CVE-2024-2963

The Pocket News Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings such as "Consumer Key" and "Access Token" in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Breeze < 2.1.4 - Admin+ Stored XSS

Description The plugin does not sanitise and escape its breezeapitoken settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2024-22943 · WordPress · Pocket News Generator

Name of the Vulnerable Software and Affected Versions: The Pocket News Generator plugin for WordPress versions up to, and including, 0.2.0 Description: The issue is related to Stored Cross-Site Scripting via admin settings, specifically Consumer Key and Access Token, due to insufficient input...

PT-2024-22960 · WordPress · Wp-Eggdrop

Name of the Vulnerable Software and Affected Versions: WP-Eggdrop plugin for WordPress versions up to, and including, 0.1 Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated...

CVE-2024-29910

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Alordiel Dropdown Multisite selector allows Stored XSS.This issue affects Dropdown Multisite selector: from n/a through 0.9.2...

CVE-2024-29910 WordPress Dropdown Multisite selector plugin <= 0.9.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Alordiel Dropdown Multisite selector allows Stored XSS.This issue affects Dropdown Multisite selector: from n/a through 0.9.2...

CVE-2024-29910

CVE-2024-29910 refers to a Stored Cross-Site Scripting (XSS) flaw in the WordPress plugin “Dropdown Multisite selector.” The connected data indicate this affects versions up to 0.9.2 (listed as &lt;= 0.9.2) with the issue described as Stored XSS via shortcode. The vulnerability is categorized as ...

WordPress Plugin Dropdown multisite selector 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers.WordPress plugin is an application...

Social Media Share Buttons < 2.8.9 - Admin+ Stored XSS via settings

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Ultimate Social Media...

WP Staging (Free < 3.4.0, Pro < 5.4.0) - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "WP Staging Backup &...

PT-2024-22937 · WordPress · The Simple Ajax Chat

Name of the Vulnerable Software and Affected Versions: The Simple Ajax Chat – Add a Fast, Secure Chat Box plugin for WordPress versions up to, and including, 20231101 Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and...

Carousel Slider < 2.2.7 - Editor+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add a new slider at "Carousel...

Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload

Description The plugin does not properly validate backup files to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to for example in multisite setup PoC 1. Go to the plugin setting and in the "Restore" section...

WordPress Dropdown Multisite selector Plugin <= 0.9.2 is vulnerable to Cross Site Scripting (XSS)

Software Dropdown Multisite selector Type Plugin Vulnerable versions = 0.9.2 Fixed in 0.9.2.1 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2024-29910 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 070110679b87 Credits LVT-tholv2k Required...

Ultimate Noindex Nofollow Tool II < 1.3.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Settings Ultimate...

NPS computy < 2.7.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Settings NPS Monitoring"...

Tracking Code Manager < 2.1.0 -Admin+ Stored Cross-Site Scripting

Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Advanced Access Manager < 6.9.21 - Admin+ Stored Cross-Site Scripting

Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-7246

The System Dashboard WordPress plugin before 2.8.10 does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks...

CVE-2023-7246 System Dashboard < 2.8.10 - XSS via Header Injection

The System Dashboard WordPress plugin before 2.8.10 does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks...