3482 matches found

Cvelist
added 2024/05/03 6:00 a.m., 35 views

CVE-2024-3637 Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Admin+ Stored XSS

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...

AI score: 5.5 | EPSS: 0.00472
Exploits: 2 | References: 1

OSV
added 2024/05/02 5:15 p.m., 2 views

CVE-2024-2958

The SVS Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via pricing table settings in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

CVSS: 4.8 | AI score: 5.9 | EPSS: 0.00334
Exploits: 0 | References: 2

WPVulnDB
added 2024/05/02 12:00 a.m., 27 views

Button contact VR <= 4.7 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup.
PoC: Click on the "Button contact" and...

AI score: 5.4 | EPSS: 0.0033
Exploits: 2 | References: 1

Positive Technologies
added 2024/05/02 12:00 a.m., 5 views

PT-2024-29106 · WordPress · Tabellen Von Faustball.Com

Name of the Vulnerable Software and Affected Versions: The Tabellen von faustball.com plugin for WordPress versions up to, and including, 2.0.4
Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allo...

CVSS: 4.4 | AI score: 5.8 | EPSS: 0.00406
Exploits: 0 | References: 4

Positive Technologies
added 2024/05/02 12:00 a.m., 2 views

PT-2024-22957 · WordPress · Wp Front User Submit / Front Editor

Name of the Vulnerable Software and Affected Versions: WP Front User Submit / Front Editor plugin for WordPress versions up to, and including, 4.4.1
Description: The issue is related to Stored Cross-Site Scripting via form settings due to insufficient input sanitization and output escaping. This...

CVSS: 4.4 | AI score: 5.8 | EPSS: 0.00462
Exploits: 0 | References: 4

Positive Technologies
added 2024/05/02 12:00 a.m., 8 views

PT-2024-20231 · WordPress · Admin Page Spider

Name of the Vulnerable Software and Affected Versions: Admin Page Spider plugin for WordPress versions up to, and including, 3.20
Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticat...

CVSS: 4.4 | AI score: 5.9 | EPSS: 0.00436
Exploits: 0 | References: 4

WPVulnDB
added 2024/05/01 12:00 a.m., 12 views

IDonate <= 1.9.0 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup.
PoC: 1. Navigate to...

AI score: 4.9 | EPSS: 0.00518
Exploits: 2 | References: 1

WPVulnDB
added 2024/04/30 12:00 a.m., 11 views

Sailthru Triggermail <= 1.1 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup.
PoC: 1. Go to...

AI score: 7.7 | EPSS: 0.00388
Exploits: 2

CVE
added 2024/04/29 6:00 a.m., 61 views

CVE-2024-1905

CVE-2024-1905 concerns the Smart Forms WordPress plugin, prior to version 2.6.96. It allows stored XSS via unsanitised/unescaped plugin settings, potentially affecting high-privilege users (e.g., admins), even when unfiltered_html is disallowed (including multisite). The issue is mitigated by upg...

CVSS: 5.9 | AI score: 5.6 | EPSS: 0.0047
Exploits: 2 | References: 1 | Affected Software: 1

OSV
added 2024/04/26 5:15 a.m., 1 view

CVE-2024-2603

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin or editor depending on Salon booking system WordPress plugin through 9.6.5 configuration to perform Stored Cross-Site Scripting attacks...

CVSS: 6.3 | AI score: 5.8
Exploits: 0 | References: 1

OSV
added 2024/04/26 5:15 a.m., 2 views

CVE-2024-2908

The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

CVSS: 4.3 | AI score: 7.3 | EPSS: 0.0067
Exploits: 2 | References: 1

NVD
added 2024/04/26 5:15 a.m., 14 views

CVE-2024-2439

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

CVSS: 4.8 | AI score: 5.4 | EPSS: 0.00418
Exploits: 2 | References: 1

OSV
added 2024/04/26 5:15 a.m., 5 views

CVE-2024-2439

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

CVSS: 4.8 | AI score: 5.8 | EPSS: 0.00418
Exploits: 2 | References: 1

Vulnrichment
added 2024/04/26 5:00 a.m., 22 views

CVE-2024-2908 Call Now Button < 1.4.7 - Admin+ Stored XSS

The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score: 5.6 | EPSS: 0.0067
Exploits: 2 | References: 1

Cvelist
added 2024/04/26 5:00 a.m., 27 views

CVE-2024-2603 Salon booking system <= 9.6.5 - Editor+ Stored XSS via Email Settings

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin or editor depending on Salon booking system WordPress plugin through 9.6.5 configuration to perform Stored Cross-Site Scripting attacks...

AI score: 5.6 | EPSS: 0.00465
Exploits: 2 | References: 1

CVE
added 2024/04/26 5:00 a.m., 73 views

CVE-2024-2603

CVE-2024-2603 affects the Salon booking system WordPress plugin (versions ≤ 9.6.5). The issue is due to incomplete sanitization/escaping of certain settings, enabling Stored XSS by high-privilege users (admin or editor, depending on configuration) even when unfiltered_html is disallowed (e.g., mu...

CVSS: 6.3 | AI score: 7.6 | EPSS: 0.00465
Exploits: 2 | References: 1 | Affected Software: 1

Vulnrichment
added 2024/04/26 5:00 a.m., 13 views

CVE-2024-2439 Salon booking system <= 9.6.5 - Editor+ Stored XSS

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score: 5.6 | EPSS: 0.00418
Exploits: 2 | References: 1

CVE
added 2024/04/26 5:00 a.m., 92 views

CVE-2024-2439

CVE-2024-2439 affects the Salon booking system WordPress plugin up to version 9.6.5. The vulnerability is a Stored XSS arising from insufficient sanitization/escaping of plugin settings, enabling high-privilege users (e.g., Editor) to inject script even if unfiltered_html is disabled (e.g., multi...

CVSS: 4.8 | AI score: 7.6 | EPSS: 0.00418
Exploits: 2 | References: 1 | Affected Software: 1

Cvelist
added 2024/04/26 5:00 a.m., 21 views

CVE-2024-2439 Salon booking system <= 9.6.5 - Editor+ Stored XSS

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score: 5.6 | EPSS: 0.00418
Exploits: 2 | References: 1

Cvelist
added 2024/04/26 5:00 a.m., 19 views

CVE-2024-2310 WP Google Review Slider < 13.6 - Admin+ Stored XSS

The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score: 5.5 | EPSS: 0.00308
Exploits: 2 | References: 1