Tutor LMS < 2.3.0 - Subscriber+ Stored Cross-Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Register a student account and go to the...

Simple Posts Ticker < 1.1.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Settings Simple Posts...

CVE-2023-2995

The Leyka WordPress plugin before 3.30.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-4376

The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is...

CVE-2023-2995

The Leyka WordPress plugin before 3.30.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-4376

The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is...

Cross site scripting

The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is...

CVE-2023-2995 Leyka < 3.30.4 - Admin+ Stored XSS

The Leyka WordPress plugin before 3.30.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

File Manager Pro < 1.8.1 - Admin+ Remote Code Execution

Description The plugin allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution. PoC As an admin, use the File Manager UI to upload a file...

wp tell a friend popup form <= 7.1 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Easy Admin Menu <= 1.3 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Reservation.Studio widget < 1.0.12 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Client Portal : SuiteDash Direct Login <= 1.7.6 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

wpShopGermany – Protected Shops < 2.1 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

wSecure Lite <= 2.5 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

ShopConstruct <= 1.1.2 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

breadcrumb simple <= 1.3 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

nuajik CDN <= 0.1.0 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

WP Default Feature Image <= 1.0.1.1 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-41043

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the stable branch and version 3.2.0.beta1 of the beta and tests-passed branches, a malicious admin could create extremely large icons sprites, which would then be cached in each server process. This may cause server...