CVE-2024-2907

The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-2907

CVE-2024-2907 affects the AGCA – Custom Dashboard & Login Page WordPress plugin before version 7.2.2. The flaw stems from insufficient sanitisation/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., administrators) even when unfiltered_html is disallowed (such as in ...

PT-2024-24743 · WordPress · Advanced Search

Name of the Vulnerable Software and Affected Versions: Advanced Search WordPress plugin versions 1.1.6 and earlier Description: The issue allows users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configuration due to improper escaping of...

CVE-2024-2972

The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attac...

CVE-2023-7253

The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations...

CVE-2023-7253

The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations...

CVE-2024-2402 Better Comments < 1.5.6 - Admin+ Stored XSS

The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-7253 Import WP < 2.13.1 - Admin+ Server-side Request Forgery

The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations...

CVE-2023-7253 Import WP < 2.13.1 - Admin+ Server-side Request Forgery

The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations...

CVE-2023-7253

The CVE-2023-7253 entry concerns the Import WP WordPress plugin prior to version 2.13.1, where users with the Administrator role can trigger server-side requests (SSRF), with potential impact in multisite deployments. Root cause described across connected records is inadequate prevention of ping-...

HL Twitter <= 2014.1.18 - Admin+ Stored XSS via Widget

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. In the widget area, add the...

PT-2024-20238 · WordPress · Better Comments

Name of the Vulnerable Software and Affected Versions: Better Comments WordPress plugin versions prior to 1.5.6 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, ...

PT-2024-15253 · WordPress · Import Wp

Name of the Vulnerable Software and Affected Versions: Import WP WordPress plugin versions prior to 2.13.1 Description: The issue allows users with the administrator role to conduct SSRF attacks, which may be a problem in multisite configurations. This is due to the lack of prevention of pinging ...

Save as PDF < 3.2.0 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. On the "Settings Save as PDF...

CVE-2024-2118

The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for...

CVE-2024-2118

The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for...

CVE-2024-2309

Summary of CVE-2024-2309 : The WP STAGING WordPress Backup Plugin (versions prior to 3.4.0) and the wp-staging-pro WordPress plugin (prior to 5.4.0) fail to sanitize and escape certain settings. This can allow high-privilege users (e.g., administrators) to perform Stored Cross-Site Scripting even...

CVE-2024-2118 Social Media Share Buttons < 2.8.9 - Admin+ Stored XSS via settings

The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for...

CVE-2024-1754

The NPS computy WordPress plugin through 2.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-1754

The NPS computy WordPress plugin through 2.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...