The WP Social Chat WordPress plugin before 6.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks.
4.8CVSS
4.7AI Score
0.001EPSS
The WP Sticky Button WordPress plugin before 1.4.1 does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues
5.4CVSS
5.4AI Score
0.001EPSS
The Click to Chat WordPress plugin before 3.18.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege...
5.4CVSS
5.3AI Score
0.001EPSS
The Click to Chat – HoliThemes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.35. This makes it possible for authenticated attackers, with contributor access or above, to include and execute arbitrary files on the server, allowing the execution of...
8.8CVSS
7.5AI Score
0.001EPSS