5210 matches found
Simple Long Form <= 2.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Simple Long Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-leve...
CVE-2023-48881
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field Title field at /login.php?m=admin&c=Field&a=arctypeadd&ajax=1&lang=cn...
CVE-2023-48880
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Menu Name field at /login.php?m=admin&c=Index&a=changeTableVal&ajax=1&lang=cn...
Salient Core < 2.0.3 - Reflected Cross-Site Scripting
Description The salient-core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...
Footer Putter <= 6.1.3 - Reflected Cross-Site Scripting
Description The Footer Putter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 6.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Grab & Save <= 1.0.4 - Reflected Cross-Site Scripting
Description The Grab & Save plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
Maspik – Spam blacklist < 0.9.3 - Unauthenticated Stored Cross-Site Scripting via efas_add_to_log
Description The Maspik – Spam Blacklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the efas_add_to_log function in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
Simply Exclude <= 2.0.6.6 - Reflected Cross-Site Scripting
Description The Simply Exclude plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 2.0.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Community by PeepSo < 6.2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via user avatars in all versions up to, and including, 6.2.2.0 due to insufficient input sanitization and output escaping on user supplie...
CVE-2023-48882
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Document Properties field at /login.php?m=admin&c=Index&a=changeTableVal&ajax=1&lang=cn...
PageLayer < 1.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The PageLayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayerheadercode', 'pagelayerbodycode', and 'pagelayerfootercode' parameters in versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it...
FV Flowplayer Video Player < 7.5.39.7212 - Insufficient Input Validation to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update
Description The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fvplayeruservideo' parameter saved via the 'save' function hooked via init, and the plugin is also vulnerable to Arbitrary Usermeta Update via the 'save' function in versions up t...
Super Testimonials < 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tpsscode' shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Sponsors <= 3.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Sponsors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sponsors' shortcode in all versions up to, and including, 3.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Charitable < 1.7.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Charitable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.7.0.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
Permalinks Customizer <= 2.8.2 - Reflected Cross-Site Scripting
Description The Permalinks Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...
WDContactFormBuilder <= 1.0.72 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The WDContactFormBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ContactFormBuilder' shortcode in versions up to, and including, 1.0.72 due to insufficient input sanitization and output escaping on the user-supplied 'id' attribute. This makes it possible...
Slider Revolution < 6.6.15 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to...