3482 matches found

Vulnrichment
added 2024/05/14 5:32 a.m. · 14 views

CVE-2024-4445 WP Compress – Image Optimizer [All-In-One] <= 6.20.01 - Missing Authorization

The WP Compress – Image Optimizer All-In-One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level...

CVSS 6.5 · AI score 6.4 · EPSS 0.00343
Exploits 0 · References 3
CVE
added 2024/05/14 5:32 a.m. · 54 views

CVE-2024-4445

The CVE-2024-4445 entry concerns WP Compress – Image Optimizer (All-In-One) for WordPress. A missing capability check on several functions in versions up to 6.20.01 allows authenticated attackers with subscriber-level permissions and above to modify data, including plugin settings, and store cros...

CVSS 6.5 · AI score 6.2 · EPSS 0.00343
Exploits 0 · References 3 · Affected Software 1
Positive Technologies
added 2024/05/14 12:00 a.m. · 6 views

PT-2024-31156 · WordPress · WP Compress – Image Optimizer [All-In-One]

Name of the Vulnerable Software and Affected Versions: WP Compress – Image Optimizer All-In-One versions up to, and including, 6.20.01. Description: The issue allows authenticated attackers with subscriber-level permissions and above to modify data, including editing plugin settings and storing...

CVSS 6.5 · AI score 6.5 · EPSS 0.00343
Exploits 0 · References 5
WPVulnDB
added 2024/05/13 12:00 a.m. · 13 views

WP Compress – Image Optimizer [All-In-One] < 6.20.02 - Missing Authorization

Description: The WP Compress – Image Optimizer All-In-One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with...

CVSS 6.5 · AI score 6.3 · EPSS 0.00343
Exploits 0 · References 1 · Affected Software 1
WPVulnDB
added 2024/05/10 12:00 a.m. · 13 views

Migration Backup Restore < 3.5.0 - Admin+ SSRF

Description: The plugin does not prevent users with the administrator role from conducting SSRF attacks (pinging arbitrary hosts), which may be a problem in multisite configurations. PoC: 1. Click on "Upload Backup" and add http://127.0.0.1:XXX/123.wpstg - "Upload". If the port is open it will return an error "Not...

AI score 9.3 · EPSS 0.00591
Exploits 2 · References 1 · Affected Software 1
Positive Technologies
added 2024/05/09 12:00 a.m. · 3 views

PT-2024-22444 · WordPress · Visual Footer Credit Remover

Name of the Vulnerable Software and Affected Versions: Visual Footer Credit Remover plugin for WordPress versions up to, and including, 2. Description: The issue allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages via the selector parameter due t...

CVSS 4.4 · AI score 7.2 · EPSS 0.00287
Exploits 0 · References 3
Positive Technologies
added 2024/05/09 12:00 a.m. · 5 views

PT-2024-23562 · WordPress · Custom Field Suite

Name of the Vulnerable Software and Affected Versions: Custom Field Suite plugin for WordPress versions up to, and including, 2.6.5. Description: The issue is related to Stored Cross-Site Scripting via the cfsfieldsname parameter due to insufficient input sanitization and output escaping. This...

CVSS 4.8 · AI score 6.2 · EPSS 0.00557
Exploits 0 · References 6
WPVulnDB
added 2024/05/08 12:00 a.m. · 15 views

Gianism <= 5.1.0 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: 1. Go to...

AI score 5.4 · EPSS 0.00372
Exploits 2
WPVulnDB
added 2024/05/08 12:00 a.m. · 12 views

Playlist for Youtube <= 1.32 - Editor+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: 1. Go to...

AI score 5.4 · EPSS 0.00332
Exploits 2
OSV
added 2024/05/06 6:15 a.m. · 4 views

CVE-2024-3755

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 5.4 · AI score 5.8 · EPSS 0.00425
Exploits 2 · References 1
NVD
added 2024/05/06 6:15 a.m. · 25 views

CVE-2024-3755

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 5.4 · AI score 5.4 · EPSS 0.00425
Exploits 2 · References 1
OSV
added 2024/05/06 6:15 a.m. · 4 views

CVE-2024-0904

The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 5.9 · AI score 5.8 · EPSS 0.00584
Exploits 2 · References 1
CVE
added 2024/05/06 6:00 a.m. · 59 views

CVE-2024-3755

CVE-2024-3755 affects MF Gig Calendar for WordPress up to version 1.2.1. The root cause is that the plugin does not sanitize/escape certain settings, enabling a stored XSS when a high-privilege user (e.g., Editor) interacts with the plugin, even if unfiltered_html is disallowed (such as in multis...

CVSS 5.4 · AI score 5.6 · EPSS 0.00425
Exploits 2 · References 1 · Affected Software 1
Cvelist
added 2024/05/06 6:00 a.m. · 22 views

CVE-2024-0904 Fancy Product Designer < 6.1.81 - Admin+ Cross Site Scripting

The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.5 · EPSS 0.00584
Exploits 2 · References 1
Vulnrichment
added 2024/05/06 6:00 a.m. · 15 views

CVE-2024-3755 MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.6 · EPSS 0.00425
Exploits 2 · References 1
Cvelist
added 2024/05/06 6:00 a.m. · 24 views

CVE-2024-3752 Crelly Slider <= 1.4.5 - Admin+ Stored XSS

The Crelly Slider WordPress plugin through 1.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.5 · EPSS 0.00425
Exploits 2 · References 1
Vulnrichment
added 2024/05/06 6:00 a.m. · 19 views

CVE-2024-3752 Crelly Slider <= 1.4.5 - Admin+ Stored XSS

The Crelly Slider WordPress plugin through 1.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.6 · EPSS 0.00425
Exploits 2 · References 1
CVE
added 2024/05/06 6:00 a.m. · 77 views

CVE-2024-0904

CVE-2024-0904 affects Fancy Product Designer (WordPress plugin) versions prior to 6.1.81. The issue is due to incomplete sanitization/escaping of certain settings, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (e.g., multisite). Reported impact...

CVSS 5.9 · AI score 5.6 · EPSS 0.00584
Exploits 2 · References 1 · Affected Software 1
Cvelist
added 2024/05/06 6:00 a.m. · 33 views

CVE-2024-3755 MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.5 · EPSS 0.00425
Exploits 2 · References 1
NVD
added 2024/05/03 6:15 a.m. · 18 views

CVE-2024-3637

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...

CVSS 6.1 · AI score 5.4 · EPSS 0.00472
Exploits 2 · References 1