3475 matches found

WPVulnDB · added 2024/05/08 12:00 a.m. · 15 views

Gianism <= 5.1.0 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: 1. Go to...

AI score 5.4 · EPSS 0.00372
Exploits: 2

WPVulnDB · added 2024/05/08 12:00 a.m. · 12 views

Playlist for Youtube <= 1.32 - Editor+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: 1. Go to...

AI score 5.4 · EPSS 0.00332
Exploits: 2

OSV · added 2024/05/06 6:15 a.m. · 3 views

CVE-2024-3755

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 5.4 · AI score 5.8 · EPSS 0.00425
Exploits: 2 · References: 1

NVD · added 2024/05/06 6:15 a.m. · 24 views

CVE-2024-3755

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 5.4 · AI score 5.4 · EPSS 0.00425
Exploits: 2 · References: 1

OSV · added 2024/05/06 6:15 a.m. · 3 views

CVE-2024-0904

The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 5.9 · AI score 5.8 · EPSS 0.00584
Exploits: 2 · References: 1

Cvelist · added 2024/05/06 6:00 a.m. · 23 views

CVE-2024-3752 Crelly Slider <= 1.4.5 - Admin+ Stored XSS

The Crelly Slider WordPress plugin through 1.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.5 · EPSS 0.00425
Exploits: 2 · References: 1

Vulnrichment · added 2024/05/06 6:00 a.m. · 19 views

CVE-2024-3752 Crelly Slider <= 1.4.5 - Admin+ Stored XSS

The Crelly Slider WordPress plugin through 1.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.6 · EPSS 0.00425
Exploits: 2 · References: 1

CVE · added 2024/05/06 6:00 a.m. · 57 views

CVE-2024-3755

CVE-2024-3755 affects MF Gig Calendar for WordPress up to version 1.2.1. The root cause is that the plugin does not sanitize/escape certain settings, enabling a stored XSS when a high-privilege user (e.g., Editor) interacts with the plugin, even if unfiltered_html is disallowed (such as in multis...

CVSS 5.4 · AI score 5.6 · EPSS 0.00425
Exploits: 2 · References: 1 · Affected Software: 1

Cvelist · added 2024/05/06 6:00 a.m. · 31 views

CVE-2024-3755 MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.5 · EPSS 0.00425
Exploits: 2 · References: 1

CVE · added 2024/05/06 6:00 a.m. · 76 views

CVE-2024-0904

CVE-2024-0904 affects Fancy Product Designer (WordPress plugin) versions prior to 6.1.81. The issue is due to incomplete sanitization/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (e.g., multisite). Reported impact...

CVSS 5.9 · AI score 5.6 · EPSS 0.00584
Exploits: 2 · References: 1 · Affected Software: 1

Cvelist · added 2024/05/06 6:00 a.m. · 22 views

CVE-2024-0904 Fancy Product Designer < 6.1.81 - Admin+ Cross Site Scripting

The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.5 · EPSS 0.00584
Exploits: 2 · References: 1

Vulnrichment · added 2024/05/06 6:00 a.m. · 15 views

CVE-2024-3755 MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.6 · EPSS 0.00425
Exploits: 2 · References: 1

NVD · added 2024/05/03 6:15 a.m. · 16 views

CVE-2024-3637

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...

CVSS 6.1 · AI score 5.4 · EPSS 0.00472
Exploits: 2 · References: 1

Cvelist · added 2024/05/03 6:00 a.m. · 31 views

CVE-2024-3637 Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Admin+ Stored XSS

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...

AI score 5.5 · EPSS 0.00472
Exploits: 2 · References: 1

OSV · added 2024/05/02 5:15 p.m. · 2 views

CVE-2024-2958

The SVS Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via pricing table settings in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

CVSS 4.8 · AI score 5.9 · EPSS 0.00334
Exploits: 0 · References: 2

WPVulnDB · added 2024/05/02 12:00 a.m. · 27 views

Button contact VR <= 4.7 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: Click on the "Button contact" and...

AI score 5.4 · EPSS 0.0033
Exploits: 2 · References: 1

Positive Technologies · added 2024/05/02 12:00 a.m. · 2 views

PT-2024-22957 · WordPress · Wp Front User Submit / Front Editor

Name of the Vulnerable Software and Affected Versions: WP Front User Submit / Front Editor plugin for WordPress versions up to, and including, 4.4.1. Description: The issue is related to Stored Cross-Site Scripting via form settings due to insufficient input sanitization and output escaping. This...

CVSS 4.4 · AI score 5.8 · EPSS 0.00462
Exploits: 0 · References: 4

Positive Technologies · added 2024/05/02 12:00 a.m. · 2 views

PT-2024-20231 · WordPress · Admin Page Spider

Name of the Vulnerable Software and Affected Versions: Admin Page Spider plugin for WordPress versions up to, and including, 3.20. Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticat...

CVSS 4.4 · AI score 5.9 · EPSS 0.00436
Exploits: 0 · References: 4

Positive Technologies · added 2024/05/02 12:00 a.m. · 4 views

PT-2024-29106 · WordPress · Tabellen Von Faustball.Com

Name of the Vulnerable Software and Affected Versions: The Tabellen von faustball.com plugin for WordPress versions up to, and including, 2.0.4. Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allo...

CVSS 4.4 · AI score 5.8 · EPSS 0.00406
Exploits: 0 · References: 4

WPVulnDB · added 2024/05/01 12:00 a.m. · 12 views

IDonate <= 1.9.0 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: 1. Navigate to...

AI score 4.9 · EPSS 0.00518
Exploits: 2 · References: 1