Total
30542 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5666 | 1 Idioweb | 1 Extensions For Elementor | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5664 | 1 Sonaar | 1 Mp3 Audio Player For Music\, Radio \& Podcast | 2024-11-21 | N/A | 6.4 MEDIUM |
| The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute within the plugin's sonaar_audioplayer shortcode in all versions up to, and including, 5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5663 | 1 Ultimateaddons | 1 Cards For Beaver Builder | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Cards for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Cards widget in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5645 | 1 Envothemes | 1 Envo Extra | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_css_id’ parameter within the Button widget in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5641 | 1 Cedcommerce | 1 One Click Order Re-order | 2024-11-21 | N/A | 6.4 MEDIUM |
| The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ced_ocor_save_general_setting' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the plugin settings, including adding stored cross-site scripting. | |||||
| CVE-2024-5640 | 1 Bdthemes | 1 Prime Slider | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ attribute within the Pacific widget in all versions up to, and including, 3.14.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5638 | 1 Awplife | 1 Formula | 2024-11-21 | N/A | 6.1 MEDIUM |
| The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'ti_customizer_notify_dismiss_recommended_plugins' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-5626 | 1 Data443 | 1 Inline Related Posts | 2024-11-21 | N/A | 6.1 MEDIUM |
| The Inline Related Posts WordPress plugin before 3.7.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-5613 | 1 Awplife | 1 Formula | 2024-11-21 | N/A | 6.1 MEDIUM |
| The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'quality_customizer_notify_dismiss_action' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-5612 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eael_lightbox_open_btn_icon’ parameter within the Lightbox & Modal widget in all versions up to, and including, 5.8.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5601 | 1 Mediavine | 1 Create | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Create by Mediavine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Schema Meta shortcode in all versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5582 | 1 Magazine3 | 1 Schema \& Structured Data For Wp \& Amp | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' attribute within the Q&A Block widget in all versions up to, and including, 1.33 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5571 | 1 Wpdeveloper | 1 Embedpress | 2024-11-21 | N/A | 6.4 MEDIUM |
| The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's EmbedPress PDF widget in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5555 | 1 Bdthemes | 1 Element Pack | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘social-link-title’ parameter in all versions up to, and including, 5.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5554 | 1 Bdthemes | 1 Element Pack | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘onclick_event’ parameter in all versions up to, and including, 5.6.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5544 | 1 Davidlingren | 1 Media Library Assistant | 2024-11-21 | N/A | 6.1 MEDIUM |
| The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the order parameter in all versions up to, and including, 3.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-5542 | 1 Master-addons | 1 Master Addons | 2024-11-21 | N/A | 7.2 HIGH |
| The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Navigation Menu widget of the plugin's Mega Menu extension in all versions up to, and including, 2.0.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5536 | 1 Gamipress | 1 Gamipress - Link | 2024-11-21 | N/A | 6.4 MEDIUM |
| The GamiPress – Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gamipress_link shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5533 | 1 Elegantthemes | 1 Divi | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.25.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5529 | 1 Holoborodko | 1 Wp Quicklatex | 2024-11-21 | N/A | 4.8 MEDIUM |
| The WP QuickLaTeX WordPress plugin before 3.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||