CVE-2024-2222
CVE-2024-2222 (Advanced Classifieds & Directory Pro for WordPress) : Vulnerability due to a missing capability check in ajax_callback_delete_attachment across all versions up to 3.0.0. This allows authenticated users with subscriber+ access to delete arbitrary media uploads, i.e., unauthorized da...
CVE-2024-1587
CVE-2024-1587 affects the WordPress Newsmatic theme up to version 1.3.0. It enables Sensitive Information Exposure via the newsmatic_filter_posts_load_tab_content, allowing unauthenticated users to view draft posts and post content. The CVSS v3.1 base score is 5.3 (Medium) with network attack vec...
CVE-2024-2325
CVE-2024-2325 concerns the WordPress Link Library plugin. Affected versions up to and including 7.6.6 are vulnerable to a Reflected Cross‑Site Scripting (XSS) flaw via the searchll parameter, caused by insufficient input sanitization and output escaping. This can enable unauthenticated attackers ...
CVE-2024-1999
The WordPress plugin Gutenberg Blocks by Kadence Blocks – Page Builder Features is affected by CVE-2024-1999: Stored XSS via the Testimonial Widget anchor style parameter in versions up to 3.2.25. Exploitation requires at least Contributor‑level access and can lead to stored scripts executing on ...
CVE-2024-2287
CVE-2024-2287 — Knight Lab Timeline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in versions up to 3.9.3.3 due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level permissions (or higher) can inject sc...
CVE-2024-2348
Gum Elementor Addon for WordPress ≤ 1.3.2 is vulnerable to Stored Cross-Site Scripting via the Post Meta widget due to insufficient input sanitization/output escaping. Exploitation requires authenticated access (subscriber or higher). A fixed version, 1.3.3, is available; updating to >1.3.2 is...
CVE-2024-1893
CVE-2024-1893 affects the Easy Property Listings WordPress plugin. Time-based SQL Injection is possible in all versions up to 3.5.2 due to insufficient escaping of the property_status shortcode parameter and inadequate query preparation. Authenticated attackers with Contributor+ privileges can in...
CVE-2024-2289
PowerPack Lite for Beaver Builder (WordPress plugin) is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes. The issue affects all versions up to 1.3.0 and can allow authenticated attackers with contributor-level and abo...
CVE-2024-2335
CVE-2024-2335 concerns the Elements Plus! WordPress plugin. Affected: Elements Plus! up to version 2.16.2. Issue: Stored Cross-Site Scripting via multiple widget link URLs caused by insufficient input sanitization and output escaping on user-supplied attributes. Impact: authenticated attackers wi...
CVE-2024-2871
CVE-2024-2871 affects the Media Library Assistant plugin for WordPress. It enables SQL Injection via shortcode parameters in all versions up to 3.13 due to insufficient escaping and lack of proper query preparation, allowing authenticated attackers with contributor access or higher to append addi...
CVE-2024-1465
The CVE-2024-1465 entry concerns the Elementor Addons by Livemesh plugin for WordPress (versions up to and including 8.3.4). It describes a Stored Cross-Site Scripting vulnerability in the Posts Carousel widget via the carousel_skin attribute, arising from insufficient input sanitization and outp...
CVE-2024-2340
CVE-2024-2340 affects the WordPress Avada theme up to version 7.11.6. The vulnerability enables unauthenticated attackers to access sensitive files uploaded through Avada forms via the /wp-content/uploads/fusion-forms/ directory, causing sensitive information exposure. Root cause: directory listi...
CVE-2024-1790
CVE-2024-1790 affects the WordPress Infinite Scroll – Ajax Load More plugin for WordPress (up to version 7.0.1). It enables Path Traversal via the type parameter, allowing authenticated attackers with administrator-level access and above to read arbitrary server files (Windows instances only)...
CVE-2024-2343
The CVE-2024-2343 entry concerns the Avada WordPress theme (Avada | Website Builder For WordPress & WooCommerce). It describes a Server-Side Request Forgery (SSRF) vulnerability in all versions up to 7.11.6, exploitable via the form_to_url_action function. The issue can be triggered by authentica...
CVE-2024-0899
CVE-2024-0899 affects s2Member – Best Membership Plugin for WordPress. It enables Information Exposure via the API in all versions up to 230815, allowing unauthenticated access to post/page contents. Patch/update to 240315 or later to remediate. This entry is corroborated by multiple sources in t...
CVE-2024-2536
CVE-2024-2536 affects the Rank Math SEO with AI Tools plugin for WordPress. The vulnerability is Stored Cross-Site Scripting via HowTo block attributes due to insufficient input sanitization and output escaping. It impacts all versions up through 1.0.214 and requires contributor-level or higher a...
CVE-2024-1464
Elementor Addons by Livemesh (WordPress) has CVE-2024-1464: Stored XSS via the style attribute in the Posts Slider widget, affecting all versions up to 8.3.4 due to insufficient input sanitization/output escaping. Impact: authenticated users with contributor+ privileges can inject scripts that ru...
CVE-2024-2183
The issue is a stored XSS in Beaver Builder Addons by WPZOOM for WordPress, affecting all versions up to 1.3.4. The vulnerability arises from insufficient input sanitization and output escaping in the Heading widget, allowing authenticated attackers with contributor-level access or higher to inject script...
CVE-2024-2543
The CVE-2024-2543 entry concerns the Permalink Manager Lite WordPress plugin. A missing capability check in get_uri_editor affects all versions up to 2.4.3.1, enabling unauthenticated attackers to view permalinks for all posts. Remediation: upgrade to 2.4.3.2 or later (patched in that version).
CVE-2024-2186
CVE-2024-2186: Beaver Builder Addons by WPZOOM for WordPress is susceptible to Stored XSS via the Team Members widget in all versions