Testimonial Carousel For Elementor < 10.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'showlinetext' and 'slidebuttonhoveranimation' parameters in versions up to, and including, 10.1.1 due to insufficient input sanitization and output escaping. This makes i...
CVE-2024-4288
The CVE-2024-4288 entry concerns the Appointment Booking Calendar — Simply Schedule Appointments Plugin for WordPress. Vulnerable through version 1.6.7.14 due to insufficient input sanitization and inadequate output escaping of the link parameter, enabling stored XSS. Exploitation requires authen...
CVE-2024-4617
CVE-2024-4617 affects Rank Math SEO – AI SEO Tools for WordPress, with Stored XSS via the id parameter in versions up to 1.0.218. Authenticated attackers with contributor-level permissions and above can inject scripts executed by users on injected pages. Connected sources corroborate the vulnerab...
CVE-2024-3887
CVE-2024-3887 affects the Royal Elementor Addons and Templates plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) in the Form Builder widget caused by insufficient input sanitization and output escaping on user-supplied attributes. Impact: authenticated attackers with ...
CVE-2024-4546 Custom Post Type Attachment <= 3.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via pdf_attachment Shortcode
The Custom Post Type Attachment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pdfattachment' shortcode in all versions up to, and including, 3.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...
CVE-2024-4635
The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘addmimetype’ function in versions up to, and including, 0.13.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level...
Himalayas < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Himalayas theme for WordPress is vulnerable to Stored Cross-Site Scripting via author display names in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
Content Blocks (Custom Post Widget) < 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Content Blocks Custom Post Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
CVE-2024-27593
A stored cross-site scripting (XSS) vulnerability in the Filter function of Eramba Version 3.22.3 Community Edition allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the filter name field. This vulnerability has been fixed in version 3.23.0...
CVE-2024-4636
CVE-2024-4636 affects the WordPress plugin Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF. Connected sources confirm a Stored Cross-Site Scripting (XSS) vulnerability via the function allow_meme_types in versions up to and including 3.12.10, caused by insufficient input san...
CVE-2024-4193
The Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'testimonialcategory' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-4150
The Simple Basic Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘scfemail’ parameter in versions up to, and including, 20221201 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-4041
The Yoast SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 22.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
CVE-2024-3974
The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in versions up to, and including, 12.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions...
CVE-2024-3680
The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Animation Title widget's img tag in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2024-3547
The Unlimited Elements For Elementor Free Widgets, Addons, Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'googleconnecterror' parameter in all versions up to, and including, 1.5.102 due to insufficient input sanitization and output escaping. This makes it...
CVE-2024-34231
A cross-site scripting (XSS) vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the System Short Name parameter...
CVE-2024-34230
A cross-site scripting (XSS) vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the System Information parameter...
CVE-2024-1166
The Image Hover Effects – Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Hover Effects Widget in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
BIT-WORDPRESS-2024-4439
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...