Total: 36875 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-13441 | Ylefebvre | Bilingual Linker | 2025-02-04 | N/A | 6.4 MEDIUM | The Bilingual Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bl_otherlang_link_1 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-13458 | Notice | Notice Faq | 2025-02-04 | N/A | 6.4 MEDIUM | The WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-13467 | Mr-kalathiya | Wp Contect Form7 Email Spam Blocker | 2025-02-04 | N/A | 6.1 MEDIUM | The WP Contact Form7 Email Spam Blocker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-12334 | Codexpert | Wc Affiliate | 2025-02-04 | N/A | 6.1 MEDIUM | The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-13548 | Wppug | Power Ups For Elementor | 2025-02-04 | N/A | 6.4 MEDIUM | The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-30788 | Monicahq | Monica | 2025-02-04 | N/A | 5.4 MEDIUM | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people/add` endpoint and the nickName, description, lastName, middleName and firstName parameters.
CVE-2023-1324 | Yikesinc | Easy Forms For Mailchimp | 2025-02-04 | N/A | 6.1 MEDIUM | The Easy Forms for Mailchimp WordPress plugin before 6.8.8 does not sanitise and escape some parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins.
CVE-2023-0899 | Wp Live Chat Shoutbox Project | Wp Live Chat Shoutbox | 2025-02-04 | N/A | 6.1 MEDIUM | The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before outputting it back in the Shoutbox, leading to Stored Cross-Site Scripting which could be used against high privilege users such as admins.
CVE-2023-0420 | Custom Post Type And Taxonomy Gui Manager Project | Custom Post Type And Taxonomy Gui Manager | 2025-02-04 | N/A | 4.8 MEDIUM | The Custom Post Type and Taxonomy GUI Manager WordPress plugin through 1.1 does not have CSRF protection, and is lacking sanitising as well as escaping in some parameters, allowing attackers to make a logged-in admin put Stored Cross-Site Scripting payloads via CSRF.
CVE-2023-0276 | Weavertheme | Weaver Xtreme Theme Support | 2025-02-04 | N/A | 5.4 MEDIUM | The Weaver Xtreme Theme Support WordPress plugin before 6.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2024-13470 | Ninjaforms | Ninja Forms | 2025-02-04 | N/A | 6.4 MEDIUM | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.8.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-1126 | Wp Fevents Book Project | Wp Fevents Book | 2025-02-04 | N/A | 5.4 MEDIUM | The WP FEvents Book WordPress plugin through 0.46 does not sanitise and escape some parameters, which could allow any authenticated users, such as subscribers, to perform Cross-Site Scripting attacks.
CVE-2024-13586 | Dineshrawat | Masy Gallery | 2025-02-04 | N/A | 6.4 MEDIUM | The Masy Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'justified-gallery' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-13599 | Thimpress | Learnpress | 2025-02-04 | N/A | 6.4 MEDIUM | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated attackers, with LP Instructor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-10847 | Sellerthemes | Storely | 2025-02-04 | N/A | 6.4 MEDIUM | The Storely theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 16.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-11829 | Posimyth | The Plus Addons For Elementor | 2025-02-04 | N/A | 6.4 MEDIUM | The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Widget's searchable_label parameter in all versions up to, and including, 6.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-3588 | Motopress | Getwid | 2025-02-04 | N/A | 6.4 MEDIUM | The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block in all versions up to, and including, 2.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-1948 | Motopress | Getwid | 2025-02-04 | N/A | 6.4 MEDIUM | The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block content in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-23989 | Metagauss | Registrationmagic | 2025-02-04 | N/A | 5.3 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic. This issue affects RegistrationMagic: from n/a through 5.1.9.2.
CVE-2024-3053 | Incsub | Forminator | 2025-02-04 | N/A | 6.4 MEDIUM | The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ forminator_form shortcode attribute in versions up to, and including, 1.29.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.