149 matches found
CVE-2024-11901
CVE-2024-11901 affects the WordPress PowerBI Embed Reports plugin (up to version 1.1.7). The vulnerability is Stored XSS via the MO_API_POWER_BI shortcode, caused by insufficient input sanitization and output escaping for user-supplied shortcode attributes. Authenticated attackers with contributo...
CVE-2024-50969
A Reflected cross-site scripting XSS vulnerability in browse.php of Code-projects Jonnys Liquor 1.0 allows remote attackers to inject arbitrary web scripts or HTML via the search parameter...
CVE-2024-10266 Premium Addons for Elementor <= 4.10.60 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Video Box Widget
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Box widget in all versions up to, and including, 4.10.60 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-6346 Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks <= 2.2.85 - Authenticated (Contributor+) Stored Cross-Site Scripting via redirectURL Parameter of Date Countdown Widget
The Gutenberg Blocks, Page Builder – ComboBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the redirectURL parameter of the Date Countdown widget, in all versions up to, and including, 2.2.85 due to insufficient input sanitization and output escaping on user supplied...
CVE-2024-6405
The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the floatingsocialbuttonsoption function. This makes it possible for unauthenticated attackers to update...
CVE-2024-5945
CVE-2024-5945 affects the WP SVG Images WordPress plugin, with stored XSS via the type parameter in all versions up to 4.2 due to insufficient input sanitization. Exploitation requires authentication (Author-level access or higher) and permissions to upload sanitized files. Successful abuse could...
CVE-2024-36212
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
CVE-2024-2784
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Hover Card widget in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2024-0609
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apikey' parameter in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. Th...
CVE-2024-26030
Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
CVE-2024-26096 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
Cross site scripting
The Simple Share Buttons Adder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2023-6923
The Matomo Analytics – Ethical Stats. Powerful Insights. plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the idsite parameter in all versions up to, and including, 4.15.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticate...
CVE-2023-43377
A cross-site scripting XSS vulnerability in /hoteldruid/visualizzacontratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatarioemail1 parameter...
CVE-2023-39712
Multiple cross-site scripting XSS vulnerabilities in Free and Open Source Inventory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name, Address, and Company parameters under the Add New Put section...
PT-2023-19243 · Steven Henty · Drop Shadow Boxes
Name of the Vulnerable Software and Affected Versions: Steven Henty Drop Shadow Boxes plugin versions 1.7.10 and earlier Description: The issue is related to an Authenticated Cross-Site Scripting XSS vulnerability. This means that an attacker with contributor or higher privileges can inject...
CVE-2020-36711 Avada <= 6.2.2 - Authenticated (Contributor+) Cross-Site Scripting
The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the updatelayout function in versions up to, and including, 6.2.3 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers, and above, to inject arbitrary web...
Contact Form Builder by vcita <= 4.10.2 - Settings Update Via CSRF
The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions...
Contact Form Builder by vcita < 4.10.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email parameter in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts targeting higher privileged users, such as administrators, into the plugin settings. PoC...
CVE-2022-35509
CVE-2022-35509 is a Storage XSS in EyouCMS 1.5.8. The issue allows an attacker to inject a payload via the title parameter in the foreground contribution, enabling execution of arbitrary web scripts/HTML and potential exposure of sensitive information. Documents do not provide exploit code, affec...