Lucene search

K

Unknown Security Vulnerabilities

cve
cve

CVE-2024-1295

The events-calendar-pro WordPress plugin before 6.4.0.1, The Events Calendar WordPress plugin before 6.4.0.1 does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. (e.g. password-protected events, drafts,...

6.4AI Score

0.0004EPSS

2024-06-14 06:15 AM
26
cve
cve

CVE-2024-2762

The FooGallery WordPress plugin before 2.4.15, foogallery-premium WordPress plugin before 2.4.15 does not validate and escape some of its Gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks...

5.7AI Score

0.0004EPSS

2024-06-13 06:15 AM
22
cve
cve

CVE-2024-2309

The WP STAGING WordPress Backup Plugin WordPress plugin before 3.4.0, wp-staging-pro WordPress plugin before 5.4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html...

7.6AI Score

0.0004EPSS

2024-04-17 05:15 AM
39
cve
cve

CVE-2024-4565

The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct...

6.4AI Score

0.0004EPSS

2024-06-20 06:15 AM
27
cve
cve

CVE-2024-3276

The Lightbox & Modal Popup WordPress Plugin WordPress plugin before 2.7.28, foobox-image-lightbox-premium WordPress plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when.....

5.4AI Score

0.0004EPSS

2024-06-18 06:15 AM
39
cve
cve

CVE-2024-5573

The Easy Table of Contents WordPress plugin before 2.0.66 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is...

5.7AI Score

EPSS

2024-06-26 06:15 AM
4
cve
cve

CVE-2024-4377

The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

5.6AI Score

0.0004EPSS

2024-06-21 06:15 AM
19
cve
cve

CVE-2024-5455

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level.....

8.8CVSS

8.9AI Score

0.0004EPSS

2024-06-21 04:15 AM
22
cve
cve

CVE-2024-4381

The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
17
cve
cve

CVE-2024-4382

The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF...

6.5AI Score

0.0004EPSS

2024-06-21 06:15 AM
17
cve
cve

CVE-2024-4384

The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
19
cve
cve

CVE-2024-5475

The Responsive video embed WordPress plugin before 0.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

5.6AI Score

0.0004EPSS

2024-06-20 06:15 AM
25
cve
cve

CVE-2024-5522

The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection...

7.3AI Score

0.0004EPSS

2024-06-20 06:15 AM
26
cve
cve

CVE-2024-5172

The Expert Invoice WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-18 06:15 AM
27
cve
cve

CVE-2024-1849

The WP Customer Reviews WordPress plugin before 3.7.1 does not validate a parameter allowing contributor and above users to redirect a page to a malicious...

9.2AI Score

0.0004EPSS

2024-04-15 05:15 AM
35
cve
cve

CVE-2024-4271

The SVGator WordPress plugin through 1.2.6 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS...

5.5AI Score

0.0004EPSS

2024-06-14 06:15 AM
23
cve
cve

CVE-2024-4270

The SVGMagic WordPress plugin through 1.1 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS...

5.5AI Score

0.0004EPSS

2024-06-14 06:15 AM
23
cve
cve

CVE-2024-3966

The Pray For Me WordPress plugin through 1.0.4 does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP...

5.9AI Score

0.0004EPSS

2024-06-14 06:15 AM
22
cve
cve

CVE-2024-4305

The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored...

5.6AI Score

0.0004EPSS

2024-06-17 06:15 AM
24
cve
cve

CVE-2024-3992

The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-14 06:15 AM
24
cve
cve

CVE-2024-3978

The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

5.6AI Score

0.0004EPSS

2024-06-14 06:15 AM
23
cve
cve

CVE-2024-2218

The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-14 06:15 AM
27
cve
cve

CVE-2024-4532

The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting cards via CSRF...

6.7AI Score

0.0004EPSS

2024-05-27 06:15 AM
28
cve
cve

CVE-2024-4149

The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting...

