Total
28666 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9198 | 1 Clibomanager | 1 Clibo Manager | 2024-10-02 | N/A | 5.4 MEDIUM |
| Vulnerability in Clibo Manager v1.1.9.1 that could allow an attacker to execute an stored Cross-Site Scripting (stored XSS ) by uploading a malicious .svg image in the section: Profile > Profile picture. | |||||
| CVE-2024-3635 | 1 Radiustheme | 1 The Post Grid | 2024-10-02 | N/A | 4.8 MEDIUM |
| The Post Grid WordPress plugin before 7.5.0 does not sanitise and escape some of its Grid settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-38380 | 1 Millbeckcommunications | 2 Proroute H685t-w, Proroute H685t-w Firmware | 2024-10-02 | N/A | 5.4 MEDIUM |
| This vulnerability occurs when user-supplied input is improperly sanitized and then reflected back to the user's browser, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser session. | |||||
| CVE-2024-2010 | 1 Tebilisim | 1 V5 | 2024-10-02 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in TE Informatics V5 allows Reflected XSS.This issue affects V5: before 6.2. | |||||
| CVE-2024-45613 | 1 Ckeditor | 1 Ckeditor5 | 2024-10-01 | N/A | 6.1 MEDIUM |
| CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, one may disable the block toolbar plugin. | |||||
| CVE-2023-5951 | 1 Collne | 1 Welcart | 2024-10-01 | N/A | 6.1 MEDIUM |
| The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2023-4460 | 1 Uploading Svg\, Webp And Ico Files Project | 1 Uploading Svg\, Webp And Ico Files | 2024-10-01 | N/A | 5.4 MEDIUM |
| The Uploading SVG, WEBP and ICO files WordPress plugin through 1.2.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
| CVE-2022-4830 | 1 Strangerstudios | 1 Paid Memberships Pro | 2024-10-01 | N/A | 5.4 MEDIUM |
| The Paid Memberships Pro WordPress plugin before 2.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | |||||
| CVE-2022-4453 | 1 3dflipbook | 1 3d Flipbook | 2024-10-01 | N/A | 5.4 MEDIUM |
| The 3D FlipBook WordPress plugin through 1.13.2 does not validate or escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against high privilege users like administrators. | |||||
| CVE-2023-5955 | 1 Codepeople | 1 Contact Form Email | 2024-10-01 | N/A | 4.8 MEDIUM |
| The Contact Form Email WordPress plugin before 1.3.44 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-9023 | 1 Axton | 1 Wp-webauthn | 2024-10-01 | N/A | 5.4 MEDIUM |
| The WP-WebAuthn plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wwa_login_form shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-8715 | 1 Objectiv | 1 Simple Ldap Login | 2024-10-01 | N/A | 6.1 MEDIUM |
| The Simple LDAP Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-8547 | 1 Garrettgrimm | 1 Simple Popup Plugin | 2024-10-01 | N/A | 5.4 MEDIUM |
| The Simple Popup Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [popup] shortcode in all versions up to, and including, 4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-8633 | 1 10web | 1 Form Maker | 2024-10-01 | N/A | 4.8 MEDIUM |
| The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-9173 | 1 Alefypimentel | 1 Gf Custom Style | 2024-10-01 | N/A | 5.4 MEDIUM |
| The GF Custom Style plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-9127 | 1 Codecabin | 1 Super Testimonials | 2024-10-01 | N/A | 5.4 MEDIUM |
| The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alignment’ parameter in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-9125 | 1 Kingblack | 1 King Ie | 2024-10-01 | N/A | 5.4 MEDIUM |
| The king_IE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-9117 | 1 Mapplic | 1 Mapplic | 2024-10-01 | N/A | 5.4 MEDIUM |
| The Mapplic Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-9115 | 1 Chetanvaghela | 1 Common Tools For Site | 2024-10-01 | N/A | 5.4 MEDIUM |
| The Common Tools for Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2022-4541 | 1 Nitinmaurya | 1 Wordpress Visitors | 2024-10-01 | N/A | 6.1 MEDIUM |
| The WordPress Visitors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a spoofed HTTP Header value in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the nm_vistior page. | |||||