1378 matches found
CVE-2024-1893
CVE-2024-1893 affects the Easy Property Listings WordPress plugin. Time-based SQL Injection is possible in all versions up to 3.5.2 due to insufficient escaping of the property_status shortcode parameter and inadequate query preparation. Authenticated attackers with Contributor+ privileges can in...
CVE-2024-2289
PowerPack Lite for Beaver Builder (WordPress plugin) is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes. The issue affects all versions up to 1.3.0 and can allow authenticated attackers with contributor-level and abo...
CVE-2024-2335
CVE-2024-2335 concerns the Elements Plus! WordPress plugin. Affected: Elements Plus! up to version 2.16.2. Issue: Stored Cross-Site Scripting via multiple widget link URLs caused by insufficient input sanitization and output escaping on user-supplied attributes. Impact: authenticated attackers wi...
CVE-2024-2871
CVE-2024-2871 affects the Media Library Assistant plugin for WordPress. It enables SQL Injection via shortcode parameters in all versions up to 3.13 due to insufficient escaping and lack of proper query preparation, allowing authenticated attackers with contributor access or higher to append addi...
CVE-2024-1465
The CVE-2024-1465 entry concerns the Elementor Addons by Livemesh plugin for WordPress (versions up to and including 8.3.4). It describes a Stored Cross-Site Scripting vulnerability in the Posts Carousel widget via the carousel_skin attribute, arising from insufficient input sanitization and outp...
CVE-2024-2340
CVE-2024-2340 affects the WordPress Avada theme up to version 7.11.6. The vulnerability enables unauthenticated attackers to access sensitive files uploaded through Avada forms via the /wp-content/uploads/fusion-forms/ directory, causing sensitive information exposure. Root cause: directory listi...
CVE-2024-1790
CVE-2024-1790 affects the WordPress Infinite Scroll – Ajax Load More plugin for WordPress (up to version 7.0.1). It enables Path Traversal via the type parameter, allowing authenticated attackers with administrator-level access and above to read arbitrary server files (Windows instances only)...
CVE-2024-2343
The CVE-2024-2343 entry concerns the Avada WordPress theme (Avada | Website Builder For WordPress & WooCommerce). It describes a Server-Side Request Forgery (SSRF) vulnerability in all versions up to 7.11.6, exploitable via the form_to_url_action function. The issue can be triggered by authentica...
CVE-2024-0899
CVE-2024-0899 affects s2Member – Best Membership Plugin for WordPress. It enables Information Exposure via the API in all versions up to 230815, allowing unauthenticated access to post/page contents. Patch/update to 240315 or later to remediate. This entry is corroborated by multiple sources in t...
CVE-2024-2536
CVE-2024-2536 affects the Rank Math SEO with AI Tools plugin for WordPress. The vulnerability is Stored Cross-Site Scripting via HowTo block attributes due to insufficient input sanitization and output escaping. It impacts all versions up through 1.0.214 and requires contributor-level or higher a...
CVE-2024-1464
Elementor Addons by Livemesh (WordPress) has CVE-2024-1464: Stored XSS via the style attribute in the Posts Slider widget, affecting all versions up to 8.3.4 due to insufficient input sanitization/output escaping. Impact: authenticated users with contributor+ privileges can inject scripts that ru...
CVE-2024-2183
The issue is a stored XSS in Beaver Builder Addons by WPZOOM for WordPress, affecting all versions up to 1.3.4. The vulnerability arises from insufficient input sanitization and output escaping in the Heading widget, allowing authenticated attackers with contributor-level access and above to inject script...
CVE-2024-2543
The CVE-2024-2543 entry concerns the Permalink Manager Lite WordPress plugin. A missing capability check in get_uri_editor affects all versions up to 2.4.3.1, enabling unauthenticated attackers to view permalinks for all posts. Remediation: upgrade to 2.4.3.2 or later (patched in that version).
CVE-2024-2457
CVE-2024-2457 describes a Stored Cross-Site Scripting vulnerability in the WordPress plugin Modal Window – create popup modal window affecting all versions up to and including 5.3.8. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, enab...
CVE-2024-2186
CVE-2024-2186: Beaver Builder Addons by WPZOOM for WordPress is susceptible to Stored XSS via the Team Members widget in all versions
CVE-2024-2738
CVE-2024-2738 affects Permalink Manager Lite and Permalink Manager Pro for WordPress. The vulnerability is a Reflected Cross-Site Scripting flaw via the URL parameter ‘s’ in multiple locations present up to version 2.4.3.1, caused by insufficient input sanitization and output escaping. Attackers ...
CVE-2024-1948
CVE-2024-1948 affects Getwid – Gutenberg Blocks (WordPress) up to version 2.0.5. Root cause: insufficient input sanitization and output escaping in block content, enabling stored XSS. Exploitation requires Contributor+ privileges and user interaction on injected pages. Fix: upgrade to version 2.0...
CVE-2024-1571
CVE-2024-1571: WP Recipe Maker for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to 9.2.1 due to insufficient input sanitization and output escaping. Authenticated users with access to the recipe dashboard (admin by default, but roles can...
CVE-2023-6799
CVE-2023-6799 affects the WP Reset plugin for WordPress (versions up to 2.0). The root cause is insufficiently random snapshot names, enabling unauthenticated attackers to brute-force and extract sensitive data such as backups. The risk is tied to Information Exposure (C), with no vendor hardenin...
CVE-2024-1990
CVE-2024-1990 concerns the RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress. The connected sources confirm a blind SQL Injection via the id parameter in the RM_Form shortcode, exploitable in all versions up to 5.3.1.0 due to insufficie...