CVE-2024-12152

CVE-2024-12152 concerns the MIPL WC Multisite Sync WordPress plugin. The Wordfence entry confirms a directory traversal vulnerability that affects all versions up to 1.1.5 via the mipl_wc_sync_download_log action, enabling unauthenticated reading of arbitrary server files containing potentially s...

CVE-2024-9638

The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-10562 Form Maker by 10Web < 1.15.31 - Admin+ Stored XSS

The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2025-3730 · WordPress · Category Posts Widget

Name of the Vulnerable Software and Affected Versions: Category Posts Widget WordPress plugin versions prior to 4.9.18 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is...

PT-2025-1780 · WordPress · Toggles Shortcode/Widget

Name of the Vulnerable Software and Affected Versions: Toggles Shortcode and Widget plugin for WordPress versions up to, and including, 1.14 Description: The issue is related to stored cross-site scripting due to insufficient input sanitization and output escaping through the content parameter...

WordPress plugin MIPL WC Multisite Sync 路径遍历漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A path traversal...

CVE-2024-11849 Pods – Custom Content Types and Fields < 3.2.8.1 - Admin+ Stored XSS

The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-11645

The float block WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-11605

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2024-10903

The Broken Link Checker WordPress plugin before 2.4.2 does not validate a the link URLs before making a request to them, which could allow admin users to perform SSRF attack, for example on a multisite installation...

CVE-2024-10903

The Broken Link Checker WordPress plugin before 2.4.2 does not validate a the link URLs before making a request to them, which could allow admin users to perform SSRF attack, for example on a multisite installation...

PT-2024-16634 · WordPress · Broken Link Checker

Name of the Vulnerable Software and Affected Versions: Broken Link Checker WordPress plugin versions prior to 2.4.2 Description: The issue arises from the plugin's failure to validate link URLs before making requests to them. This could allow admin users to perform Server-Side Request Forgery SSR...

CVE-2024-8968

The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisit...

CVE-2024-10706

The Download Manager WordPress plugin before 3.3.03 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2024-16364 · WordPress · Maxbuttons

Name of the Vulnerable Software and Affected Versions: MaxButtons WordPress plugin versions prior to 9.8.1 Description: The issue is related to the MaxButtons WordPress plugin, which does not properly sanitise and escape some of its settings. This could allow high-privilege users, such as...

CVE-2024-12581

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-10939

The Image Widget WordPress plugin before 4.4.11 does not sanitise and escape some of its Image Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-10939

CVE-2024-10939 affects the Image Widget WordPress plugin prior to 4.4.11. The flaw is improper sanitization/escaping of certain Image Widget settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisite setups). Red Hat, NVD/NIS...

CVE-2024-9428

The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-10517

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripti...