CVE-2023-7233 GigPress <= 2.3.29 - Admin+ Stored Cross Site Scripting

The GigPress WordPress plugin through 2.3.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2024-15239 · WordPress · Gigpress

Name of the Vulnerable Software and Affected Versions: GigPress WordPress plugin versions 2.3.29 and earlier Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in...

PT-2024-14878 · WordPress · Chartjs

Name of the Vulnerable Software and Affected Versions: chartjs WordPress plugin versions through 2023.2 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a...

WordPress Plugin Popup Builder Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers.WordPress plugin is an application...

Insert PHP Code Snippet < 1.3.5 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-0657

The Internal Link Juicer: SEO Auto Linker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings such as 'iljsettingsfieldlinksperpage' in all versions up to, and including, 2.23.4 due to insufficient input sanitization and output escaping. This makes i...

PT-2024-15724 · WordPress · The Internal Link Juicer: Seo Auto Linker

Name of the Vulnerable Software and Affected Versions: The Internal Link Juicer: SEO Auto Linker for WordPress plugin for WordPress versions up to, and including, 2.23.4 Description: The issue is related to Stored Cross-Site Scripting via admin settings, such as ilj settings field links per page,...

CVE-2024-0630

The WP RSS Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the RSS feed source in all versions up to, and including, 4.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

CVE-2024-0612

The Content Views – Post Grid, Slider, Accordion Gutenberg Blocks and Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for...

Shariff Wrapper < 4.6.10 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the...

Mang Board WP < 1.7.8 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

SEO Plugin by Squirrly SEO < 12.3.16 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2024-14927 · WordPress · Popup Builder

Name of the Vulnerable Software and Affected Versions: Popup Builder WordPress plugin versions prior to 4.2.6 Description: The issue concerns a lack of validation for a parameter, which could allow users with the administrator role to perform a Server-Side Request Forgery SSRF attack in Multisite...

Persian Fonts <= 1.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Navigate to:...

WordPress < 6.4.3 - Admin+ PHP File Upload

Description WordPress allows high privileged users Admin / Super Admin on Mulsitite to upload PHP files directly via the plugin/theme upload feature. Note: Such issue is only a concern on hardened blogs where such users are not allowed to install plugins/themes...

CVE-2023-5956

The Wp-Adv-Quiz WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Cross site scripting

The Wp-Adv-Quiz WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-5956 Wp-Adv-Quiz <= 1.0.2 - Admin+ Stored XSS in Quiz Overview

The Wp-Adv-Quiz WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Chart Builder < 1.9.7 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-0664

The Meks Smart Social Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meks Smart Social Widget in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...