CVE-2024-13581 Simple Charts <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'simplechart' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-13522 magayo Lottery Results <= 2.0.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The magayo Lottery Results plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.12. This is due to missing or incorrect nonce validation on the 'magayo-lottery-results' page. This makes it possible for unauthenticated attackers to update...

what3words Address Field < 4.0.16 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Description The what3words Address Field plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.15. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and...

CVE-2024-27593

A stored cross-site scripting XSS vulnerability in the Filter function of Eramba Version 3.22.3 Community Edition allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the filter name field. This vulnerability has been fixed in version 3.23.0...

CVE-2024-35583

A cross-site scripting XSS vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Remarks input field...

CVE-2024-13867

The Listivo - Classified Ads WordPress Theme theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 2.3.67 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

CVE-2024-12599

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

CVE-2025-0837

The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and...

CVE-2025-0511

The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVE-2024-57409

CVE-2024-57409 affects the Cool-Admin-Java project (v1.0) with a vulnerability in the Parameter List module . The issue is a stored XSS that allows an attacker to execute arbitrary web scripts or HTML by injecting a crafted payload into the internet pictures field . Reported details indicate impa...

CVE-2022-25307

The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the /includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when sit...

CVE-2022-25306

The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the /includes/class-wp-statistics-visitor.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when...

CVE-2022-38339

Safe Software FME Server v2021.2.5, v2022.0.0.2 and below contains a cross-site scripting XSS vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the login page...

CVE-2022-2443

The FreeMind WP Browser plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.2. This is due to missing nonce protection on the FreemindOptions function found in the /freemind-wp-browser.php file. This makes it possible for unauthenticated attackers t...

CVE-2022-2541

The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the /app/sites/ajax/actions/keywordsave.php file that is called via the doAjax function. This makes i...

CVE-2022-2039

The Free Live Chat Support plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.11. This is due to missing nonce protection on the livesupportisettings function found in the /livesupporti.php file. This makes it possible for unauthenticated attacke...

CVE-2020-36840

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wpajaxrouteurl function called via a nopriv AJAX action in versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers t...

CVE-2024-7869

The 123.chat - Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that wi...

CVE-2024-6447

The FULL – Cliente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the license plan parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping as well as missing authorization and capability checks on the related...

CVE-2024-4097

The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG upload feature in all versions up to, and including, 3.1.67 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...