
5210 matches found

CVE
added 2024/08/16 4:29 a.m. | 57 views

CVE-2024-7301

CVE-2024-7301 : WordPress File Upload plugin for WordPress suffers Stored Cross-Site Scripting via SVG uploads in all versions up to 4.24.8 due to insufficient input sanitization and output escaping. Unauthenticated attackers could inject scripts that execute when users view the SVG. Risk details...

CVSS 7.2 | AI score 6.2 | EPSS 0.03281
Exploits: 0 | References: 5 | Affected Software: 1

Vulnrichment
added 2024/08/16 12:0 a.m. | 17 views

CVE-2024-25837

A stored cross-site scripting (XSS) vulnerability in October CMS Bloghub Plugin v1.3.8 and lower allows attackers to execute arbitrary web scripts or HTML via a crafted payload into the Comments section...

AI score 5.6 | EPSS 0.00155
Exploits: 0 | References: 2

Cvelist
added 2024/08/16 12:0 a.m. | 14 views

CVE-2024-25837

A stored cross-site scripting (XSS) vulnerability in October CMS Bloghub Plugin v1.3.8 and lower allows attackers to execute arbitrary web scripts or HTML via a crafted payload into the Comments section...

EPSS 0.00155
Exploits: 0 | References: 2

CVE
added 2024/08/16 12:0 a.m. | 57 views

CVE-2024-25837

CVE-2024-25837 — Summary (concrete details from connected docs): The vulnerability is a stored XSS in the October CMS Bloghub Plugin, affecting versions 1.3.8 and earlier. The XSS occurs via a crafted payload in the Comments section, enabling execution of arbitrary web scripts or HTML in the vict...

CVSS 5.4 | AI score 5.6 | EPSS 0.00155
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2024/08/12 1:38 p.m. | 8 views

CVE-2024-7649

The Opal Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via checkout form fields in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

CVSS 6.1 | EPSS 0.00772
Exploits: 0 | References: 2

NVD
added 2024/08/12 1:38 p.m. | 9 views

CVE-2024-7574

The Christmasify! plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.5. This is due to missing nonce validation on the 'options' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious...

CVSS 6.1 | EPSS 0.00168
Exploits: 0 | References: 2

NVD
added 2024/08/12 1:38 p.m. | 10 views

CVE-2024-6691

The Easy Digital Downloads – Sell Digital Files & Subscriptions eCommerce Store + Payments Made Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. Thi...

CVSS 4.4 | EPSS 0.00191
Exploits: 0 | References: 2

CVE
added 2024/08/10 5:37 a.m. | 63 views

CVE-2024-7574

CVE-2024-7574 affects the Christmasify! WordPress plugin (versions

CVSS 6.1 | AI score 5.9 | EPSS 0.00168
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2024/08/10 5:37 a.m. | 10 views

CVE-2024-7574 Christmasify! <= 1.5.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Christmasify! plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.5. This is due to missing nonce validation on the 'options' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious...

CVSS 6.1 | AI score 6.4 | EPSS 0.00168
Exploits: 0 | References: 2

Cvelist
added 2024/08/10 5:37 a.m. | 19 views

CVE-2024-7574 Christmasify! <= 1.5.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Christmasify! plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.5. This is due to missing nonce validation on the 'options' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious...

CVSS 6.1 | EPSS 0.00168
Exploits: 0 | References: 2

Cvelist
added 2024/08/10 3:23 a.m. | 25 views

CVE-2024-7649 Opal Membership <= 1.2.4 - Unauthenticated Stored Cross-Site Scripting

The Opal Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via checkout form fields in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

CVSS 6.1 | EPSS 0.00772
Exploits: 0 | References: 2

Vulnrichment
added 2024/08/10 3:23 a.m. | 13 views

CVE-2024-7649 Opal Membership <= 1.2.4 - Unauthenticated Stored Cross-Site Scripting

The Opal Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via checkout form fields in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

CVSS 6.1 | AI score 5.8 | EPSS 0.00772
Exploits: 0 | References: 2

CVE
added 2024/08/06 10:59 a.m. | 22 views

CVE-2024-7317

CVE-2024-7317 affects the WordPress plugin Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager (vulnerable up to 3.0.3). It permits stored cross-site scripting via SVG uploads due to insufficient input sanitization and output escaping. Exploitation requires an...

CVSS 6.4 | AI score 5.7 | EPSS 0.00268
Exploits: 0 | References: 5 | Affected Software: 1

Vulnrichment
added 2024/08/06 5:31 a.m. | 15 views

CVE-2024-5708 WPBakery <= 7.7 - Authenticated (Author+) Stored Cross-Site Scripting

The WPBakery Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level acces...

CVSS 6.4 | AI score 5.9 | EPSS 0.00234
Exploits: 0 | References: 2

CVE
added 2024/08/06 5:31 a.m. | 42 views

CVE-2024-5708

CVE-2024-5708 affects WPBakery Visual Composer (WordPress) up to version 7.7. Root cause: insufficient input sanitization and output escaping in the link parameter, enabling stored XSS by authenticated users with Author-level access. Impact: arbitrary script execution when pages with injected con...

CVSS 6.4 | AI score 5.7 | EPSS 0.00234
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2024/08/01 1:15 p.m. | 27 views

CVE-2024-2455

The Element Pack - Addon for Elementor Page Builder WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget wrapper link URL in all versions up to, and including, 7.9.0 due to insufficient input sanitization and output escaping on user supplied attributes...

CVSS 6.4 | EPSS 0.00176
Exploits: 0 | References: 3

Cvelist
added 2024/08/01 9:29 a.m. | 14 views

CVE-2024-6346 Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks <= 2.2.85 - Authenticated (Contributor+) Stored Cross-Site Scripting via redirectURL Parameter of Date Countdown Widget

The Gutenberg Blocks, Page Builder – ComboBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the redirectURL parameter of the Date Countdown widget, in all versions up to, and including, 2.2.85 due to insufficient input sanitization and output escaping on user supplied...

CVSS 6.4 | EPSS 0.00254
Exploits: 0 | References: 3

CVE
added 2024/07/31 10:59 a.m. | 50 views

CVE-2024-6725

Formidable Forms (WordPress)

CVSS 5.4 | AI score 4.7 | EPSS 0.00176
Exploits: 0 | References: 3 | Affected Software: 1

NVD
added 2024/07/29 4:15 p.m. | 14 views

CVE-2024-41819

Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1...

CVSS 8.7 | EPSS 0.02012
Exploits: 4 | References: 2

Cvelist
added 2024/07/24 2:33 a.m. | 14 views

CVE-2024-6753 Social Auto Poster <= 5.3.14 - Unauthenticated Stored Cross-Site Scripting

The Social Auto Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mapTypes’ parameter in the 'wpwautopostermapwordpressposttype' AJAX function in all versions up to, and including, 5.3.14 due to insufficient input sanitization and output escaping. This makes it...

CVSS 7.2 | EPSS 0.03942
Exploits: 0 | References: 2