
1398 matches found

Patchstack
added 2025/05/19 1:6 a.m., 2 views

WordPress The GDPR Framework By Data443 plugin < 2.2.0 - Admin+ Stored XSS vulnerability

Admin+ Stored XSS vulnerability discovered by Bob Matyas in WordPress Plugin GDPR Framework By Data443 versions < 2.2.0...

CVSS 4.8, AI score 6, EPSS 0.00166
Exploits 1, References 1, Affected Software 1
RedhatCVE
added 2025/05/17 9:3 p.m., 5 views

CVE-2024-12733

The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1, AI score 6.1, EPSS 0.00181
Exploits 1, References 1
RedhatCVE
added 2025/05/17 9:3 p.m., 6 views

CVE-2024-12812

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees...

CVSS 7.5, AI score 7.4, EPSS 0.00306
Exploits 1, References 1
RedhatCVE
added 2025/05/17 9:2 p.m., 6 views

CVE-2024-6667

The KBucket: Your Curated Content in WordPress plugin before 4.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin...

CVSS 6.1, AI score 6.2, EPSS 0.00292
Exploits 1, References 1
Cvelist
added 2025/05/16 3:45 p.m., 12 views

CVE-2025-31641 WordPress UberSlider plugin <= 2.3 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup UberSlider uber-classic allows SQL Injection. This issue affects UberSlider: from n/a through 2.6...

CVSS 8.5, EPSS 0.00179
Exploits 0, References 1
Patchstack
added 2025/05/16 12:58 p.m., 5 views

WordPress WPCHURCH plugin <= 2.7.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Thái An in WordPress Plugin WPCHURCH versions <= 2.7.0...

CVSS 8.1, AI score 8.3, EPSS 0.00108
Exploits 0, Affected Software 1
CNNVD
added 2025/05/16 12:0 a.m., 2 views

WordPress plugin Eventer SQL injection vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A SQL injection...

CVSS 9.8, AI score 9, EPSS 0.00241
Exploits 0, References 3
NVD
added 2025/05/15 8:15 p.m., 3 views

CVE-2024-11718

The tarteaucitron-wp WordPress plugin before 0.3.0 allows author level and above users to add HTML into a post/page, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 5.4, EPSS 0.0014
Exploits 1, References 1
NVD
added 2025/05/15 8:15 p.m., 4 views

CVE-2024-11843

The Panorama WordPress plugin through 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 4.8, EPSS 0.00166
Exploits 1, References 1
NVD
added 2025/05/15 8:15 p.m., 5 views

CVE-2023-5934

The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some settings via a CSRF attack...

CVSS 7.3, EPSS 0.00139
Exploits 2, References 1
CVE
added 2025/05/15 8:7 p.m., 42 views

CVE-2025-1303

CVE-2025-1303 concerns the Plugin Oficial WordPress plugin (Getnet para WooCommerce) up to version 1.7.3. The issue is a reflected cross-site scripting (XSS) vulnerability caused by a parameter not being sanitised/escaped before being echoed in the page. Exploitation is described against unauthen...

CVSS 6.1, AI score 6.3, EPSS 0.0021
Exploits 1, References 1, Affected Software 1
Vulnrichment
added 2025/05/15 8:7 p.m., 7 views

CVE-2024-8759 Nested Pages <= 3.2.8 - Editor+ Stored XSS

The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

AI score 5.8, EPSS 0.00166
Exploits 1, References 1
Vulnrichment
added 2025/05/15 8:7 p.m., 6 views

CVE-2024-8700 Event Calendar <= 1.0.4 - Unauthenticated Arbitrary Calendar Deletion

The Event Calendar WordPress plugin through 1.0.4 does not check for authorization on delete actions, allowing unauthenticated users to delete arbitrary calendars...

AI score 7.3, EPSS 0.00484
Exploits 1, References 1
Cvelist
added 2025/05/15 8:7 p.m., 9 views

CVE-2024-8619 Ajax Search Lite <= 4.12.2 - Admin+ Stored XSS

The Ajax Search Lite WordPress plugin before 4.12.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

EPSS 0.00048
Exploits 1, References 1
Vulnrichment
added 2025/05/15 8:7 p.m., 3 views

CVE-2024-6690 WP Content Copy Protection & No Right Click (premium) < 15.3 - Open Redirect

The wccp-pro WordPress plugin before 15.3 contains an open-redirect flaw via the referrer parameter, allowing redirection of users to external sites...

AI score 6.3, EPSS 0.002
Exploits 1, References 1
CVE
added 2025/05/15 8:7 p.m., 21 views

CVE-2024-13828

The Badgearoo WordPress plugin (

CVSS 6.1, AI score 6.1, EPSS 0.00181
Exploits 1, References 1, Affected Software 1
Vulnrichment
added 2025/05/15 8:6 p.m., 10 views

CVE-2024-13053 Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS via Theme Title

The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

AI score 4.7, EPSS 0.00166
Exploits 1, References 1
CVE
added 2025/05/15 8:6 p.m., 25 views

CVE-2024-12679

CVE-2024-12679 affects the Prisna GWT WordPress plugin and is due to inadequate sanitisation/escaping of certain settings in versions before 1.4.14. This can enable admin-level Stored XSS even when unfiltered_html is disallowed (e.g., multisite). The impact is stored XSS with potential privil...

CVSS 4.8, AI score 5.7, EPSS 0.00166
Exploits 1, References 1, Affected Software 1
Vulnrichment
added 2025/05/15 8:6 p.m., 8 views

CVE-2024-10076 Jetpack < 13.8, Boost < 3.4.8 - Contributor+ Stored XSS

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and abo...

AI score 5.9, EPSS 0.0017
Exploits 0, References 1
Cvelist
added 2025/05/15 8:6 p.m., 8 views

CVE-2024-10054 Happyforms < 1.26.3 - Admin+ Stored XSS

The Happyforms WordPress plugin before 1.26.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

EPSS 0.00166
Exploits 1, References 1