5210 matches found
CVE-2022-34561
A cross-site scripting (XSS) vulnerability in PHPFox v4.8.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the video description parameter...
CVE-2022-34562
A cross-site scripting (XSS) vulnerability in PHPFox v4.8.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the status box...
CVE-2022-34560
A cross-site scripting (XSS) vulnerability in PHPFox v4.8.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the History parameter...
GeoDirectory – WordPress Business Directory Plugin, or Classified Directory < 2.3.49 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'gd_single_tabs' Shortcode
The GeoDirectory – WordPress Business Directory Plugin, or Classified Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gd_single_tabs' shortcode in all versions up to, and including, 2.3.48 due to insufficient input sanitization and output...
CVE-2024-1730
The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in link fields, images from URLs, and HTML tags used in widgets in...
CVE-2024-1730
CVE-2024-1730 is a Stored Cross-Site Scripting vulnerability in the Prime Slider – Addons For Elementor WordPress plugin. The issue affects all versions up to 3.14.0 and stems from insufficient input sanitization and output escaping in links, images from URLs, and HTML in widgets. Exploitation re...
CVE-2024-32206
A stored cross-site scripting (XSS) vulnerability in the component \affiche\admin\index.php of WUZHICMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $formdata parameter...
CVE-2024-3615
The Media Library Folders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 8.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2024-3731
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 5.47.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-3600
CVE-2024-3600 affects the Poll Maker – Best WordPress Poll Plugin for WordPress. According to Red Hat and corroborated by Wordfence sources, it enables Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action and insufficient escaping/sanitizatio...
CVE-2024-3731
CVE-2024-3731 affects the Customer Reviews for WooCommerce plugin for WordPress. It is a Reflected XSS via the 's' parameter in all versions up to and including 5.47.0, due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject web scripts into pag...
CVE-2024-3818
CVE-2024-3818 affects the Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates WordPress plugin. The issue is a DOM-based stored XSS in the Social Icons block, arising from insufficient input sanitization/output escaping on user-supplied attributes. Affected versions include all...
CVE-2024-3818 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.5.9 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting via "Social Icons" Block
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "Social Icons" block in all versions up to, and including, 4.5.9 due to insufficient input sanitization and output escaping on user supplie...
CVE-2024-3615
CVE-2024-3615: The WordPress plugin Media Library Folders is vulnerable to Reflected XSS via the s parameter in all versions up to 8.2.0 due to insufficient input sanitization and output escaping. Exploitation requires an action by a user (e.g., clicking a crafted link) a...
CVE-2024-3598 ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ekit_btn_id'
The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Creative Button widget in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2024-3560 LearnPress – WordPress LMS Plugin <= 4.2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the id value in all versions up to, and including, 4.2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-32206
CVE-2024-32206 describes a stored XSS in WUZHICMS v4.1.0, specifically the \affiche\admin\index.php component, where a crafted payload in the $formdata parameter can cause arbitrary web script/HTML execution. The vulnerability is documented across multiple sources (NVD/Red Hat/OSV/CVE lists) with ...
CVE-2023-6892
The EAN for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'algwceanproductmeta' shortcode in all versions up to, and including, 4.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...