Total
28647 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9073 | 1 Gutengeek | 1 Free Gutenberg Blocks | 2024-10-02 | N/A | 5.4 MEDIUM |
| The GutenGeek Free Gutenberg Blocks for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-8515 | 1 Themesflat | 1 Themesflat Addons For Elementor | 2024-10-02 | N/A | 5.4 MEDIUM |
| The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets like 'TF E Slider Widget', 'TF Video Widget', 'TF Team Widget' and more in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on URL attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-47303 | 1 Livemeshelementor | 1 Addons For Elementor | 2024-10-02 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through 8.5. | |||||
| CVE-2024-8546 | 1 Wpmet | 1 Elementskit Elementor Addons | 2024-10-02 | N/A | 5.4 MEDIUM |
| The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video widget in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-8858 | 1 Livemeshelementor | 1 Addons For Elementor | 2024-10-02 | N/A | 5.4 MEDIUM |
| The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘piechart_settings’ parameter in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-3866 | 1 Ninjaforms | 1 Ninja Forms | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Successful exploitation of this vulnerability requires "maintenance mode" for a targeted form to be enabled. However, there is no setting available to the attacker or even an administrator-level user to enable this mode. The mode is only enabled during a required update, which is a very short window of time. Additionally, because of the self-based nature of this vulnerability, attackers would have to rely on additional techniques to execute a supplied payload in the context of targeted user. | |||||
| CVE-2024-9024 | 1 Braginteractive | 1 Material Design Icons | 2024-10-02 | N/A | 5.4 MEDIUM |
| The Material Design Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mdi-icon shortcode in all versions up to, and including, 0.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-6094 | 1 Technowich | 1 Wp Ulike | 2024-10-02 | N/A | 4.8 MEDIUM |
| The WP ULike WordPress plugin before 4.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-45640 | 1 Technowich | 1 Wp Ulike | 2024-10-02 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in TechnoWich WP ULike – Most Advanced WordPress Marketing Toolkit plugin <= 4.6.8 versions. | |||||
| CVE-2024-7878 | 1 Technowich | 1 Wp Ulike | 2024-10-02 | N/A | 4.8 MEDIUM |
| The WP ULike WordPress plugin before 4.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-6517 | 1 Dotsquares | 1 Contact Form 7 Math Captcha | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users. | |||||
| CVE-2024-8803 | 1 Madfishdigital | 1 Bulk Noindex \& Nofollow Toolkit | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Bulk NoIndex & NoFollow Toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.15. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-8723 | 1 Wangbin | 1 012 Ps Multi Languages | 2024-10-02 | N/A | 5.4 MEDIUM |
| The 012 Ps Multi Languages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via translated titles in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-51157 | 1 Zkteco | 1 Wdms | 2024-10-02 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in ZKTeco WDMS v.5.1.3 Pro allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script to the Emp Name parameter. | |||||
| CVE-2024-8741 | 1 Outtheboxthemes | 1 Beam Me Up Scotty | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Beam me up Scotty – Back to Top Button plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-8713 | 1 Pierros | 1 Kodex Posts Likes | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Kodex Posts likes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-8549 | 1 Xtendify | 1 Simple Calendar | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Simple Calendar – Google Calendar Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-7617 | 1 Itpathsolutions | 1 Contact Form To Any Api | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Contact Form to Any API plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 form fields in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-46655 | 1 Ellevo | 1 Ellevo | 2024-10-02 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Ellevo 6.2.0.38160 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload or URL. | |||||
| CVE-2024-9198 | 1 Clibomanager | 1 Clibo Manager | 2024-10-02 | N/A | 5.4 MEDIUM |
| Vulnerability in Clibo Manager v1.1.9.1 that could allow an attacker to execute an stored Cross-Site Scripting (stored XSS ) by uploading a malicious .svg image in the section: Profile > Profile picture. | |||||