Stored XSS via Widget

The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-6617 NinjaTeam Header Footer Custom Code <= 1.2 - Admin+ Stored XSS via CSS Styles

The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2024-6887 Giveaways and Contests by RafflePress < 1.12.16 - Editor+ Stored XSS

The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallow...

CVE-2024-7716

The Logo Slider WordPress plugin before 3.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-7716

The Logo Slider WordPress plugin before 3.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-7918

The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-5561 Popup Maker < 1.19.1 - Admin+ Stored XSS

The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-6722

The Chatbot Support AI: Free ChatGPT Chatbot, Woocommerce Chatbot WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is...