CVE-2024-10683
CVE-2024-10683 affects the WordPress plugin Contact Form 7 – PayPal & Stripe Add-on, due to unsafe use of add_query_arg/remove_query_arg without proper escaping. The issue is Reflected XSS, exploitable by unauthenticated actors who can trick a user into clicking a manipulated link, with exploitat...
CVE-2024-10187 myCred <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_link Shortcode
The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_link shortcode in all version...
CVE-2024-10621 Simple Shortcode for Google Maps <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Simple Shortcode for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pwmap shortcode in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-10922
CVE-2024-51647 describes a CSRF to Stored XSS vulnerability in the WordPress plugin Chaser324 Featured Posts Scroll, affecting versions up to 1.25. The issue enables stored XSS via CSRF in the plugin’s Featured Posts Scroll component. Public-facing details in connected documents confirm the affec...
CVE-2024-10922
...
CVE-2024-8323
CVE-2024-8323 affects the Pricing Tables WordPress Plugin – Easy Pricing Tables (WordPress). The vulnerability is a Stored Cross-Site Scripting via the fontFamily attribute in all versions up to and including 3.2.6, exploitable by authenticated users with Contributor-level access or higher to inj...
CVE-2024-9307
The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute...
CVE-2024-10647 WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.9.244 - Reflected Cross-Site Scripting via URL
The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.244. This makes it possible for unauthenticated...
CVE-2024-10647
CVE-2024-10647 affects the WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin. It is a Reflected Cross-Site Scripting vulnerability caused by remove_query_arg not being properly escaped in the URL, affecting all versions up to and including 1.9.244. Exploitation is possible by a...
CVE-2024-9667
The Seriously Simple Podcasting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.5.0. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2024-9667
CVE-2024-9667 affects Seriously Simple Podcasting for WordPress (all versions up to and including 3.5.0). The vulnerability is a Reflected Cross-Site Scripting flaw caused by insufficient escaping of add_query_arg in the URL, enabling unauthenticated attackers to inject web scripts into pages exe...
CVE-2024-10340
CVE-2024-10340 is a Stored Cross-Site Scripting vulnerability in the WordPress plugin Shortcodes Blocks Creator Ultimate (WordPress). Affected versions up to and including 2.1.3 fail to sanitize user-supplied attributes in the scu shortcode, allowing authenticated attackers with contributor level...
CVE-2024-10340 Shortcodes Blocks Creator Ultimate <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Shortcodes Blocks Creator Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'scu' shortcode in versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-9896
The BBP Core – Expand bbPress powered forums with useful features plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated...
CVE-2024-9896
CVE-2024-9896 affects BBP Core – Expand bbPress powered forums with useful features (WordPress) up to version 1.2.5. It is a Reflected XSS caused by insufficient escaping of add_query_arg in the URL. Exploitation requires a user to click a crafted link; unauthenticated attackers can inject script...
CVE-2024-8739
The ReCaptcha Integration for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary...
CVE-2024-8739
CVE-2024-8739 concerns the ReCaptcha Integration for WordPress plugin vulnerable to Reflected Cross-Site Scripting (XSS) due to improper escaping in add_query_arg on the URL for all versions up to and including 1.2.5. The issue allows unauthenticated attackers to inject arbitrary scripts on pages...
CVE-2024-10232 AtomChat <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via atomchat Shortcode
The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atomchat shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...