Cost Calculator Builder Pro < 3.1.68 - Unauthenticated Cross-Site Scripting via SVG Upload
Description: The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG upload feature in all versions up to, and including, 3.1.67 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
CVE-2024-33101
CVE-2024-33101 concerns a stored XSS in ThinkSAAS v3.7.0, specifically in the /action/anti.php component, where a crafted payload injected into the word parameter can cause arbitrary web script/HTML execution. The issue is confirmed across multiple sources (Red Hat, NVD, OSV, CVE lists) with a co...
CVE-2024-33102
CVE-2024-33102 affects ThinkSAAS v3.7.0, specifically the /pubs/counter.php component. The vulnerability is a stored XSS that allows an attacker to execute arbitrary web scripts or HTML by injecting a crafted payload into the code parameter. The CVSS v3.1 base score is 5.4 (Medium) with network a...
CVE-2024-33102
A stored cross-site scripting XSS vulnerability in the component /pubs/counter.php of ThinkSAAS v3.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the code parameter...
Slash Admin < 3.8.2 - Cross-Site Request Forgery
Description: The Slash Admin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a...
AA Cash Calculator <= 1.0 - Reflected Cross-Site Scripting via invoice
Description: The AA Cash Calculator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'invoice' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-2838
The WPC Composite Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woococomponents0name' parameter in all versions up to, and including, 7.2.7 due to insufficient input sanitization and output escaping and missing authorization on the...
CVE-2024-2258
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. Th...
CVE-2024-3890 Happy Addons for Elementor <= 3.10.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Calendly Widget
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Calendly widget in all versions up to, and including, 3.10.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-4035
CVE-2024-4035 is a Stored XSS in the Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery WordPress plugin, affecting all versions up to 2.7.7.21. The root cause is insufficient input sanitization and output escaping in image alt text, enabling authenticated attackers with author-level acc...
CVE-2024-3988
The Sina Extension for Elementor Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Fancy Text Widget in all versions up to, and including, 3.5.2 due to...
CVE-2024-3988
The Sina Extension for Elementor (WordPress plugin) is vulnerable under CVE-2024-3988 to Stored Cross-Site Scripting via the Sina Fancy Text Widget in versions up to 3.5.2. Exploitation requires authenticated access at contributor level+, and scripts can execute when users load injected pages. Th...
eCommerce Product Catalog Plugin for WordPress < 3.3.33 - Reflected Cross-Site Scripting
Description: The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.3.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje...
LH Add Media From Url < 1.23 - Reflected Cross-Site Scripting
Description: The LH Add Media From Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.22 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
GuCherry Blog <= 1.1.8 - Reflected Cross-Site Scripting
Description: The GuCherry Blog theme for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...
Easy CountDowner <= 1.0.8 - Cross-Site Request Forgery
Description: The Easy CountDowner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform unauthorized actions a...
Netgsm < 2.9.1 - Reflected Cross-Site Scripting
Description: The Netgsm plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
Cornerstone < 0.8.1 - Reflected Cross-Site Scripting
Description: The Cornerstone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages th...
Import Content in WordPress & WooCommerce with Excel < 4.3 - Reflected Cross-Site Scripting
Description: The Import Content in WordPress & WooCommerce with Excel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...