CVE-2024-4061 Survey Maker < 4.2.9 - Admin+ Stored XSS via Plugin Settings

The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-4290 Sailthru Triggermail <= 1.1 - Admin+ Stored XSS

The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-4061 Survey Maker < 4.2.9 - Admin+ Stored XSS via Plugin Settings

The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-2189 Social Icons Widget & Block < 4.2.18 - Admin+ Stored XSS

The Social Icons Widget & Block by WPZOOM WordPress plugin before 4.2.18 does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example ...

PT-2024-28942 · WordPress · Survey Maker

Name of the Vulnerable Software and Affected Versions: The Survey Maker WordPress plugin versions prior to 4.2.9 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example,...

CVE-2024-3580

The Popup4Phone WordPress plugin through 1.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-3580 Popup4Phone <= 1.3.2 - Editor+ Stored XSS

The Popup4Phone WordPress plugin through 1.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-3580

Popup4Phone WordPress plugin versions

ArForms < 6.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add or edit an existing form an...

CVE-2024-3644

The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-3644 Newsletter Popup <= 1.2 - Admin+ Stored XSS

The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-3634

The month name translation benaceur WordPress plugin before 2.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2024-3634

CVE-2024-3634 affects the WordPress plugin month name translation benaceur, prior to version 2.3.8. The issue arises from insufficient sanitization/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., Administrators), even when unfiltered_html is disallowed (e.g., mult...

CVE-2024-3634 month name translation benaceur < 2.3.8 - Admin+ Stored XSS

The month name translation benaceur WordPress plugin before 2.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2024-3630 HL Twitter <= 2014.1.18 - Admin+ Stored XSS via Widget

The HL Twitter WordPress plugin through 2014.1.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-4445

The WP Compress – Image Optimizer All-In-One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level...

CVE-2024-4445

The WP Compress – Image Optimizer All-In-One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level...

CVE-2024-3068

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cfsfieldsname' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2023-5971

The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite se...

CVE-2024-4445 WP Compress – Image Optimizer [All-In-One] <= 6.20.01 - Missing Authorization

The WP Compress – Image Optimizer All-In-One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level...