5.4AI Score

0.0004EPSS

2024-06-13 06:15 AM
29
cve
cve

CVE-2024-5169

The Video Widget WordPress plugin through 1.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

EPSS

2024-06-26 06:15 AM
4
cve
cve

CVE-2024-4959

The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

EPSS

2024-06-26 06:15 AM
1
cve
cve

CVE-2024-4758

The Muslim Prayer Time BD WordPress plugin through 2.4 does not have CSRF check in place when reseting its settings, which could allow attackers to make a logged in admin reset them via a CSRF...

6.4AI Score

EPSS

2024-06-26 06:15 AM
1
cve
cve

CVE-2024-5199

The Spotify Play Button WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

5.6AI Score

EPSS

2024-06-26 06:15 AM
3
cve
cve

CVE-2024-1752

The Font Farsi WordPress plugin through 1.6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.6AI Score

0.0004EPSS

2024-04-08 05:15 AM
28
cve
cve

CVE-2024-4899

The SEOPress WordPress plugin before 7.8 does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting...

5.5AI Score

0.0004EPSS

2024-06-24 06:15 AM
7
cve
cve

CVE-2024-4475

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF...

6.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
20
cve
cve

CVE-2024-5344

The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘forgoturl’ attribute within the plugin's WP Login & Register widget in all versions up to, and including, 5.5.6 due to insufficient input sanitization and output escaping....

6.1CVSS

6AI Score

0.0005EPSS

2024-06-21 02:15 AM
19
cve
cve

CVE-2024-5473

The Simple Photoswipe WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

EPSS

2024-06-26 06:15 AM
3
cve
cve

CVE-2024-4957

The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

EPSS

2024-06-26 06:15 AM
3
cve
cve

CVE-2024-3633

The WebP & SVG Support WordPress plugin through 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS...

5.8AI Score

EPSS

2024-06-26 06:15 AM
1
cve
cve

CVE-2024-4480

The WP Prayer II WordPress plugin through 2.4.7 does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF...

6.4AI Score

0.0004EPSS

2024-06-14 06:15 AM
23
cve
cve

CVE-2024-3965

The Pray For Me WordPress plugin through 1.0.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF...

6.4AI Score

0.0004EPSS

2024-06-14 06:15 AM
23
cve
cve

CVE-2024-0672

The Pz-LinkCard WordPress plugin through 2.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

6AI Score

0.0004EPSS

2024-03-28 05:15 AM
34
cve
cve

CVE-2024-4474

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF...

6.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
17
cve
cve

CVE-2024-4094

The Simple Share Buttons Adder WordPress plugin before 8.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is...

5.7AI Score

0.0004EPSS

2024-06-18 06:15 AM
23
cve
cve

CVE-2024-2836

The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.64 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is...

8.3AI Score

0.0004EPSS

2024-04-15 05:15 AM
52
cve
cve

CVE-2024-3236

The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting...

5.6AI Score

0.0004EPSS

2024-06-17 06:15 AM
30
cve
cve

CVE-2024-3972

The Similarity WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF...

5.6AI Score

0.0004EPSS

2024-06-14 06:15 AM
23
cve
cve

CVE-2024-3977

The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-14 06:15 AM
26
cve
cve

CVE-2024-3993

The AZAN Plugin WordPress plugin through 0.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF...

5.6AI Score

0.0004EPSS

2024-06-14 06:15 AM
22
cve
cve

CVE-2024-5071

The Bookster WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to...

6.3AI Score

EPSS

2024-06-26 06:15 AM
2
cve
cve

CVE-2024-4757

The Logo Manager For Enamad WordPress plugin through 0.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF...

5.6AI Score

0.0004EPSS

2024-06-25 06:15 AM
7
cve
cve

CVE-2024-4759

The Mime Types Extended WordPress plugin through 0.11 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS...

5.7AI Score

0.0004EPSS

2024-06-25 06:15 AM
7
cve
cve

CVE-2024-1290

The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any...

9.4AI Score

0.0004EPSS

2024-03-11 06:15 PM
32
cve
cve

CVE-2024-4900

The SEOPress WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow contributor and above role to perform Open redirect attacks against any user viewing a malicious...

6.4AI Score

0.0004EPSS

2024-06-24 06:15 AM
9
Total number of security vulnerabilities3376