
8962 matches found

OSV
added 2024/11/25 6:15 a.m. · 1 view

CVE-2024-10709

The YaDisk Files WordPress plugin through 1.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 6.8 · AI score 5.8 · EPSS 0.00678
Exploits: 1 · References: 1

Vulnrichment
added 2024/11/25 6:0 a.m. · 12 views

CVE-2024-10709 YaDisk Files <= 1.2.5 - Contributor+ Stored XSS via Shortcode

The YaDisk Files WordPress plugin through 1.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

AI score 8.2 · EPSS 0.00678
Exploits: 1 · References: 1

CVE
added 2024/11/25 6:0 a.m. · 59 views

CVE-2024-10709

CVE-2024-10709 affects the YaDisk Files WordPress plugin up to version 1.2.5. Red Hat and multiple sources confirm a stored cross-site scripting (XSS) vulnerability where shortcode attributes are not properly validated/escaped before being output in posts/pages, enabling users with the contributo...

CVSS 6.8 · AI score 6.1 · EPSS 0.00678
Exploits: 1 · References: 1 · Affected Software: 1

Positive Technologies
added 2024/11/25 12:0 a.m. · 3 views

PT-2024-16482

Name of the Vulnerable Software and Affected Versions: YaDisk Files WordPress plugin versions 1.2.5 and earlier Description: The issue arises from the plugin's failure to validate and escape some of its shortcode attributes before outputting them back in a page or post where the shortcode is...

CVSS 6.8 · AI score 6.4 · EPSS 0.00678
Exploits: 1 · References: 6

Patchstack
added 2024/11/23 1:15 p.m. · 2 views

WordPress Custom Shortcode Sidebars plugin <= 1.2 - CSRF to Stored XSS vulnerability

CSRF to Stored XSS vulnerability discovered by SOPROBRO Patchstack Alliance in WordPress Plugin Custom Shortcode Sidebars versions <= 1.2...

CVSS 7.1 · AI score 6.2 · EPSS 0.00163
Exploits: 0 · Affected Software: 1

NVD
added 2024/11/23 12:15 p.m. · 16 views

CVE-2024-11034

The Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation plugin for WordPress is vulnerable to arbitrary shortcode execution via fire_contact_form AJAX action in all versions up to, and including, 1.4. This is due to the software...

CVSS 7.3 · EPSS 0.00727
Exploits: 0 · References: 4

CVE
added 2024/11/23 11:39 a.m. · 49 views

CVE-2024-11228

CVE-2024-11228 affects the WordPress plugin pgall-for-woocommerce (워드프레스 결제 심플페이 – 우커머스 결제 플러그인)

CVSS 6.4 · AI score 5.7 · EPSS 0.00433
Exploits: 0 · References: 4

Cvelist
added 2024/11/23 11:23 a.m. · 20 views

CVE-2024-11231 우커머스 네이버페이 <= 3.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via mnp_purchase Shortcode

The 우커머스 네이버페이 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mnp_purchase shortcode in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 · EPSS 0.00433
Exploits: 0 · References: 4

Vulnrichment
added 2024/11/23 11:23 a.m. · 8 views

CVE-2024-11034 Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation <= 1.4 - Unauthenticated Arbitrary Shortcode Execution via fire_contact_form

The Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation plugin for WordPress is vulnerable to arbitrary shortcode execution via fire_contact_form AJAX action in all versions up to, and including, 1.4. This is due to the software...

CVSS 7.3 · AI score 7.8 · EPSS 0.00727
Exploits: 0 · References: 4

CVE
added 2024/11/23 11:23 a.m. · 52 views

CVE-2024-11034

The CVE-2024-11034 entry concerns the WordPress plugin “Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation.” Connected sources confirm that all versions up to and including 1.4 are vulnerable to arbitrary shortcode execution via the...

CVSS 7.3 · AI score 7.4 · EPSS 0.00727
Exploits: 0 · References: 4

Cvelist
added 2024/11/23 11:23 a.m. · 28 views

CVE-2024-11034 Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation <= 1.4 - Unauthenticated Arbitrary Shortcode Execution via fire_contact_form

The Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation plugin for WordPress is vulnerable to arbitrary shortcode execution via fire_contact_form AJAX action in all versions up to, and including, 1.4. This is due to the software...

