
8962 matches found

CNNVD
added 2024/03/21 12:0 a.m. · 4 views

WordPress Plugin Shariff Wrapper Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...

CVSS 6.4 · AI score 7.6 · EPSS 0.00505
Exploits 0 · References 4
OSV
added 2024/03/20 3:15 a.m. · 3 views

CVE-2024-2460

The GamiPress – Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gamipressbutton' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 5.4 · AI score 5.9 · EPSS 0.00435
Exploits 0 · References 2
OSV
added 2024/03/20 3:15 a.m. · 3 views

CVE-2024-1799

The GamiPress – The 1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to SQL Injection via the 'achievementtypes' attribute of the gamipressearnings shortcode in all versions up to, and including, 6.8.6 due to insufficient escapin...

CVSS 8.8 · AI score 5.8 · EPSS 0.00808
Exploits 0 · References 2
WPVulnDB
added 2024/03/20 12:0 a.m. · 14 views

Sitekit < 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description: The Sitekit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

CVSS 6.5 · AI score 5.8 · EPSS 0.0034
Exploits 0 · References 1 · Affected Software 1
WPVulnDB
added 2024/03/20 12:0 a.m. · 19 views

Popup Maker – Popup for opt-ins, lead gen, & more < 1.18.3 - Contributor+ Stored XSS

Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

CVSS 6.4 · AI score 5.8 · EPSS 0.0034
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2024/03/20 12:0 a.m. · 3 views

PT-2024-20471 · WordPress · Ux Flat

Name of the Vulnerable Software and Affected Versions: UX Flat plugin for WordPress versions up to, and including, 4.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'button' shortcode due to insufficient input sanitization and output escaping on user-supplied...

CVSS 7.4 · AI score 7.9 · EPSS 0.00504
Exploits 0 · References 4
Positive Technologies
added 2024/03/20 12:0 a.m. · 5 views

PT-2024-19643 · WordPress · Animated Headline

Name of the Vulnerable Software and Affected Versions: Animated Headline plugin for WordPress versions up to, and including, 4.0 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'animated-headline' shortcode. This allows...

CVSS 6.4 · AI score 9.4 · EPSS 0.00328
Exploits 0 · References 3
WPVulnDB
added 2024/03/20 12:0 a.m. · 18 views

Builder for WooCommerce reviews shortcodes – ReviewShort < 1.01.4 - Cross-Site Request Forgery

Description: The Builder for WooCommerce reviews shortcodes – ReviewShort plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.01.3. This is due to missing or incorrect nonce validation on the wprshrtcdredirect function. This makes it possible for...

CVSS 4.3 · AI score 6.4 · EPSS 0.00202
Exploits 0 · References 1 · Affected Software 1
OSV
added 2024/03/19 3:15 p.m. · 1 views

CVE-2024-1401

The Profile Box Shortcode And Widget WordPress plugin before 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite...

CVSS 4.8 · AI score 7.3 · EPSS 0.00416
Exploits 2 · References 1
CVE
added 2024/03/19 2:28 p.m. · 74 views

CVE-2024-1401

CVE-2024-1401 affects Profile Box Shortcode And Widget for WordPress, prior to version 1.2.1. Root cause: settings are not sanitized/escaped, enabling Stored XSS for admin-level users (and higher) even when unfiltered_html is disallowed (e.g., multisite). Impact: Stored XSS could compromise site ...

CVSS 4.8 · AI score 7.6 · EPSS 0.00416
Exploits 2 · References 1 · Affected Software 1
CNNVD
added 2024/03/19 12:0 a.m. · 4 views

WordPress Plugin Profile Box Shortcode And Widget Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. WordPress plugin is an application...

CVSS 4.8 · AI score 5.6 · EPSS 0.00416
Exploits 2 · References 2
Positive Technologies
added 2024/03/19 12:0 a.m. · 3 views

PT-2024-18317 · Gamipress · Gamipress

Name of the Vulnerable Software and Affected Versions: GamiPress versions up to, and including, 6.8.6 Description: The issue concerns a SQL Injection vulnerability via the achievement types attribute of the gamipress earnings shortcode. This vulnerability is due to insufficient escaping on the...

CVSS 8.8 · AI score 9.5 · EPSS 0.00808
Exploits 0 · References 8
Positive Technologies
added 2024/03/19 12:0 a.m. · 1 views

PT-2024-20525 · WordPress · Standout Color Boxes/Buttons

Name of the Vulnerable Software and Affected Versions: The Standout Color Boxes and Buttons plugin for WordPress versions up to, and including, 0.7.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'color-button' shortcode due to insufficient input sanitization a...

CVSS 6.4 · AI score 8 · EPSS 0.004
Exploits 0 · References 5
Patchstack
added 2024/03/19 12:0 a.m. · 8 views

WordPress Advanced Social Feeds Widget & Shortcode Plugin <= 1.7 is vulnerable to Cross Site Scripting (XSS)

Software: Advanced Social Feeds Widget & Shortcode · Type: Plugin · Vulnerable versions: <= 1.7 · Fixed in: N/A · OWASP Top 10: A7: Cross-Site Scripting (XSS) · Classification: Cross Site Scripting (XSS) · CVE: CVE-2024-0951 · Patch priority: Low · CVSS severity: Low (5.9) · Developer: Claim ownership · PSID: 185d76acedb2 · Credits...

AI score 5.7 · EPSS 0.00379
Exploits 2 · References 3 · Affected Software 1
OSV
added 2024/03/18 7:15 p.m. · 1 views

CVE-2024-0719

The Tabs Shortcode and Widget WordPress plugin through 1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

CVSS 5.4 · AI score 7.3
Exploits 0 · References 1
OSV
added 2024/03/18 7:15 p.m. · 3 views

CVE-2024-0711

The Buttons Shortcode and Widget WordPress plugin through 1.16 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

CVSS 6.1 · AI score 5.8 · EPSS 0.00413
Exploits 2 · References 1
NVD
added 2024/03/18 7:15 p.m. · 23 views

CVE-2024-0711

The Buttons Shortcode and Widget WordPress plugin through 1.16 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

CVSS 6.1 · AI score 5.6 · EPSS 0.00413
Exploits 2 · References 1
CVE
added 2024/03/18 7:5 p.m. · 74 views

CVE-2024-0951

CVE-2024-0951 affects the WordPress plugin Advanced Social Feeds Widget & Shortcode (versions

CVSS 4.8 · AI score 7.6 · EPSS 0.00379
Exploits 2 · References 1 · Affected Software 1
Vulnrichment
added 2024/03/18 7:5 p.m. · 12 views

CVE-2024-0711 Buttons Shortcode and Widget <= 1.16 - Stored XSS via shortcode

The Buttons Shortcode and Widget WordPress plugin through 1.16 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

AI score 5.9 · EPSS 0.00413
Exploits 2 · References 1
Vulnrichment
added 2024/03/18 7:5 p.m. · 15 views

CVE-2024-0719 Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting

The Tabs Shortcode and Widget WordPress plugin through 1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

AI score 5.8 · EPSS 0.00431
Exploits 2 · References 1