CVE-2024-37160
Formwork CVE-2024-37160 concerns the Formwork flat-file CMS. The vulnerability is an XSS flaw exploitable when an administrator modifies site options via /panel/options/site, allowing injection of scripts that can affect visitors across most pages (dashboard excluded). Affected component is descr...
CVE-2024-4703
The One Page Express Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's onepageexpresscontactform shortcode in all versions up to, and including, 1.6.37 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-4488
CVE-2024-4488 affects the Royal Elementor Addons and Templates for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) in the inline_list parameter affecting versions up to 1.3.976, caused by insufficient input sanitization/output escaping. Attack requires authenticated access at ...
CVE-2024-5640 Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) <= 3.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pacific Widget
The Prime Slider – Addons For Elementor Revolution of a slider, Hero Slider, Ecommerce Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ attribute within the Pacific widget in all versions up to, and including, 3.14.7 due to insufficient input sanitization and...
CVE-2024-1988
The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute in blocks in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output...
CVE-2024-1988
CVE-2024-1988 affects the WordPress plugins Post Grid / Combo Blocks (and related blocks) up to version 2.2.80, with stored XSS via the tag attribute in blocks due to insufficient input sanitization and output escaping. Exploitation requires authenticated access (Contributor+), enabling injection...
CVE-2024-3987
The WP Mobile Menu – The Mobile-Friendly Responsive Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt text in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...
CVE-2024-5607
The GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions named ajaxUpdateSettings in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers,...
CVE-2024-5607
The CVE-2024-5607 entry concerns the GDPR CCPA Compliance & Cookie Consent Banner WordPress plugin. It states a missing capability check on multiple ajaxUpdateSettings() functions in all versions up to and including 2.7.0, allowing authenticated attackers with Subscriber-level access and higher t...
CVE-2024-3987
CVE-2024-3987: The WP Mobile Menu – The Mobile-Friendly Responsive Menu plugin for WordPress is vulnerable to Stored XSS via image alt text in all versions up to 2.8.4.2, caused by insufficient input sanitization and output escaping. The vulnerability could be triggered by an authenticated attac...
Formula < 0.5.2 - Reflected Cross-Site Scripting via ti_customizer_notify_dismiss_recommended_plugins
The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'ti_customizer_notify_dismiss_recommended_plugins' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it...
CVE-2024-36775
A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit Profile page...
CVE-2024-36775
Monstra CMS 3.0.4 is affected by an XSS vulnerability in the Edit Profile page, where crafted payloads placed into the About Me field can execute arbitrary web scripts/HTML. The issue stems from reflecting or injecting content via the About Me parameter, enabling potential code execution in the c...
CVE-2024-5221
The CVE-2024-5221 entry concerns the Qi Blocks WordPress plugin. Public records here show a Stored XSS vulnerability in the plugin’s file uploader affecting all versions up to and including 1.2.9, caused by insufficient input sanitization and output escaping. Exploitation requires authentication ...
CVE-2024-5162
The WordPress prettyPhoto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...
CVE-2024-5141
The Rotating Tweets Twitter widget and shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rotatingtweets' in all versions up to, and including, 1.9.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-4212 Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets
The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's TF Group Image, TF Nav Menu, TF Posts, TF Woo Product Grid, TF Accordion, and TF Image Box widgets in all versions up to, and including, 2.1.1 due to insufficient input...
CVE-2024-2922
The CVE refers to Themesflat Addons For Elementor (WordPress) with a Stored XSS in widget tags due to insufficient input sanitization/output escaping. Exploitation requires authenticated access (Contributor+), enabling injection that executes on page view. Affected versions up to 2.1.1 (NVD descr...
CVE-2024-2922 Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Tags
The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget tags in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-5342
The Simple Image Popup Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sipspopup' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...