Contact Form and Calls To Action by vcita <= 2.7.1 - Settings Update Via CSRF

The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions =a”alert2;...

Contact Form Builder by vcita <= 4.10.2 - Settings Update Via CSRF

The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions...

Multiple plugins by vcita - Contributor+ Stored Cross-Site Scripting

The plugin does not sanitize and the email field in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts in the plugin settings page, which could target high privilege users such as administrators. PoC...

Multiple plugins by vcita - CSRF to Stored XSS in settings page

The plugin does not protect the live-site-parse-vcita-callback settings page against CSRF attacks, allowing an unauthenticated attacker to inject arbitrary web scripts by tricking a logged in user with contributor role or higher to click a link. PoC...

Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery (CSRF) to Stored XSS

The plugin does not protect the ajax actions azhsave against CSRF attacks, allowing an unauthenticated attacker to modify posts by tricking a logged in user with rights to edit the post to submit a crafted request. Furthermore if the targeted user has a role of editor or above, arbitrary web...

Bookly < 21.8 - Admin+ Stored Cross-Site Scripting via service titles

The plugin does not sanitize and escape service titles in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...

Dcat-Admin vulnerable to Stored Cross-site Scripting

A stored cross-site scripting XSS vulnerability in Dcat-Admin v2.1.3-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter...

GHSA-P74V-MWVG-8GHP Dcat-Admin vulnerable to Stored Cross-site Scripting

A stored cross-site scripting XSS vulnerability in Dcat-Admin v2.1.3-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter...

CVE-2023-31548

A stored Cross-site scripting XSS vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

Cross site scripting

A stored Cross-site scripting XSS vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CVE-2023-33736

A stored cross-site scripting XSS vulnerability in Dcat-Admin v2.1.3-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter...

CVE-2023-33736

A stored cross-site scripting XSS vulnerability in Dcat-Admin v2.1.3-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter...

Cross site scripting

A stored cross-site scripting XSS vulnerability in Dcat-Admin v2.1.3-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter...

Cross site scripting

The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userfavorites' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-2304 Favorites <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userfavorites' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

Cross site scripting

The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

CVE-2023-31548

A stored Cross-site scripting XSS vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CRM Perks Forms < 1.1.2 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitize and escape the formid field in the plugin settings page, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup. PoC...

Cross site scripting

A stored cross-site scripting XSS vulnerability in TFDi Design smartCARS 3 v0.7.0 and below allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the body of news article...

CVE-2023-33751

A stored cross-site scripting XSS vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at /app/tag/controller/ApiAdminTagCategory.php...