
1398 matches found

RedhatCVE
added 2025/05/23 6:56 a.m. | 3 views

CVE-2024-11357

The goodlayers-core WordPress plugin before 2.0.10 does not sanitise and escape some of its settings, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 5.9 | AI score 5.8 | EPSS 0.00123
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/23 6:56 a.m. | 2 views

CVE-2024-11184

The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing for authors and above to upload SVGs containing malicious scripts...

CVSS 4.8 | AI score 6.8 | EPSS 0.00306
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/23 6:53 a.m. | 4 views

CVE-2024-12526

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.1. This is due to missing or incorrect nonce validation on the 'albfreuseraction' AJAX action. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 7.2 | EPSS 0.00179
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 6:48 a.m. | 3 views

CVE-2024-10681

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.0.51. This is due to the software allowing users to execute an action that does not...

CVSS 6.3 | AI score 7.3 | EPSS 0.00298
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 6:44 a.m. | 3 views

CVE-2024-10175

The Pricing Tables For WPBakery Page Builder formerly Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wdopricingtables shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied...

CVSS 6.4 | AI score 5.8 | EPSS 0.00201
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 6:33 a.m. | 6 views

CVE-2024-52554

Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override...

CVSS 8.8 | AI score 8.6 | EPSS 0.00529
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 5:31 a.m. | 2 views

CVE-2023-4507

The Admission AppManager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'q' parameter in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1 | AI score 6.4 | EPSS 0.01989
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 5:4 a.m. | 5 views

CVE-2023-36384

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin <= 1.2.40 versions...

CVSS 7.1 | AI score 5.9 | EPSS 0.00105
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 5:2 a.m. | 6 views

CVE-2023-27624

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Marcelotorres Redirect After Login plugin <= 0.1.9 versions...

CVSS 5.9 | AI score 5.6 | EPSS 0.00485
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 4:57 a.m. | 7 views

CVE-2023-6504

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppbtoolboxusermetahandler function in all versions up to, and including, 3.10.7. This makes it...

CVSS 4.3 | AI score 6 | EPSS 0.00218
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 4:52 a.m. | 5 views

CVE-2023-46072

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Michael Simpson Add Shortcodes Actions And Filters plugin <= 2.0.9 versions...

CVSS 7.1 | AI score 5.9 | EPSS 0.00083
Exploits: 0

RedhatCVE
added 2025/05/23 4:51 a.m. | 7 views

CVE-2023-28785

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Yoast Yoast SEO: Local plugin <= 14.9 versions...

CVSS 6.5 | AI score 5.6 | EPSS 0.00198
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 4:48 a.m. | 6 views

CVE-2023-31233

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Haoqisir Baidu Tongji generator plugin <= 1.0.2 versions...

CVSS 5.9 | AI score 5.6 | EPSS 0.00207
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 4:36 a.m. | 3 views

CVE-2023-35043

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Neha Goel Recent Posts Slider plugin <= 1.1 versions...

CVSS 7.1 | AI score 5.6 | EPSS 0.0011
Exploits: 0

RedhatCVE
added 2025/05/23 4:33 a.m. | 4 views

CVE-2023-5886

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading t...

CVSS 8.8 | AI score 7.3 | EPSS 0.00748
Exploits: 2

RedhatCVE
added 2025/05/23 4:31 a.m. | 3 views

CVE-2023-5295

The Comments by Startbit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'vivafbcomment' shortcode in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVSS 6.4 | AI score 6.8 | EPSS 0.00082
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 4:27 a.m. | 9 views

CVE-2023-44230

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Popup contact form plugin <= 7.1 versions...

CVSS 5.9 | AI score 5.6 | EPSS 0.00063
Exploits: 0

RedhatCVE
added 2025/05/23 3:46 a.m. | 7 views

CVE-2023-3122

The GD Mail Queue plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

CVSS 7.2 | AI score 6.1 | EPSS 0.00991
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 3:43 a.m. | 5 views

CVE-2023-30521

A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository...

CVSS 5.3 | AI score 6.8 | EPSS 0.01088
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 2:54 a.m. | 4 views

CVE-2023-0255

The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites...

CVSS 8.8 | AI score 6.9 | EPSS 0.01391
Exploits: 2 | References: 1