Total
293202 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10518 | 1 Properfraction | 1 Profilepress | 2025-05-17 | N/A | 4.8 MEDIUM |
| The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-10517 | 1 Properfraction | 1 Profilepress | 2025-05-17 | N/A | 4.8 MEDIUM |
| The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-10499 | 1 Meowapps | 1 Ai Engine | 2025-05-17 | N/A | 7.2 HIGH |
| The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks | |||||
| CVE-2024-11972 | 1 Themehunk | 1 Hunk Companion | 2025-05-17 | N/A | 9.8 CRITICAL |
| The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin before 1.9.0 that have been closed. | |||||
| CVE-2024-11842 | 1 Digireturn | 1 Shipping By Weight For Woocommerce | 2025-05-17 | N/A | 4.3 MEDIUM |
| The DN Shipping by Weight for WooCommerce WordPress plugin before 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-11841 | 1 Jordangillman | 1 Tithe.ly Giving Button | 2025-05-17 | N/A | 5.4 MEDIUM |
| The Tithe.ly Giving Button WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-48074 | 1 Draytek | 2 Vigor2960, Vigor2960 Firmware | 2025-05-17 | N/A | 8.0 HIGH |
| An authorized RCE vulnerability exists in the DrayTek Vigor2960 router version 1.4.4, where an attacker can place a malicious command into the table parameter of the doPPPoE function in the cgi-bin/mainfunction.cgi route, and finally the command is executed by the system function. | |||||
| CVE-2024-8983 | 1 Smashballoon | 1 Custom Twitter Feeds | 2025-05-17 | N/A | 4.8 MEDIUM |
| Custom Twitter Feeds WordPress plugin before 2.2.3 is not filtering some of its settings allowing high privilege users to inject scripts. | |||||
| CVE-2024-7313 | 1 Getshieldsecurity | 1 Shield Security | 2025-05-17 | N/A | 6.1 MEDIUM |
| The Shield Security WordPress plugin before 20.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2024-6879 | 1 Expresstech | 1 Quiz And Survey Master | 2025-05-17 | N/A | 4.7 MEDIUM |
| The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allows contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks. | |||||
| CVE-2024-6715 | 1 Metaphorcreations | 1 Ditty | 2025-05-17 | N/A | 6.1 MEDIUM |
| The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39 | |||||
| CVE-2024-3282 | 1 Wptablebuilder | 1 Wp Table Builder | 2025-05-17 | N/A | 4.8 MEDIUM |
| The WP Table Builder WordPress plugin through 1.5.0 does not sanitise and escape some of its Table data, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-45404 | 1 Citeum | 1 Opencti | 2025-05-17 | N/A | 8.1 HIGH |
| OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available. | |||||
| CVE-2024-11107 | 1 Bowo | 1 System Dashboard | 2025-05-17 | N/A | 6.1 MEDIUM |
| The System Dashboard WordPress plugin before 2.8.15 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks. | |||||
| CVE-2024-10708 | 1 Bowo | 1 System Dashboard | 2025-05-17 | N/A | 4.9 MEDIUM |
| The System Dashboard WordPress plugin before 2.8.15 does not validate user input used in a path, which could allow high privilege users such as admin to perform path traversal attacks an read arbitrary files on the server | |||||
| CVE-2022-38946 | 1 Divscorp | 1 Doctor-appointment | 2025-05-17 | N/A | 9.8 CRITICAL |
| Arbitrary File Upload vulnerability in Doctor-Appointment version 1.0 in /Frontend/signup_com.php, allows attackers to execute arbitrary code. | |||||
| CVE-2022-38947 | 1 Jigar-sable | 1 Flipkart-clone-php | 2025-05-17 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in Flipkart-Clone-PHP version 1.0 in entry.php in product_title parameter, allows attackers to execute arbitrary code. | |||||
| CVE-2024-10480 | 1 Wp3dprinting | 1 3dprint Lite | 2025-05-17 | N/A | 4.3 MEDIUM |
| The 3DPrint Lite WordPress plugin before 2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2024-10893 | 1 Wpbookingcalendar | 1 Wp Booking Calendar | 2025-05-17 | N/A | 4.8 MEDIUM |
| The WP Booking Calendar WordPress plugin before 10.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-9934 | 1 Aueda | 1 Wp-imagezoom | 2025-05-17 | N/A | 6.1 MEDIUM |
| The Wp-ImageZoom WordPress plugin through 1.1.0 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||