Total
30576 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8056 | 1 Mm-breaking News Project | 1 Mm-breaking News | 2024-09-27 | N/A | 6.1 MEDIUM |
| The MM-Breaking News WordPress plugin through 0.7.9 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | |||||
| CVE-2024-6493 | 1 Ninjateam | 1 Header Footer Custom Code | 2024-09-27 | N/A | 4.8 MEDIUM |
| The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-6617 | 1 Ninjateam | 1 Header Footer Custom Code | 2024-09-27 | N/A | 4.8 MEDIUM |
| The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-7133 | 1 Premio | 1 My Sticky Bar | 2024-09-27 | N/A | 4.8 MEDIUM |
| The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-7860 | 1 Outtolunchproductions | 1 Simple Headline Rotator | 2024-09-27 | N/A | 6.1 MEDIUM |
| The Simple Headline Rotator WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2024-7861 | 1 Michalaugustyniak | 1 Misiek Paypal | 2024-09-27 | N/A | 6.1 MEDIUM |
| The Misiek Paypal WordPress plugin through 1.1.20090324 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2024-6850 | 1 Majeedraza | 1 Carousel Slider | 2024-09-27 | N/A | 4.8 MEDIUM |
| The Carousel Slider WordPress plugin before 2.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2024-5170 | 1 Wp-master | 1 Logo Manager For Enamad | 2024-09-27 | N/A | 4.8 MEDIUM |
| The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-7818 | 1 Michalaugustyniak | 1 Misiek Photo Album | 2024-09-27 | N/A | 6.1 MEDIUM |
| The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2024-7822 | 1 Gwycon | 1 Quick Code | 2024-09-27 | N/A | 6.1 MEDIUM |
| The Quick Code WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2024-7629 | 1 Kirstyburgoine | 1 Responsive Video | 2024-09-27 | N/A | 5.4 MEDIUM |
| The Responsive video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's video settings function in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires responsive videos to be enabled for posts. | |||||
| CVE-2024-8665 | 1 Yithemes | 1 Yith Custom Login | 2024-09-27 | N/A | 6.1 MEDIUM |
| The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-8543 | 1 Artembovkun | 1 Slider Comparison Image Before And After | 2024-09-27 | N/A | 5.4 MEDIUM |
| The Slider comparison image before and after plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [sciba] shortcode in all versions up to, and including, 0.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-47227 | 1 Iredmail | 1 Iredadmin | 2024-09-27 | N/A | 6.1 MEDIUM |
| iRedAdmin before 2.6 allows XSS, e.g., via order_name. | |||||
| CVE-2024-8663 | 1 Wpsimplebookingcalendar | 1 Wp Simple Booking Calendar | 2024-09-27 | N/A | 6.1 MEDIUM |
| The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-9077 | 1 Gitapp | 1 Dingfanzu | 2024-09-27 | 4.0 MEDIUM | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in dingfangzu up to 29d67d9044f6f93378e6eb6ff92272217ff7225c. Affected is an unknown function of the file scripts/order.js of the component Order Checkout. The manipulation of the argument address-name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-8742 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2024-09-27 | N/A | 5.4 MEDIUM |
| The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-9092 | 1 Rems | 1 Profile Registration Without Reload\/refresh | 2024-09-27 | 4.0 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in SourceCodester Profile Registration without Reload Refresh 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file add.php of the component Registration Form. The manipulation of the argument full_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
| CVE-2024-9089 | 1 Mayurik | 1 Modern Loan Management System | 2024-09-27 | 4.0 MEDIUM | 5.4 MEDIUM |
| A vulnerability was found in SourceCodester Modern Loan Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file update_loan_record.php. The manipulation of the argument amount leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9083 | 1 Razormist | 1 Employee Management System | 2024-09-27 | 3.3 LOW | 4.8 MEDIUM |
| A vulnerability classified as problematic has been found in SourceCodester Employee Management System 1.0. This affects an unknown part of the file /Admin/add-admin.php. The manipulation of the argument txtfullname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||