79 matches found
PT-2025-5968 · Unknown · Inlocation
Name of the Vulnerable Software and Affected Versions: InLocation versions n/a through 1.8 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, and also...
WordPress RSS News Scroller plugin <= 2.0.0 - CSRF to Stored XSS vulnerability
CSRF to Stored XSS vulnerability discovered by SOPROBRO in WordPress Plugin RSS News Scroller versions = 2.0.0...
PT-2025-5029 · Unknown · Shabbos/Yom Tov
Name of the Vulnerable Software and Affected Versions: Shabbos and Yom Tov versions 1.9 and earlier Description: The issue is related to a Cross-Site Request Forgery CSRF vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web...
PT-2025-5003 · Mfplugin · Mfplugin
Name of the Vulnerable Software and Affected Versions: MFPlugin versions n/a through 1.3 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, and also stor...
CVE-2024-6155
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated Subscriber+ Server-Side Request Forgery and Stored Cross Site Scripting in all versions up to, and including, 9.0.0 due to a missing capability check in the greenshiftdownloadfilelocaly function...
CVE-2024-8236 Elementor Website Builder – More than Just a Page Builder <= 3.25.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter of the Icon widget in all versions up to, and including, 3.25.7 due to insufficient input sanitization and output escaping. This makes it possibl...
PT-2024-34803 · Geekrmx · Geekrmx Twitter @Anywhere Plus
Name of the Vulnerable Software and Affected Versions: GeekRMX Twitter @Anywhere Plus versions n/a through 2.0 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that can lead to Stored XSS. This problem affects GeekRMX Twitter @Anywhere Plus, allowing for potential malicio...
PT-2024-32702 · Copyscape · Copyscape Premium
Name of the Vulnerable Software and Affected Versions: Copyscape Premium versions through 1.3.6 Description: A Cross-Site Request Forgery CSRF vulnerability is present in Copyscape Premium, allowing Stored XSS. Recommendations: For versions through 1.3.6, update to a version that fixes the CSRF...
PT-2024-37470 · WordPress · Request A Quote
Name of the Vulnerable Software and Affected Versions: Request a Quote WordPress plugin versions prior to 2.4.1 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, ...
PT-2024-28126 · Unknown · Post Layouts For Gutenberg
Name of the Vulnerable Software and Affected Versions: Post Layouts for Gutenberg versions 1.2.7 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting XSS. This allows for Stored XSS attacks. Recommendation...
CVE-2024-4957
The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-5447
The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowe...
CVE-2024-36163
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
CVE-2024-2220
The Button contact VR WordPress plugin through 4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-3075
The MM-email2image WordPress plugin through 0.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
PT-2024-24718 · Unknown · Dsgvo Youtube
Name of the Vulnerable Software and Affected Versions: DSGVO Youtube versions 1.4.5 and earlier Description: The issue is related to improper neutralization of input during web page generation, also known as Cross-site Scripting. This allows for Stored XSS attacks. Recommendations: For versions...
CVE-2024-2102
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'smsprefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the...
CVE-2023-5809
The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-4725
The Simple Posts Ticker WordPress plugin before 1.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-3169
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform...