CVE-2024-0626
CVE-2024-0626 affects the WooCommerce Clover Payment Gateway plugin for WordPress. The root cause is a missing capability check in the callback_handler, leading to broken access control that allows unauthenticated users to mark orders as paid. Affected versions are
CVE-2024-2112
The CVE-2024-2112 entry concerns the WordPress plugin Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder, affected up to version 1.15.22. The vulnerability, described across sources (NVD/NVD-related, Red Hat, PatchStack), is Sensitive Information Exposure via the plugin’s sign...
CVE-2024-2436
The CVE-2024-2436 entry concerns the Lightweight Accordion WordPress plugin. It describes a stored XSS in the plugin’s shortcodes caused by insufficient input sanitization and output escaping on user-supplied attributes, affecting all versions up to and including 1.5.16. The vulnerability require...
CVE-2024-2165
CVE-2024-2165 affects the SEOPress – On-site SEO plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting via the image alt parameter in all versions up to and including 7.5.2.1, caused by insufficient input sanitization and output escaping. Exploitation requires authentication, w...
CVE-2024-0826
CVE-2024-0826 affects Qi Addons For Elementor for WordPress. The vulnerability is a Stored Cross‑Site Scripting (XSS) in widget attributes caused by insufficient input sanitization and output escaping, allowing authenticated users with contributor-level or higher permissions to inject scripts tha...
CVE-2024-2261
CVE-2024-2261 affects the Event Tickets and Registration plugin for WordPress (all versions up to 5.8.2). The exposure is via RSVP functionality, enabling authenticated users with contributor access or higher to retrieve sensitive data (emails, street addresses). Remediation noted in connected so...
CVE-2024-2200
CVE-2024-2200 concerns the WordPress plugin Contact Form by BestWebSoft. Affected versions: all up to and including 4.2.8. Root cause: insufficient input sanitization and output escaping leads to Reflected Cross-Site Scripting via the cntctfrm_contact_subject parameter. Impact: unauthenticate...
CVE-2024-1904
CVE-2024-1904 affects the MasterStudy LMS WordPress plugin (up to and including 3.2.13). The issue is a missing capability check in the search_posts function, allowing authenticated users with subscriber-level access or higher to view draft post titles and excerpts. Impact is unauthorized data ex...
CVE-2024-2226
CVE-2024-2226 affects the Otter Blocks – Gutenberg Blocks plugin for WordPress. The vulnerability is stored XSS in the google-map block via the id parameter, present in all versions up to 2.6.4, due to insufficient input sanitization and output escaping. Exploitation requires an authenticated att...
CVE-2024-1637
The CVE-2024-1637 entry concerns the 360 Javascript Viewer WordPress plugin. Affected versions are all versions up to and including 1.7.12, where an unauthorized modification of data is possible due to a missing capability check and nonce exposure on multiple AJAX actions. The vulnerability can b...
CVE-2024-2033
CVE-2024-2033 affects the Video Conferencing with Zoom plugin for WordPress (versions
CVE-2024-2187
CVE-2024-2187: The Beaver Builder Addons by WPZOOM plugin for WordPress is exposed to Stored Cross-Site Scripting via the Testimonials widget in all versions up to and including 1.3.4. The root cause is insufficient input sanitization and output escaping, enabling authenticated attackers with contribut...
CVE-2024-1664
CVE-2024-1664 affects the WordPress plugin Responsive Gallery Grid (versions prior to 2.3.11). The vulnerability arises from insufficient sanitisation/escaping of several settings, which could allow high-privilege users (e.g., administrators) to perform Stored XSS, including in multisite configur...
CVE-2024-0082
CVE-2024-0082 affects NVIDIA ChatRTX for Windows. It describes a vulnerability in the UI that allows an attacker to cause improper privilege management by sending open file requests to the application, potentially enabling local privilege escalation, information disclos...
CVE-2024-1752
The CVE-2024-1752 entry concerns Font Farsi WordPress plugin versions ≤ 1.6.6. The issue is stored XSS caused by insufficient sanitization/escaping of certain settings, enabling high-privilege users (e.g., admins) to inject scripts even when unfiltered_html is disallowed (including multisite setu...
CVE-2024-1292
CVE-2024-1292 affects the WPB Show Core WordPress plugin prior to 2.7. The issue is a Reflected Cross-Site Scripting caused by insufficient sanitisation/escaping of parameters before they are output in the page, potentially exploitable against high-privilege users (e.g., admins). Public sources i...
CVE-2024-1589
The CVE-2024-1589 issue affects the WordPress SendPress Newsletters plugin up to version 1.23.11.6. The root cause is that certain settings are not properly sanitised/escaped, enabling Stored Cross-Site Scripting (stored XSS) by high-privilege users (e.g., admins), even when unfiltered_html is di...
CVE-2024-2132
CVE-2024-2132 affects the Ultimate Bootstrap Elements for Elementor WordPress plugin. The vulnerability is Stored XSS via the Image Widget, with the root cause being insufficient input sanitization and output escaping of user-supplied attributes. Impact (as described in the connected RH entry): authenticated attackers with contr...
CVE-2024-2444
CVE-2024-2444 affects the Inline Related Posts WordPress plugin (before 3.5.0). The issue is stored XSS due to insufficient sanitisation/escaping of certain settings, enabling high-privilege users (e.g., Administrators) to perform Cross-Site Scripting attacks. The vulnerability is exploitable via...
CVE-2024-2509
The CVE-2024-2509 issue affects the WordPress plugin Gutenberg Blocks by Kadence Blocks (versions