Lucene search

3479 matches found

Vulnrichment
added 2024/11/28 6:0 a.m., 11 views

CVE-2024-10510 adBuddy+ (AdBlocker Detection) by NetfunkDesign <= 1.1.3 - Admin+ Stored XSS

The adBuddy+ AdBlocker Detection by NetfunkDesign WordPress plugin through 1.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example...

4.7 AI score, 0.00369 EPSS
Exploits 1, References 1

Cvelist
added 2024/11/26 6:0 a.m., 14 views

CVE-2024-10471 Everest Forms < 3.0.4.2 - Admin+ Stored XSS

The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

0.00369 EPSS
Exploits 1, References 1

OSV
added 2024/11/25 6:15 a.m., 4 views

CVE-2024-7056

The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

3.5 CVSS, 7.3 AI score, 0.00455 EPSS
Exploits 1, References 1

OSV
added 2024/11/25 6:15 a.m., 4 views

CVE-2024-6393

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example i...

4.8 CVSS, 7.3 AI score, 0.00455 EPSS
Exploits 1, References 1

NVD
added 2024/11/25 6:15 a.m., 23 views

CVE-2024-6393

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example i...

4.8 CVSS, 0.00455 EPSS
Exploits 1, References 1

OSV
added 2024/11/25 6:15 a.m., 2 views

CVE-2024-10710

The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

3.5 CVSS, 5.8 AI score
Exploits 0, References 1

NVD
added 2024/11/25 6:15 a.m., 19 views

CVE-2024-10710

The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

3.5 CVSS, 0.00387 EPSS
Exploits 1, References 1

Cvelist
added 2024/11/25 6:0 a.m., 40 views

CVE-2024-7056 WPForms < 1.9.1.6 - Admin+ Stored XSS

The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

0.00455 EPSS
Exploits 1, References 1

CVE
added 2024/11/25 6:0 a.m., 121 views

CVE-2024-7056

CVE-2024-7056 affects WPForms for WordPress (pre-1.9.1.6). The issue is caused by insufficient sanitization/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., Administrator) even when unfiltered_html is disabled (such as in multisite setups). The Red Hat and CVE lists...

3.5 CVSS, 4.7 AI score, 0.00455 EPSS
Exploits 1, References 1, Affected Software 1

Cvelist
added 2024/11/25 6:0 a.m., 19 views

CVE-2024-6393 NextGEN Gallery < 3.59.5 - Admin+ Stored XSS

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example i...

0.00455 EPSS
Exploits 1, References 1

Vulnrichment
added 2024/11/25 6:0 a.m., 13 views

CVE-2024-6393 NextGEN Gallery < 3.59.5 - Admin+ Stored XSS

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example i...

5.7 AI score, 0.00455 EPSS
Exploits 1, References 1

CVE
added 2024/11/25 6:0 a.m., 61 views

CVE-2024-6393

CVE-2024-6393 affects the WordPress plugin NextGEN Gallery (Photo Gallery, Sliders, Proofing and Themes). The issue is a lack of sanitization/escaping in the plugin’s Images settings, enabling stored XSS by high-privilege users (e.g., Administrators) even if unfiltered_html is disallowed. Affecte...

4.8 CVSS, 4.7 AI score, 0.00455 EPSS
Exploits 1, References 1, Affected Software 1

Vulnrichment
added 2024/11/25 6:0 a.m., 14 views

CVE-2024-10710 YaDisk Files <= 1.2.5 - Admin+ Stored XSS

The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

3.8 AI score, 0.00387 EPSS
Exploits 1, References 1

CVE
added 2024/11/25 6:0 a.m., 62 views

CVE-2024-10710

CVE-2024-10710 (YaDisk Files WordPress plugin) affects YaDisk Files up to version 1.2.5. The Red Hat and other sources confirm the issue: the plugin does not sanitise/escape certain settings, enabling Stored XSS by high-privilege users (admin) even when unfiltered_html is disallowed. Technical de...

3.5 CVSS, 3.4 AI score, 0.00387 EPSS
Exploits 1, References 1, Affected Software 1

Positive Technologies
added 2024/11/25 12:0 a.m., 6 views

PT-2024-38048

Name of the Vulnerable Software and Affected Versions: WPForms versions prior to 1.9.1.6. Description: The issue allows high privilege users, such as Admin, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in multisite setups. This i...

3.5 CVSS, 6.5 AI score, 0.00455 EPSS
Exploits 1, References 6

NVD
added 2024/11/21 11:15 a.m., 26 views

CVE-2024-9768

The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

4.8 CVSS, 0.00418 EPSS
Exploits 1, References 1

CVE
added 2024/11/21 6:0 a.m., 56 views

CVE-2024-9768

Formidable Forms WordPress plugin prior to version 6.14.1 is affected: it does not sanitize/escape certain settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisite). Impact is a stored XSS vector within plugin settings; rem...

4.8 CVSS, 4.7 AI score, 0.00418 EPSS
Exploits 1, References 1, Affected Software 1

Cvelist
added 2024/11/21 6:0 a.m., 27 views

CVE-2024-9768 Formidable Forms < 6.14.1 - Admin+ Stored XSS

The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

0.00418 EPSS
Exploits 1, References 1

Patchstack
added 2024/11/14 4:37 p.m., 11 views

WordPress Really Simple Security Pro multisite Plugin 9.0.0-9.1.1.1 - Account Takeover vulnerability

Account Takeover vulnerability discovered by István Márton in WordPress Plugin Really Simple Security Pro multisite versions 9.0.0-9.1.1.1...

9.8 CVSS, 7 AI score, 0.81722 EPSS
Exploits 21, References 1, Affected Software 1

OSV
added 2024/11/13 2:15 a.m., 2 views

CVE-2024-10038

The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

6.1 CVSS, 5.9 AI score, 0.00345 EPSS
Exploits 0, References 2