CVE-2024-0662

The FancyBox for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions 3.0.2 to 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above...

CVE-2024-0598

The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form message settings in all versions up to and including 3.2.17 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-1664

The Responsive Gallery Grid WordPress plugin before 2.3.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-1664 Responsive Gallery Grid < 2.3.11 - Admin+ Stored XSS

The Responsive Gallery Grid WordPress plugin before 2.3.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2024-15728 · WordPress · Fancybox

Name of the Vulnerable Software and Affected Versions: FancyBox for WordPress versions 3.0.2 through 3.3.3 Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with...

CVE-2024-1588

The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-1588

The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-1589 SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Form Settings

The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-1588 SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Settings

The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-1589 SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Form Settings

The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Remote Code Execution

WordPress is vulnerable to Remote Code Execution RCE. The vulnerability is due to a defect in the Plugins - Add New - Upload plugin functionality where uploaded file other than a zip file remains temporary available in the Media Library despite being not allowed during FTP upload when that file i...

PT-2024-18243 · WordPress · Carousel Slider

Name of the Vulnerable Software and Affected Versions: Carousel Slider WordPress plugin versions prior to 2.2.7 Description: The Carousel Slider WordPress plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site...

BIT-WORDPRESS-2024-31210 PHP file upload bypass via Plugin installer

WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins - Add New - Upload Plugin screen in WordPress. If FTP credentials are requested for installation in order to move...

CVE-2024-2296

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.8.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

PT-2024-19630 · 10Web · The Photo Gallery

Name of the Vulnerable Software and Affected Versions: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress versions up to, and including, 1.8.21 Description: The issue is related to Stored Cross-Site Scripting via SVG file uploads due to insufficient input sanitization...

WP Google Review Slider < 13.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "WP Google Reviews...

PT-2024-21423 · Icegram Express · Email Subscribers

Name of the Vulnerable Software and Affected Versions: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress versions up to, and including, 5.7.14 Description: The issue is related to Stored Cross-Site Scripting via a CSV...

DEBIAN-CVE-2024-31210

WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins - Add New - Upload Plugin screen in WordPress. If FTP credentials are requested for installation in order to move...

CVE-2024-31210

WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins - Add New - Upload Plugin screen in WordPress. If FTP credentials are requested for installation in order to move...

CVE-2024-31210 PHP file upload bypass via Plugin installer

WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins - Add New - Upload Plugin screen in WordPress. If FTP credentials are requested for installation in order to move...