CVE-2024-13850

The Simple add pages or posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject...

PT-2025-6018 · WordPress · Simple Add Pages/Posts

Name of the Vulnerable Software and Affected Versions: Simple Add Pages or Posts plugin for WordPress versions up to, and including, 2.0.0 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attacke...

CVE-2024-7492

The MainWP Child Reports plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the networkoptionsaction function. This makes it possible for unauthenticated attackers to update arbitrary...

CVE-2024-12152

The MIPL WC Multisite Sync plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.5 via the 'miplwcsyncdownloadlog' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain...

CVE-2024-38673

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Obtain Infotech Multisite Content Copier/Updater allows Reflected XSS.This issue affects Multisite Content Copier/Updater: from n/a through 1.5.0...

CVE-2024-12872 Zalomení <= 1.5 - Admin+ Stored XSS

The Zalomení WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-12807

The Social Share Buttons for WordPress plugin through 2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2025-2013 · Unknown · Crelly Slider

Name of the Vulnerable Software and Affected Versions: Crelly Slider versions prior to 1.4.7 Description: The issue arises from the plugin not sanitizing and escaping some of its settings, potentially allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting...

CVE-2024-13505

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ayssections5questions8title’ parameter in all versions up to, and including, 5.1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

PT-2025-2195 · WordPress · Survey Maker

Name of the Vulnerable Software and Affected Versions: Survey Maker plugin for WordPress versions up to, and including, 5.1.3.3 Description: The issue is related to Stored Cross-Site Scripting via the ays sections5questions8title parameter due to insufficient input sanitization and output escapin...

CVE-2024-13450

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.17.4 via the Webhooks integration. This makes it possible for...

CVE-2024-13450

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.17.4 via the Webhooks integration. This makes it possible for...

CVE-2024-13450 Contact Form by Bit Form <= 2.17.4 - Authenticated (Administrator+) Server-Side Request Forgery

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.17.4 via the Webhooks integration. This makes it possible for...

CVE-2024-13450

CVE-2024-13450 refers to the WordPress plugin “Contact Form by Bit Form” (versions ≤ 2.17.4). The issue is an authenticated SSRF via the Webhooks integration, allowing an attacker with Administrator-level access (and in multisite) to trigger web requests from the application to arbitrary internal...

CVE-2024-13517

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-12567

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-12566

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-12568

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example...

CVE-2024-12568

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example...

CVE-2024-12717

The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...