254 matches found
CVE-2024-3666 Opal Estate Pro – Property Management and Submission <= 1.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Opal Estate Pro – Property Management and Submission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the agent latitude and longitude parameters in all versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible...
CVE-2024-2953 LuckyWP Table of Contents <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor permissio...
CVE-2024-4400 Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.26.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.26.4 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2024-4487 Blocksy Companion <= 2.0.45 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Uploads
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up to, and including, 2.0.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and...
CVE-2024-4567 Themify Shortcodes <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via themify_button Shortcode
The Themify Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themify_button shortcode in all versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-2925
CVE-2024-2925 affects Beaver Builder – WordPress Page Builder (WordPress plugin) up to version 2.8.0.5. Root cause: insufficient input sanitization and output escaping on Button Widget attributes, enabling Stored Cross-Site Scripting. Impact: authenticated attackers with contributor-level...
CVE-2024-1049 Page Builder Gutenberg Blocks – CoBlocks <= 3.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon Widget's in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping on the link value. This makes it possible for...
CVE-2023-3372 Lana Shortcodes < 1.2.0 - Contributor+ Stored XSS
The Lana Shortcodes WordPress plugin before 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2021-24559 Qyrr < 0.7 - Authenticated (contributor+) Stored XSS
The Qyrr WordPress plugin before 0.7 does not escape the data-uri of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks. Furthermore, the data_uri_to_meta AJAX action, available to all authenticated users, only had a CSRF check in place, with the nonce...
CVE-2023-4925 Easy Forms for Mailchimp <= 6.8.10 - Admin+ Stored Cross-Site Scripting
The Easy Forms for Mailchimp WordPress plugin through 6.8.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...
CVE-2023-25462 WordPress WP htaccess Control Plugin <= 3.5.1 is vulnerable to Cross Site Scripting (XSS)
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP htaccess Control plugin <= 3.5.1 versions...
CVE-2023-25024 WordPress Icegram Collect plugin <= 1.3.8 is vulnerable to Cross Site Scripting (XSS)
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Icegram's Icegram Collect plugin <= 1.3.8 versions...
CVE-2023-23971
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CodePeople WP Time Slots Booking Form plugin <= 1.1.81 versions...
CVE-2022-47602 WordPress WP Table Manager Plugin <= 3.5.2 is vulnerable to Cross Site Scripting (XSS)
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in JoomUnited WP Table Manager plugin <= 3.5.2 versions...
CVE-2022-47603 WordPress Responsive Image Gallery, Gallery Album Plugin <= 2.0.1 is vulnerable to Cross Site Scripting (XSS)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wpdevart Gallery – Image and Video Gallery with Thumbnails plugin <= 2.0.1 versions...
CVE-2023-0538 Campaign URL Builder < 1.8.2 - Contributor+ Stored XSS
The Campaign URL Builder WordPress plugin before 1.8.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2022-4562 Meks Flexible Shortcodes < 1.3.5 - Contributor+ Stored XSS
The Meks Flexible Shortcodes WordPress plugin before 1.3.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against hi...
CVE-2022-4580 Twenty20 Image Before-After <= 1.5.9 - Contributor+ Stored XSS
The Twenty20 Image Before-After WordPress plugin through 1.5.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
CVE-2022-4471 YARPP - Yet Another Related Posts Plugin < 5.30.3 - Contributor+ Stored XSS
The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2023-0034 JetWidgets For Elementor < 1.0.14 - Contributor+ Stored XSS via Shortcode
The JetWidgets For Elementor WordPress plugin before 1.0.14 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
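Most of the Contributor+ entries above (Lana Shortcodes, Campaign URL Builder, Meks Flexible Shortcodes, Twenty20, YARPP, JetWidgets, Themify Shortcodes, the Beaver Builder and CoBlocks button/icon widgets) share one root cause: a shortcode or widget handler interpolates user-supplied attributes straight into HTML. Contributors cannot place raw script in post content because they lack the unfiltered_html capability and KSES filters the post body, but attribute values reach the handler's callback as-is, so the callback's own escaping is the only control. The following is an added illustration, not code from any plugin listed on this page. The shortcode name demo_button, its attributes, the allowed class list and the attacker payload are all constructed for the example; the stand-in definitions of esc_attr, esc_html, esc_url and shortcode_atts are simplified approximations of the WordPress core helpers of the same name and are only defined when the file is run outside WordPress, so it can be executed with php-cli.

```php
<?php
// Added example (not from any plugin above): a shortcode handler written the
// vulnerable way seen in these advisories, beside a hardened version.

if (!function_exists('esc_attr')) {
    // Stand-ins for WordPress core helpers, used only when run outside WP.
    // They approximate, not reproduce, the real implementations.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function esc_url($url) {
        $url = trim((string) $url);
        // Accept only http(s) and site-relative URLs; anything else
        // (javascript:, data:, vbscript:) collapses to an empty string.
        if ($url !== '' && (preg_match('#^(https?:)?//#i', $url) || $url[0] === '/' || $url[0] === '#')) {
            return esc_attr($url);
        }
        return '';
    }
    function shortcode_atts($pairs, $atts) {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

$demo_defaults = ['url' => '#', 'label' => 'Read more', 'class' => 'btn'];

// Vulnerable pattern: attribute values concatenated into markup unescaped.
// A Contributor's post body is KSES-filtered, but these values are not.
function demo_button_vulnerable($atts) {
    global $demo_defaults;
    $a = shortcode_atts($demo_defaults, (array) $atts);
    return '<a href="' . $a['url'] . '" class="' . $a['class'] . '">' . $a['label'] . '</a>';
}

// Hardened pattern: validate what has a closed set of legal values,
// then escape each value for the exact context it lands in.
function demo_button_hardened($atts) {
    global $demo_defaults;
    $a = shortcode_atts($demo_defaults, (array) $atts);
    $allowed_classes = ['btn', 'btn-primary', 'btn-outline']; // constructed allow-list
    $class = in_array($a['class'], $allowed_classes, true) ? $a['class'] : 'btn';
    return sprintf('<a href="%s" class="%s">%s</a>',
        esc_url($a['url']),    // URL context: rejects javascript:/data: schemes
        esc_attr($class),      // attribute-value context
        esc_html($a['label'])  // text-node context
    );
}

// Constructed attacker input, as a Contributor could supply in a post:
// [demo_button url="javascript:alert(1)" class='x" onmouseover="alert(1)'
//              label="<img src=x onerror=alert(1)>"]
$payload = [
    'url'   => 'javascript:alert(1)',
    'class' => 'x" onmouseover="alert(1)',
    'label' => '<img src=x onerror=alert(1)>',
];

echo "vulnerable: ", demo_button_vulnerable($payload), PHP_EOL;
echo "hardened:   ", demo_button_hardened($payload), PHP_EOL;

// Inside WordPress, only the hardened callback would be registered.
if (function_exists('add_shortcode')) {
    add_shortcode('demo_button', 'demo_button_hardened');
}
```

Running it shows the vulnerable output carrying a live javascript: href, an injected onmouseover handler and an unescaped img tag, while the hardened output has an empty href, the fallback class and an HTML-encoded label. When reviewing a plugin, the check is the same as the fix: find every add_shortcode or widget render callback and confirm each attribute is either validated against an allow-list or passed through the esc_* helper matching its output context.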