2 matches found
Birthdays Widget <= 1.7.18 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed. PoC: As admin, create/edit a Birthday and add the following payload in the Name field:...
CVE-2021-24351 The Plus Addons for Elementor < 4.1.12 - Reflected Cross-Site Scripting (XSS)
The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to reflected Cross-Site Scripting exploitable against both unauthenticated and authenticated users...