BIT-WORDPRESS-MULTISITE-2024-4439
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
Sydney Toolbox < 1.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via aThemes: Portfolio Widget
The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "aThemes: Portfolio" widget in all versions up to, and including, 1.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-34231
CVE-2024-34231 affects Sourcecodester Laboratory Management System v1.0 with a cross-site scripting (XSS) flaw exploitable via a crafted payload in the System Short Name parameter. The issue enables attackers to execute arbitrary web scripts or HTML, with CVSSv3.1 base score 7.1 (HIGH) and user i...
CVE-2024-34231
A cross-site scripting XSS vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the System Short Name parameter...
CVE-2024-34230
A cross-site scripting XSS vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the System Information parameter...
CVE-2024-34230
Sourcecodester Laboratory Management System v1.0 is affected by a cross-site scripting (XSS) vulnerability in the System Information parameter. The root cause is improper handling/sanitization of user-supplied input, allowing attackers to inject arbitrary web scripts or HTML. Impact disclosed in ...
CVE-2024-4490
The CVE-2024-4490 entry concerns the Elegant Themes Divi product family (Divi theme, Divi Extra, Divi Page Builder) with DOM-Based Stored XSS via the title parameter in versions up to and including 4.25.0. The vulnerability arises from insufficient input sanitization and output escaping, enabling...
CVE-2024-4277
CVE-2024-4277 affects LearnPress – WordPress LMS Plugin. Affected: all plugin versions up to and including 4.2.6.5. Root cause: insufficient input sanitization and output escaping in the layout_html parameter. Impact: authenticated attackers with contributor-level access can store scripts that...
CVE-2024-3547 Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.102 - Reflected Cross-Site Scripting
The Unlimited Elements For Elementor Free Widgets, Addons, Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'googleconnecterror' parameter in all versions up to, and including, 1.5.102 due to insufficient input sanitization and output escaping. This makes it...
CVE-2024-3547
CVE-2024-3547 affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates) on WordPress. The vulnerability is a Reflected Cross-Site Scripting via the google_connect_error parameter in all versions up to 1.5.102, caused by insufficient input sanitization and output escaping. This al...
CVE-2024-4481 Gutenberg Blocks with AI by Kadence WP <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Link
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the plugin's blocks in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This...
WordPress Popup Maker Plugin < 1.18.3 XSS Vulnerability
Greenbone vulnerability test for the WordPress plugin (NASL script header: SPDX-FileCopyrightText: 2024 Greenbone AG; some text descriptions might be excerpted from referenced sources and are copyright (C) the respective right holders; SPDX-License-Identifier: GPL-2.0-only). CPE = "cpe:/a:code-atlantic:popupmaker"; if(description)...
WordPress Forminator Plugin < 1.29.3 XSS Vulnerability
Greenbone vulnerability test for the WordPress plugin (NASL script header: SPDX-FileCopyrightText: 2024 Greenbone AG; some text descriptions might be excerpted from referenced sources and are copyright (C) the respective right holders; SPDX-License-Identifier: GPL-2.0-only). CPE = "cpe:/a:incsub:forminator"; if(description)...
CVE-2024-4104
CVE-2024-4104 : ADFO – Custom data in admin dashboard (WordPress plugin) is vulnerable to a reflected XSS via the dbp_id parameter in versions ≤ 1.9.0 due to insufficient input sanitization and output escaping. This enables unauthenticated attackers to inject scripts on pages that execute when a ...
CVE-2024-4104 ADFO – Custom data in admin dashboard <= 1.9.0 - Reflected Cross-Site Scripting
The ADFO – Custom data in admin dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dbpid' parameter in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
CVE-2024-2785
CVE-2024-2785 affects The Plus Addons for Elementor (WordPress). The issue is a Stored Cross-Site Scripting (XSS) in the Age Gate widget due to insufficient input sanitization and output escaping of user-supplied attributes. Affected versions are ≤ 5.4.2. Exploitation requires contributor-level a...
CVE-2024-2846
The CVE is for the Visual Footer Credit Remover WordPress plugin. It describes a Stored XSS via the selector parameter in all versions up to 2, caused by insufficient input sanitization and output escaping. The vulnerability requires authenticated, administrator-level access and affects multisite...
CVE-2024-0445 The Plus Addons for Elementor <= 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's element attributes in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with...
CVE-2024-3923 Beaver Builder – WordPress Page Builder <= 2.8.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the linktarget parameter in all versions up to, and including, 2.8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2024-4542
CVE-2024-4542 is rejected and not used; please refer to CVE-2024-3548 instead.
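Nearly every entry above has the same root cause: a value a contributor saved in a block or widget attribute, or an unauthenticated visitor supplied in a query parameter, is written into HTML without escaping for the context it lands in. The block below is an added example and is not code from WordPress or from any plugin or theme listed on this page. It is a stand-alone PHP sketch of that pattern beside its fix: the attribute names (`title`, `link`), the `error` query parameter and the payloads are constructed, and `esc_attr_like()` / `esc_url_like()` are hypothetical stand-ins for WordPress's esc_attr()/esc_html() and esc_url() so the file runs under plain `php` with no WordPress install.

```php
<?php
// Added example: stand-alone PHP sketch of the stored/reflected XSS pattern behind
// the advisories above. Not code from WordPress or from any listed plugin/theme.
// esc_attr_like() and esc_url_like() are hypothetical stand-ins for WordPress's
// esc_attr()/esc_html() and esc_url(), so this file runs under plain `php`.

// Stand-in for esc_attr()/esc_html(): encode & < > " ' for HTML text and
// double-quoted attribute contexts.
function esc_attr_like(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for esc_url(): drop control characters and whitespace a browser would
// ignore inside a scheme ("java\tscript:"), reject any scheme outside a short
// allowlist, then attribute-encode what remains. Relative URLs pass through encoded.
function esc_url_like(string $url): string
{
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url) ?? '';
    if ($url === '') {
        return '';
    }
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)
        && !in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true)) {
        return ''; // javascript:, data:, vbscript: ... are not links
    }
    return esc_attr_like($url);
}

// Vulnerable render callback: block attributes saved by a contributor are echoed
// straight into markup (the "insufficient output escaping" of the advisories).
function render_vulnerable(array $attrs): string
{
    return '<a class="item" href="' . $attrs['link'] . '" title="' . $attrs['title'] . '">'
        . $attrs['title'] . '</a>';
}

// Hardened render callback: each value escaped for the context it lands in
// (URL attribute, quoted attribute, text node).
function render_hardened(array $attrs): string
{
    return '<a class="item" href="' . esc_url_like($attrs['link'])
        . '" title="' . esc_attr_like($attrs['title']) . '">'
        . esc_attr_like($attrs['title']) . '</a>';
}

// Reflected variant: an error-message query parameter echoed into an admin notice.
function notice_vulnerable(array $query): string
{
    return '<div class="notice">' . ($query['error'] ?? '') . '</div>';
}

function notice_hardened(array $query): string
{
    return '<div class="notice">' . esc_attr_like($query['error'] ?? '') . '</div>';
}

// Constructed inputs: what a contributor could store in a post, or what an
// unauthenticated attacker could put in a crafted link an administrator opens.
$attrs = [
    'title' => 'Portfolio"><img src=x onerror=alert(document.cookie)>',
    'link'  => "java\tscript:alert(document.domain)",
];
$query = ['error' => '<script>alert(1)</script>'];

echo "stored, vulnerable:    ", render_vulnerable($attrs), "\n";
echo "stored, hardened:      ", render_hardened($attrs), "\n";
echo "reflected, vulnerable: ", notice_vulnerable($query), "\n";
echo "reflected, hardened:   ", notice_hardened($query), "\n";
```

Run it with `php example.php` and compare the two lines of each pair: the hardened output keeps the payload as inert text and turns the `javascript:` link into an empty `href`. Two caveats a reviewer of these plugins would apply: contributors do not hold the `unfiltered_html` capability, so the plugin's own output path is the only place the escaping can happen; and htmlspecialchars()-style encoding is correct only for HTML text and quoted attributes. A value that ends up inside a JavaScript string, a CSS selector, or an unquoted attribute needs an encoder for that context, and a field meant to carry limited markup needs a sanitizer such as wp_kses_post() at render time rather than escaping.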