254 matches found
CVE-2022-4677 Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) < 3.12.7 - Contributor+ Stored XSS via Shortcode
The Leaflet Maps Marker WordPress plugin before 3.12.7 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack...
CVE-2022-4667 RSS Aggregator by Feedzy < 4.1.1 - Contributor+ Stored XSS
The RSS Aggregator by Feedzy WordPress plugin before 4.1.1 does not validate and escape some of its block options before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...
CVE-2022-4460 Sidebar Widgets by CodeLights <= 1.4 - Contributor+ Stored XSS
The Sidebar Widgets by CodeLights WordPress plugin through 1.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used...
CVE-2022-2655 Classified Listing Pro < 2.0.20 - Reflected Cross-Site Scripting
The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting...
CVE-2022-2565 Best Payments Plugin for WP < 4.2.1 - Unauthenticated Stored Cross-Site Scripting
The Simple Payment Donations & Subscriptions WordPress plugin before 4.2.1 does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins...
CVE-2022-1322 Coming Soon - Under Construction <= 1.1.9 - Admin+ Stored Cross-Site Scripting
The Coming Soon - Under Construction WordPress plugin through 1.1.9 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...
PT-2022-16549 · WordPress · Dw Promobar
Name of the Vulnerable Software and Affected Versions: DW Promobar WordPress plugin versions 1.0.0 through 1.0.4 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks when the unfiltered html capability is disallowed, for example in a...
Multiple Plugins from Puvox.software - Reflected Cross-Site Scripting
The plugins do not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=wp-phpmyadmin-extension&tab=errors-logreset&a"alert/XSS/...
NextScripts: Social Networks Auto-Poster < 4.3.26 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=nxssnap&a"alert/XSS/...
CVE-2022-1896 underConstruction < 1.21 - Admin+ Stored Cross-Site Scripting
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletredhtml capability is disallowed...
CVE-2022-1710 Appointment Hour Booking < 1.3.56 - Admin+ Stored Cross-Site Scripting
The Appointment Hour Booking WordPress plugin before 1.3.56 does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...
CVE-2022-1394 Photo Gallery < 1.6.4 - Admin+ Stored Cross-Site Scripting
The Photo Gallery by 10Web WordPress plugin before 1.6.4 does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed...
CVE-2022-1303 Slide Anything < 2.3.44 - Editor+ Stored Cross-Site Scripting
The Slide Anything WordPress plugin before 2.3.44 does not sanitize and escape sliders' description, which could allow high privilege users such as editor and above to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...
CVE-2022-1170 JobMonster < 4.5.2.9 - Unauthenticated Reflected Cross-Site Scripting
In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests...
CVE-2021-24810 WP Event Manager < 3.1.23 - Admin+ Stored Cross-Site Scripting
The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...
Advanced Database Cleaner < 3.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape $GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=advanceddbcleaner&aDBctab=options&aDBccat=all&'alert/XSS-key/=alert/XSS-value/...
CVE-2021-24888
The ImageBoss WordPress plugin before 3.0.6 does not sanitise and escape its Source Name setting, which could allow high privilege users to perform Cross-Site Scripting attacks...
CVE-2021-24516 PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting
The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfilteredhtml is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue...
CVE-2021-24413 Easy Twitter Feed < 1.2 - Contributor+ Stored Cross-Site Scripting
The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode...
SEOPress Plugin for WordPress 5.x < 5.0.4 Cross-Site Scripting
The WordPress SEOPress Plugin installed on the remote host is affected by a Cross-Site Scripting XSS vulnerability via REST-API. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source data...