Total
28953 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-5889 | 1 Pixelite | 1 Events Manager | 2024-08-01 | N/A | 6.1 MEDIUM |
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
CVE-2024-2455 | 2024-08-01 | N/A | 6.4 MEDIUM | ||
The Element Pack - Addon for Elementor Page Builder WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget wrapper link URL in all versions up to, and including, 7.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-6408 | 2024-08-01 | N/A | 5.4 MEDIUM | ||
The Slider by 10Web WordPress plugin before 1.2.57 does not sanitise and escape its Slider Title, which could allow high privilege users such as editors and above to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
CVE-2024-6243 | 1 Ibericode | 1 Html Forms | 2024-08-01 | N/A | 4.8 MEDIUM |
The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled. | |||||
CVE-2024-6076 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-08-01 | N/A | 6.1 MEDIUM |
The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
CVE-2024-6074 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-08-01 | N/A | 6.1 MEDIUM |
The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
CVE-2024-6073 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-08-01 | N/A | 6.1 MEDIUM |
The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
CVE-2024-6072 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-08-01 | N/A | 6.1 MEDIUM |
The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | |||||
CVE-2024-5811 | 1 Quantumcloud | 1 Simple Video Directory | 2024-08-01 | N/A | 5.4 MEDIUM |
The Simple Video Directory WordPress plugin before 1.4.4 does not sanitise and escape some of its settings, which could allow contributors and higher to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
CVE-2024-5626 | 1 Data443 | 1 Inline Related Posts | 2024-08-01 | N/A | 6.1 MEDIUM |
The Inline Related Posts WordPress plugin before 3.7.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
CVE-2024-5004 | 1 Cminds | 1 Cm Popup | 2024-08-01 | N/A | 4.8 MEDIUM |
The CM Popup Plugin for WordPress WordPress plugin before 1.6.6 does not sanitise and escape some of the campaign settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks | |||||
CVE-2024-4753 | 1 Wpexperts | 1 Wp Secure Maintenance | 2024-08-01 | N/A | 4.8 MEDIUM |
The WP Secure Maintenance WordPress plugin before 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
CVE-2024-4664 | 1 Ninjateam | 1 Wp Chat App | 2024-08-01 | N/A | 4.8 MEDIUM |
The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
CVE-2024-4655 | 1 Dotcamp | 1 Ultimate Blocks | 2024-08-01 | N/A | 5.4 MEDIUM |
The Ultimate Blocks WordPress plugin before 3.1.9 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
CVE-2024-4224 | 2024-08-01 | N/A | 5.4 MEDIUM | ||
An authenticated stored cross-site scripting (XSS) exists in the TP-Link TL-SG1016DE affecting version TL-SG1016DE(UN) V7.6_1.0.0 Build 20230616, which could allow an adversary to run JavaScript in an administrator's browser. This issue was fixed in TL-SG1016DE(UN) V7_1.0.1 Build 20240628. | |||||
CVE-2024-41914 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-08-01 | N/A | 9.0 CRITICAL |
A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. | |||||
CVE-2024-41706 | 1 Archerirm | 1 Archer | 2024-08-01 | N/A | 5.4 MEDIUM |
A stored XSS issue was discovered in Archer Platform 6 before version 2024.06. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. 6.14 P4 (6.14.0.4) is also a fixed release. | |||||
CVE-2024-41705 | 1 Archerirm | 1 Archer | 2024-08-01 | N/A | 5.4 MEDIUM |
A stored XSS issue was discovered in Archer Platform 6.8 before 2024.06. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. 6.14.P4 (6.14.0.4) and 6.13 P4 (6.13.0.4) are also fixed releases. This vulnerability is similar to, but not identical to, CVE-2023-30639. | |||||
CVE-2024-41640 | 2024-08-01 | N/A | 6.1 MEDIUM | ||
Cross Site Scripting (XSS) vulnerability in AML Surety Eco up to 3.5 allows an attacker to run arbitrary code via crafted GET request using the id parameter. | |||||
CVE-2024-41375 | 2024-08-01 | N/A | 6.1 MEDIUM | ||
ICEcoder 8.1 is vulnerable to Cross Site Scripting (XSS) via lib/terminal-xhr.php |