8962 matches found

Vulnrichment
added 2024/12/06 9:23 a.m., 8 views

CVE-2024-10681 ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup <= 4.0.51 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.0.51. This is due to the software allowing users to execute an action that does not...

CVSS 6.3, AI score 7.3, EPSS 0.00358
Exploits: 0, References: 2

Cvelist
added 2024/12/06 9:23 a.m., 15 views

CVE-2024-10681 ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup <= 4.0.51 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.0.51. This is due to the software allowing users to execute an action that does not...

CVSS 6.3, EPSS 0.00358
Exploits: 0, References: 2

Cvelist
added 2024/12/06 9:22 a.m., 16 views

CVE-2024-10909 Pojo Forms <= 1.4.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via form_preview_shortcode

The Pojo Forms plugin for WordPress is vulnerable to arbitrary shortcode execution via the form_preview_shortcode AJAX action in all versions up to, and including, 1.4.7. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVSS 6.3, EPSS 0.00439
Exploits: 0, References: 4

Vulnrichment
added 2024/12/06 9:22 a.m., 8 views

CVE-2024-10909 Pojo Forms <= 1.4.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via form_preview_shortcode

The Pojo Forms plugin for WordPress is vulnerable to arbitrary shortcode execution via the form_preview_shortcode AJAX action in all versions up to, and including, 1.4.7. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVSS 6.3, AI score 7.3, EPSS 0.00439
Exploits: 0, References: 4

CVE
added 2024/12/06 9:22 a.m., 57 views

CVE-2024-10909

The Pojo Forms WordPress plugin (pojo-forms) contains a vulnerability affecting versions up to 1.4.7 where an authenticated user with Subscriber+ can trigger arbitrary shortcode execution via the form_preview_shortcode AJAX action. The issue stems from insufficient validation before running do_sh...

CVSS 6.3, AI score 6.5, EPSS 0.00439
Exploits: 0, References: 4

CVE
added 2024/12/06 8:24 a.m., 54 views

CVE-2024-10689

CVE-2024-10689 pertains to XLTab – Accordions and Tabs for Elementor Page Builder (WordPress) versions up to 1.4, where an Information Exposure vulnerability allows authenticated attackers with Contributor-level access or higher to extract data from private or draft posts via the XLTAB_INSERT_TPL...

CVSS 4.3, AI score 4.4, EPSS 0.0032
Exploits: 0, References: 2

CNNVD
added 2024/12/06 12:00 a.m., 2 views

WordPress plugin The Pojo Forms code injection vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A code injection vulnerability exists ...

CVSS 6.3, AI score 8.7, EPSS 0.00439
Exploits: 0, References: 4

Positive Technologies
added 2024/12/06 12:00 a.m., 2 views

PT-2024-17276 · WordPress · Folder Gallery

Name of the Vulnerable Software and Affected Versions: Folder Gallery plugin for WordPress versions up to, and including, 1.7.4 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'foldergallery' shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.1, AI score 6.2, EPSS 0.00324
Exploits: 0, References: 7

Positive Technologies
added 2024/12/06 12:00 a.m., 3 views

PT-2024-17002 · WordPress · Onlyoffice Docs

Name of the Vulnerable Software and Affected Versions: ONLYOFFICE Docs plugin for WordPress versions up to, and including, 2.0.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'onlyoffice' shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4, AI score 6.1, EPSS 0.00249
Exploits: 0, References: 6

Positive Technologies
added 2024/12/06 12:00 a.m., 2 views

PT-2024-16921 · WordPress · Smart Popup Blaster

Name of the Vulnerable Software and Affected Versions: Smart PopUp Blaster plugin for WordPress versions up to, and including, 1.4.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'spb-button' shortcode due to insufficient input sanitization and output escaping ...

CVSS 6.4, AI score 6.2, EPSS 0.00249
Exploits: 0, References: 6

Positive Technologies
added 2024/12/06 12:00 a.m., 4 views

PT-2024-16819 · WordPress · Mycred

Name of the Vulnerable Software and Affected Versions: myCred – Loyalty Points and Rewards plugin versions up to, and including, 2.7.5.2 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the...

CVSS 6.4, AI score 6, EPSS 0.00809
Exploits: 0, References: 8

Patchstack
added 2024/12/05 10:58 p.m., 2 views

WordPress Pojo Forms plugin <= 1.4.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via form_preview_shortcode vulnerability

Authenticated Subscriber+ Arbitrary Shortcode Execution via form_preview_shortcode vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin Pojo Forms versions <= 1.4.7...

CVSS 6.3, AI score 7.1, EPSS 0.00439
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2024/12/05 10:43 p.m., 2 views

WordPress Cookielay plugin <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via cookielay Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via cookielay Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Cookielay versions <= 1.2.0...

CVSS 6.4, AI score 5.8, EPSS 0.00303
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2024/12/05 10:24 p.m., 2 views

WordPress myCred plugin <= 2.7.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via mycred_send Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin myCred versions <= 2.7.5.2...

CVSS 6.4, AI score 5.8, EPSS 0.00809
Exploits: 0, References: 1, Affected Software: 1

NVD
added 2024/12/05 10:31 a.m., 14 views

CVE-2024-11779

The WIP WooCarousel Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wipwoocarouselproductscarousel' shortcode in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVSS 6.4, EPSS 0.00312
Exploits: 0, References: 4

Vulnrichment
added 2024/12/05 9:23 a.m., 5 views

CVE-2024-10056 Contact Form Builder <= 4.10.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via livesite-pay Shortcode

The Contact Form Builder by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's livesite-pay shortcode in all versions up to, and including, 4.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

CVSS 6.4, AI score 5.9, EPSS 0.00312
Exploits: 0, References: 3

Patchstack
added 2024/12/05 7:18 a.m., 2 views

WordPress Luna Web Radio Player plugin <= 6.24.11.07 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton in WordPress Plugin Luna Web Radio Player versions <= 6.24.11.07...

CVSS 6.4, AI score 5.8, EPSS 0.00249
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2024/12/05 3:23 a.m., 18 views

CVE-2024-10881 LUNA RADIO PLAYER <= 6.24.11.07 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The LUNA RADIO PLAYER plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lunaradio' shortcode in versions up to, and including, 6.24.11.07 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4, EPSS 0.00249
Exploits: 0, References: 2

CVE
added 2024/12/05 3:23 a.m., 49 views

CVE-2024-10881

CVE-2024-10881 affects the LUNA RADIO PLAYER WordPress plugin. The vulnerability is Stored Cross-Site Scripting via the lunaradio shortcode in versions up to and including 6.24.11.07, caused by insufficient input sanitization and output escaping on user-supplied attributes. Impact: aut...

CVSS 6.4, AI score 5.7, EPSS 0.00249
Exploits: 0, References: 2

Positive Technologies
added 2024/12/05 12:00 a.m., 2 views

PT-2024-16615 · WordPress · Luna Radio Player

Name of the Vulnerable Software and Affected Versions: LUNA RADIO PLAYER plugin for WordPress versions up to, and including, 6.24.11.07 Description: The issue is related to Stored Cross-Site Scripting via the 'lunaradio' shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4, AI score 8, EPSS 0.00249
Exploits: 0, References: 7