CVE-2024-35498
A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...
CVE-2024-46209
REDAXO CMS v5.17.1 is affected by a stored cross-site scripting (XSS) vulnerability in the /media/test.html component, caused by improper input validation that allows injection via the password parameter. Exploitation details are not provided in the sources, and in-the-wild status is not specifie...
CVE-2024-35498
CVE-2024-35498 targets Grav CMS v1.7.45 with a cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary web scripts or HTML via a crafted payload. Affected component: Grav CMS (Grav v1.7.45); vulnerability type: XSS. Impact is limited to web scripting/HTML execution...
CVE-2024-12475
CVE-2024-12475 describes a Stored Cross-Site Scripting flaw in the WP Multistore Locator plugin for WordPress, affecting versions up to 2.4.1. The root cause is insufficient input sanitization and output escaping, enabling an authenticated attacker with Contributor+ privileges to inject scripts t...
CVE-2024-11974
The CVE-2024-11974 vulnerability affects the Media Library Assistant WordPress plugin. It enables Reflected Cross-Site Scripting via the smc_settings_tab, unattachfixit-action, and woofixit-action parameters in all versions up to and including 3.23, due to insufficient input sanitization and outp...
CVE-2024-12100
The Bitcoin Lightning Publisher for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.1. This makes it possible for unauthenticated attackers to inject...
CVE-2024-56314
A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the...
CVE-2024-11975 Reactflow Visitor Recording and Heatmaps <= 1.0.10 - Reflected Cross-Site Scripting
The Reactflow Visitor Recording and Heatmaps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpnonce' parameter in all versions up to, and including, 1.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...
CVE-2024-11287 Ebook Store <= 5.8001 - Reflected Cross-Site Scripting
The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.8001. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages th...
CVE-2024-11331 isee-products-extractor <= 2.1.3 - Reflected Cross-Site Scripting
The استخراج محصولات ووکامرس برای آیسی plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to...
CVE-2024-11812 Wtyczka SeoPilot dla WP <= 3.3.091 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Wtyczka SeoPilot dla WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.091. This is due to missing or incorrect nonce validation on the SeoPilotAdminOptions function. This makes it possible for unauthenticated attackers to update...
3D Avatar User Profile <= 1.0.0 - Reflected Cross-Site Scripting
The 3D Avatar User Profile plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
CVE-2024-11254
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the disqusname parameter in all versions up to, and including, 1.1.1 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary we...
CVE-2024-12220
The SMS for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forg...
CVE-2024-12219 Stop Registration Spam <= 1.23 - Cross-Site Request Forgery to Cross-Site Scripting
The Stop Registration Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request...
CVE-2024-12239 PowerPack Lite for Beaver Builder <= 1.3.0.5 - Reflected Cross-Site Scripting via Navigate Parameter
The PowerPack Lite for Beaver Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the navigate parameter in all versions up to, and including, 1.3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
CVE-2024-11906
The TPG Get Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tpggetposts' shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...