CVSS 7.3 · EPSS 0.00727
Exploits: 0 · References: 4

Patchstack
added 2024/11/23 5:18 a.m. · 2 views

WordPress 워드프레스 결제 심플페이 plugin <= 5.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting pafw_instant_payment Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting pafw_instant_payment Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin 워드프레스 결제 심플페이 versions <= 5.1.4...

CVSS 6.4 · AI score 5.7 · EPSS 0.00433
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2024/11/23 5:16 a.m. · 2 views

WordPress Request a Quote for WooCommerce and Elementor plugin <= 1.4 - Unauthenticated Arbitrary Shortcode Execution via fire_contact_form vulnerability

Unauthenticated Arbitrary Shortcode Execution via fire_contact_form vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin Request a Quote for WooCommerce and Elementor versions <= 1.4...

CVSS 7.3 · AI score 7.1 · EPSS 0.00727
Exploits: 0 · References: 1 · Affected Software: 1

Vulnrichment
added 2024/11/23 3:25 a.m. · 9 views

CVE-2024-10886 Tribute Testimonials – WordPress Testimonial Grid/Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Tribute Testimonials – WordPress Testimonial Grid/Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tributetestimonialsslider' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user...

CVSS 6.4 · AI score 5.8 · EPSS 0.00329
Exploits: 0 · References: 2

Positive Technologies
added 2024/11/23 12:0 a.m. · 2 views

PT-2024-16846 · WordPress · 우커머스 네이버페이

Name of the Vulnerable Software and Affected Versions: 우커머스 네이버페이 plugin for WordPress versions up to, and including, 3.3.7 Description: The issue is related to Stored Cross-Site Scripting via the plugin's mnp_purchase shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 7.9 · EPSS 0.00433
Exploits: 0 · References: 7

Positive Technologies
added 2024/11/23 12:0 a.m. · 2 views

PT-2024-16719 · WordPress · Request A Quote For Woocommerce/Elementor – Get A Quote Button – Product Enquiry Form Popup – Product Quotation

Name of the Vulnerable Software and Affected Versions: The Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation plugin for WordPress versions up to, and including, 1.4 Description: The issue allows arbitrary shortcode execution via th...

CVSS 7.3 · AI score 9.8 · EPSS 0.00727
Exploits: 0 · References: 8

Positive Technologies
added 2024/11/23 12:0 a.m. · 2 views

PT-2024-16841 · WordPress · Memberlite Shortcodes

Name of the Vulnerable Software and Affected Versions: Memberlite Shortcodes plugin for WordPress versions up to, and including, 1.3.9 Description: The issue is related to Stored Cross-Site Scripting via the memberlite accordion shortcode due to insufficient input sanitization and output escaping...

CVSS 6.4 · AI score 8 · EPSS 0.0046
Exploits: 0 · References: 6

Positive Technologies
added 2024/11/23 12:0 a.m. · 3 views

PT-2024-16816 · WordPress · Rescue Shortcodes

Name of the Vulnerable Software and Affected Versions: Rescue Shortcodes plugin for WordPress versions up to, and including, 2.9 Description: The issue is related to Stored Cross-Site Scripting via the rescue progressbar shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 7.9 · EPSS 0.00951
Exploits: 0 · References: 7

Positive Technologies
added 2024/11/22 12:0 a.m. · 3 views

PT-2024-16951 · WordPress · Easy Liveblogs

Name of the Vulnerable Software and Affected Versions: Easy Liveblogs plugin for WordPress versions up to, and including, 2.3.5 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'elb liveblog' shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 7.9 · EPSS 0.00693
Exploits: 0 · References: 5

Positive Technologies
added 2024/11/22 12:0 a.m. · 2 views

PT-2024-16965 · WordPress · Slotti Ajanvaraus

Name of the Vulnerable Software and Affected Versions: Slotti Ajanvaraus plugin for WordPress versions up to, and including, 1.3.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'slotti' shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 7.8 · EPSS 0.00336
Exploits: 0 · References: 5