
6231 matches found

OSV
added 2024/07/29 6:15 a.m. · 3 views

CVE-2024-6487

The Inline Related Posts WordPress plugin before 3.8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 5.9 · AI score 5.8 · EPSS 0.0042
Exploits: 1 · References: 1
Cvelist
added 2024/07/29 6:0 a.m. · 31 views

CVE-2024-6487 Inline Related Posts < 3.8.0 - Admin+ Stored XSS

The Inline Related Posts WordPress plugin before 3.8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

EPSS 0.0042
Exploits: 1 · References: 1
Positive Technologies
added 2024/07/29 12:0 a.m. · 6 views

PT-2024-37661 · WordPress · Inline Related Posts

Name of the Vulnerable Software and Affected Versions: Inline Related Posts WordPress plugin versions prior to 3.8.0. Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered_html capability is...

CVSS 5.9 · AI score 5.6 · EPSS 0.0042
Exploits: 1 · References: 5
CVE
added 2024/07/27 11:13 a.m. · 49 views

CVE-2024-5614

CVE-2024-5614 affects Piotnet Addons For Elementor for WordPress up to version 2.4.29. The vulnerability allows unauthenticated attackers to perform Sensitive Information Exposure via the pafe_posts_list function, exposing titles and excerpts of future, draft, and pending posts. CVSS 3.1/3.1 base...

CVSS 5.3 · AI score 5.2 · EPSS 0.00439
Exploits: 0 · References: 3
Positive Technologies
added 2024/07/27 12:0 a.m. · 5 views

PT-2024-36722 · WordPress · Piotnet Addons For Elementor

Name of the Vulnerable Software and Affected Versions: Piotnet Addons For Elementor plugin for WordPress versions up to, and including, 2.4.29. Description: The issue allows unauthenticated attackers to extract sensitive data, including titles and excerpts of future, draft, and pending blog posts,...

CVSS 5.3 · AI score 6.7 · EPSS 0.00439
Exploits: 0 · References: 6
CVE
added 2024/07/24 2:33 a.m. · 53 views

CVE-2024-6755

The CVE-2024-6755 entry concerns the WordPress Social Auto Poster plugin (versions up to and including 5.3.14) suffering from a missing capability check in wpw_auto_poster_quick_delete_multiple, enabling unauthenticated actors to delete arbitrary posts. The connected data corroborates the root ca...

CVSS 6.5 · AI score 6.4 · EPSS 0.00317
Exploits: 0 · References: 2 · Affected Software: 1
Patchstack
added 2024/07/24 2:31 a.m. · 4 views

WordPress Social Auto Poster plugin <= 5.3.14 - Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability discovered by István Márton in WordPress Plugin Social Auto Poster versions <= 5.3.14...

CVSS 6.5 · AI score 7 · EPSS 0.00317
Exploits: 0 · References: 1 · Affected Software: 1
NVD
added 2024/07/20 9:15 a.m. · 26 views

CVE-2024-37951

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Noor alam Magical Posts Display – Elementor & Gutenberg Posts Blocks allows Stored XSS. This issue affects Magical Posts Display – Elementor & Gutenberg Posts Blocks: from n/a through 1.2.38...

CVSS 6.5 · EPSS 0.00239
Exploits: 0 · References: 1
CVE
added 2024/07/20 8:23 a.m. · 50 views

CVE-2024-37951

CVE-2024-37951 is a stored Cross-Site Scripting vulnerability in the WordPress plugin Magical Posts Display – Elementor & Gutenberg Posts Blocks. It affects the product as listed: Magical Posts Display – Elementor & Gutenberg Posts Blocks: from n/a through 1.2.38. The issue arises from impro...

CVSS 6.5 · AI score 6.5 · EPSS 0.00239
Exploits: 0 · References: 1
OSV
added 2024/07/19 11:15 a.m. · 4 views

CVE-2024-5977

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.13.0 via the 'handleRequest' function due to missing validation on a user controlled key. This makes it possible for authenticated...

