CVE-2024-12283
The WP Pipes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘x1’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
CVE-2024-12323 turboSMTP <= 4.6 - Reflected Cross-Site Scripting via 'page'
The turboSMTP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
CVE-2024-11945 Email Reminders <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
The Email Reminders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access an...
CVE-2024-12128 Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal <= 3.1.2 - Reflected Cross-Site Scripting via monthly_sales_current_year Parameter
The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘monthly_sales_current_year’ parameter in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This mak...
CVE-2024-11374 TWChat – Send or receive messages from users <= 4.0.4 - Reflected Cross-Site Scripting
The TWChat – Send or receive messages from users plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.0.4. This makes it possible for unauthenticated attackers to injec...
CVE-2024-10046
The افزونه پیامک ووکامرس Persian WooCommerce SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.0.5. This makes it possible for unauthenticated attackers to injec...
CVE-2024-11329
The Comfino Payment Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.1.1. This makes it possible for unauthenticated attackers to inject...
CVE-2024-12257 CardGate Payments for WooCommerce <= 3.2.1 - Reflected Cross-Site Scripting
The CardGate Payments for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...
CVE-2024-12166
CVE-2024-12166 refers to a vulnerability in the WordPress plugin Shortcodes Blocks Creator Ultimate (versions up to 2.2.0). The issue is a reflected cross-site scripting (XSS) via the page parameter caused by insufficient input sanitization and output escaping. This allows an unauthenticated atta...
CVE-2024-11943
CVE-2024-11943 concerns the WordPress plugin “PGAll for WooCommerce” (워드프레스 결제 심플페이 – 우커머스 결제 플러그인) with a Reflected Cross‑Site Scripting vulnerability in versions up to 5.2.2. The issue arises from using add_query_arg without proper escaping on the URL, enabling unauthenticated attackers to inje...
CVE-2024-50677
A cross-site scripting (XSS) vulnerability in OroPlatform CMS v5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search parameter...
CVE-2024-9872
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitasaveuserdatacallback function in all versions up to, and including, 4.5.1. This makes it possible for authenticated...
CVE-2024-12060
The WP Media Optimizer .webp plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpmowebp-css-resources’ and 'wpmowebp-js-resources' parameters in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible...
CVE-2024-11336
The Clickbank WordPress Plugin Storefront plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing or incorrect nonce validation via the csmenu page. This makes it possible for unauthenticated attackers to update settings a...
CVE-2024-11368
The Splash Sync plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...
CVE-2024-11687
CVE-2024-11687 concerns the WordPress plugin “Next-Cart Store to WooCommerce Migration” (versions up to and including 3.9.2). The connected sources confirm a Reflected Cross-Site Scripting (XSS) vulnerability triggered via the page parameter, caused by insufficient input sanitization and output e...
CVE-2024-11276 PDF Builder for WooCommerce. Create invoices,packing slips and more <= 1.2.136 - Reflected Cross-Site Scripting
The PDF Builder for WooCommerce. Create invoices,packing slips and more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.2.136 due to insufficient input sanitization and output escaping. This makes it possible fo...
CVE-2024-9769
CVE-2024-9769 corresponds to the WordPress Video Gallery – YouTube Gallery plugin vulnerability: stored cross-site scripting via admin settings in all versions up to 2.4.1. Exploitation requires authenticated access with administrator-level permissions (and above) and is restricted to multisite i...
CVE-2024-10836 Flixita <= 1.0.82 - Reflected Cross-Site Scripting via id Parameter
The Flixita theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.0.82 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...