CVE-2024-3603 OSM – OpenStreetMap <= 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osmmap' shortcode in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping on user supplied attributes such as 'theme'. This makes it possible...

CVE-2024-3603

CVE-2024-3603 affects the OSM – OpenStreetMap WordPress plugin. All versions up to 6.0.2 are vulnerable to a Stored XSS via the plugin’s osm_map shortcode due to insufficient input sanitization and output escaping for attributes (e.g., theme). Exploitation requires contributor-level access or hig...

WordPress Webico Slider Flatsome Addons plugin <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wbc_image Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via wbcimage Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Webico Slider Flatsome Addons versions = 2.0.1...

WordPress Advanced File Manager Shortcode plugin <= 2.5.3 - Authenticated (Contributor+) Arbitrary File Upload vulnerability

Authenticated Contributor+ Arbitrary File Upload vulnerability discovered by Colin Xu in WordPress Plugin File Manager Advanced Shortcode versions = 2.5.3...

PT-2024-26854 · WordPress · Osm – Openstreetmap

Name of the Vulnerable Software and Affected Versions: OSM – OpenStreetMap plugin for WordPress versions up to, and including, 6.0.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'osm map' shortcode due to insufficient input sanitization and output escaping on...

WordPress File Manager Advanced Shortcode Plugin <= 2.4 is vulnerable to Directory Traversal

Software File Manager Advanced Shortcode Type Plugin Vulnerable versions = 2.4 Fixed in 2.4.1 OWASP Top 10 A3: Injection Classification Directory Traversal CVE CVE-2023-7062 Patch priority Low CVSS severity Low 7.7 Developer Claim ownership PSID a83d051bcbb6 Credits Colin Xu Required privilege...

PT-2024-37218 · WordPress · Webico Slider Flatsome Addons

Name of the Vulnerable Software and Affected Versions: Webico Slider Flatsome Addons plugin for WordPress versions up to, and including, 2.0.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's wbc image shortcode due to insufficient input sanitization and output...

PT-2024-37252 · WordPress · Simple Alert Boxes

Name of the Vulnerable Software and Affected Versions: The Simple Alert Boxes plugin for WordPress versions up to, and including, 1.4.0 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's Alert shortcode, allowing...

CVE-2024-37554

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in CodeAstrology Team UltraAddons Elementor Lite Header & Footer Builder, Menu Builder, Cart Icon, Shortcode.This issue affects UltraAddons Elementor Lite Header & Footer Builder, Menu Builder,...

WordPress Ninja Forms plugin <= 3.8.4 - Subscriber+ Arbitrary Shortcode Execution vulnerability

Subscriber+ Arbitrary Shortcode Execution vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin Ninja Forms versions = 3.8.4...

WordPress Amelia Shortcode Extended plugin <= 1.6 - Malicious Polyfill.io Embed vulnerability

Malicious Polyfill.io Embed vulnerability discovered by Sansec.io in WordPress Plugin Amelia Shortcode Extended versions = 1.6...

WordPress Amelia Shortcode Extended Plugin <= 1.6 is vulnerable to Backdoor

Software Amelia Shortcode Extended Type Plugin Vulnerable versions = 1.6 Fixed in N/A OWASP Top 10 A3: Injection Classification Backdoor CVE N/A Patch priority Low CVSS severity Low 5.3 Developer Claim ownership PSID 6bcf0ef7322f Credits Sansec.io Required privilege Unauthenticated Published 3...

CVE-2024-5938

The Boot Store theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2024-5938 Boot Store <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

The Boot Store theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

WordPress Boot Store theme <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Button Shortcode vulnerability discovered by Francesco Carlucci in WordPress Theme Boot Store versions = 1.6.4...

PT-2024-18037 · Unknown · The Post Grid – Shortcode

Name of the Vulnerable Software and Affected Versions: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin versions up to, and including, 7.7.1 Description: The issue is related to Stored Cross-Site Scripting via the section title tag attribute due to insufficient...

PT-2024-37253 · WordPress · Boot Store

Name of the Vulnerable Software and Affected Versions: The Boot Store theme for WordPress versions up to, and including, 1.6.4 Description: The issue is related to Stored Cross-Site Scripting via the link parameter within the theme's Button shortcode due to insufficient input sanitization and...

WordPress Stock Ticker plugin <= 3.24.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via stockticker Shortcode vulnerability discovered by Dale Mavers in WordPress Plugin Stock Ticker versions = 3.24.4...

CVE-2024-6363

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stockticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

PT-2024-37568 · WordPress · Stock Ticker

Name of the Vulnerable Software and Affected Versions: Stock Ticker plugin for WordPress versions up to, and including, 3.24.4 Description: The issue is related to Stored Cross-Site Scripting via the stock ticker shortcode due to insufficient input sanitization and output escaping on user-supplie...