CVSS 5.4 · AI score 5.9 · EPSS 0.00428
Exploits: 0 · References: 3
CVE
added 2024/07/19 11:1 a.m. · 55 views

CVE-2024-5977

CVE-2024-5977 affects GiveWP – Donation Plugin and Fundraising Platform for WordPress. The vulnerability is an Insecure Direct Object Reference (IDOR) in the handleRequest path, with missing validation on a user-controlled key, enabling authenticated users with GiveWP Worker-level access and abov...

CVSS 5.4 · AI score 5.4 · EPSS 0.00428
Exploits: 0 · References: 3 · Affected Software: 1
Positive Technologies
added 2024/07/19 12:0 a.m. · 3 views

PT-2024-37288 · WordPress · Givewp

Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress versions up to, and including, 3.13.0. Description: The issue is related to Insecure Direct Object Reference, which occurs due to missing validation on a user-controlled ke...

CVSS 5.4 · AI score 6.8 · EPSS 0.00428
Exploits: 0 · References: 8
Positive Technologies
added 2024/07/18 12:0 a.m. · 5 views

PT-2024-37302

Name of the Vulnerable Software and Affected Versions: The Duplica – Duplicate Posts, Pages, Custom Posts or Users plugin for WordPress versions up to, and including, 0.6. Description: The issue allows authenticated attackers with Subscriber-level access and above to create duplicates of users and...

CVSS 4.3 · AI score 5.6 · EPSS 0.00365
Exploits: 0 · References: 7
OSV
added 2024/07/16 9:15 a.m. · 6 views

CVE-2024-1937

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateitem' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to...

CVSS 6.5 · AI score 5.9 · EPSS 0.00365
Exploits: 0 · References: 2
Vulnrichment
added 2024/07/16 8:32 a.m. · 14 views

CVE-2024-1937 Brizy – Page Builder <= 2.4.44 - Missing Authorization to Authenticated (Contributor+) Post Modification

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateitem' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to...

CVSS 7.1 · AI score 6.8 · EPSS 0.00365
Exploits: 0 · References: 2
Patchstack
added 2024/07/15 2:40 a.m. · 6 views

WordPress User Submitted Posts plugin < 20240516 - Admin+ Stored XSS vulnerability

Admin+ Stored XSS vulnerability discovered by Guido Iván García Duva in WordPress Plugin User Submitted Posts versions < 20240516...

CVSS 4.8 · AI score 6.1 · EPSS 0.00423
Exploits: 1 · References: 1 · Affected Software: 1
Patchstack
added 2024/07/15 12:0 a.m. · 12 views

WordPress User Submitted Posts Plugin < 20240516 is vulnerable to Cross Site Scripting (XSS)

Software: User Submitted Posts · Type: Plugin · Vulnerable versions: < 20240516 · Fixed in: 20240516 · OWASP Top 10: A7: Cross-Site Scripting (XSS) · Classification: Cross Site Scripting (XSS) · CVE: CVE-2024-5002 · Patch priority: Low · CVSS severity: Low (5.9) · PSID: b741c5e1dcda · Credits: Guido Iván Garc...

CVSS 4.8 · AI score 5.8 · EPSS 0.00423
Exploits: 1 · References: 3 · Affected Software: 1
OSV
added 2024/07/13 6:15 a.m. · 2 views

CVE-2024-5002

The User Submitted Posts WordPress plugin before 20240516 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

CVSS 4.8 · AI score 5.8 · EPSS 0.00423
Exploits: 1 · References: 1
Cvelist
added 2024/07/13 6:0 a.m. · 17 views

CVE-2024-5002 User Submitted Posts < 20240516 - Admin+ Stored XSS

The User Submitted Posts WordPress plugin before 20240516 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

EPSS 0.00423
Exploits: 1 · References: 1
Vulnrichment
added 2024/07/13 6:0 a.m. · 12 views

CVE-2024-5002 User Submitted Posts < 20240516 - Admin+ Stored XSS

The User Submitted Posts WordPress plugin before 20240516 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...

AI score 5.8 · EPSS 0.00423
Exploits: 1 · References: 1