CVE-2024-2334 Template Kit – Import <= 1.0.14 - Authenticated (Author+) Stored Cross-Site Scripting via template upload
The Template Kit – Import plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template upload functionality in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with autho...
CVE-2024-2198 Contact Form by BestWebSoft <= 4.2.8 - Reflected Cross-Site Scripting via cntctfrm_contact_address
The Contact Form by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'cntctfrm_contact_address' parameter in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
CVE-2024-0662
The FancyBox for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions 3.0.2 to 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above...
CVE-2024-2165 SEOPress – On-site SEO <= 7.5.2.1 - Authenticated (Author+) Stored Cross-Site Scripting
The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt parameter in all versions up to, and including, 7.5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access...
CVE-2024-2786
CVE-2024-2786 concerns the WordPress plugin Happy Addons for Elementor. It describes a DOM-based stored Cross-Site Scripting vulnerability in the plugin’s title_tag usage across versions up to and including 3.10.4. The issue arises from insufficient input sanitization and output escaping, enablin...
CVE-2024-2423 UsersWP <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output...
CVE-2023-6993 Custom post types, Custom Fields & more <= 5.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Custom post types, Custom Fields & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and custom post meta in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping on user supplied post meta values...
CVE-2024-1794
CVE-2024-1794 is a stored XSS flaw in WordPress Forminator up to version 1.29.0 via file uploads (e.g., 3gpp). Public docs confirm unauthenticated exploitation leading to script execution when served pages load injected content. Connected sources indicate the issue was addressed in later patches ...
CVE-2024-1794 Forminator <= 1.29.0 - Unauthenticated Stored Cross-Site Scripting via File Upload
The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file e.g. 3gpp file in all versions up to, and including, 1.29.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...
CVE-2024-3512
CVE-2024-3512 is a duplicate of CVE-2024-2583. The underlying issue affects the WordPress Shortcodes Plugin – Shortcodes Ultimate prior to version 7.0.5, where shortcode attributes were not properly escaped, enabling Stored XSS by users with the Contributor role. Remediation is to upgrade to version 7...
CVE-2024-3064 Elementor Addons, Widgets and Enhancements – Stax <= 1.4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heading' widgets in all versions up to, and including, 1.4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...
CVE-2024-0376
CVE-2024-0376 affects the Premium Addons for Elementor plugin on WordPress. It enables Stored Cross-Site Scripting via the Wrapper Link Widget in all versions up to 4.10.16 due to insufficient input sanitization and output escaping of user‑provided URLs. Exploitation requires at least Contributor...
CVE-2024-1774 Customily Product Personalizer <= 1.23.3 - Unauthenticated Stored Cross-Site Scripting
The Customily Product Personalizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via user cookies in all versions up to, and including, 1.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...
CVE-2024-1774
CVE-2024-1774 affects the Customily Product Personalizer WordPress plugin. It is an unauthenticated Stored Cross-Site Scripting via user cookies in all versions up to 1.23.3 due to insufficient input sanitization and output escaping, enabling arbitrary scripts to run when users visit injected pag...
CVE-2024-1852 WP-Members Membership Plugin <= 3.4.9.2 - Unauthenticated Stored Cross-Site Scripting
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...
BizCalendar Web <= 1.1.0.19 - Reflected Cross-Site Scripting via 'tab'
The BizCalendar Web plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.1.0.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Element Pack Elementor Addons < 5.5.4 - Contributor+ Stored XSS via Trailer Box Widget
The plugin is vulnerable to Stored Cross-Site Scripting via the 'elementpackwrapperlink' attribute of the Trailer Box widget due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...
CVE-2024-2458
The Powerkit – Supercharge your WordPress Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...
CVE-2024-2458
CVE-2024-2458 affects the Powerkit – Supercharge your WordPress Site plugin for WordPress. It is a Stored XSS via shortcode attributes, present in all versions up to and including 2.9.1 due to insufficient input sanitization and output escaping. Exploitation requires authentication at contributor...