Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13441 | 1 Ylefebvre | 1 Bilingual Linker | 2025-02-04 | N/A | 5.4 MEDIUM |
| The Bilingual Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bl_otherlang_link_1 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-13458 | 1 Notice | 1 Notice Faq | 2025-02-04 | N/A | 5.4 MEDIUM |
| The WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-13467 | 1 Mr-kalathiya | 1 Wp Contect Form7 Email Spam Blocker | 2025-02-04 | N/A | 6.1 MEDIUM |
| The WP Contact Form7 Email Spam Blocker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-12334 | 1 Codexpert | 1 Wc Affiliate | 2025-02-04 | N/A | 6.1 MEDIUM |
| The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-13548 | 1 Wppug | 1 Power Ups For Elementor | 2025-02-04 | N/A | 5.4 MEDIUM |
| The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-30788 | 1 Monicahq | 1 Monica | 2025-02-04 | N/A | 5.4 MEDIUM |
| MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people/add` endpoint and nickName, description, lastName, middleName and firstName parameter. | |||||
| CVE-2024-13470 | 1 Ninjaforms | 1 Ninja Forms | 2025-02-04 | N/A | 5.4 MEDIUM |
| The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.8.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-13586 | 1 Dineshrawat | 1 Masy Gallery | 2025-02-04 | N/A | 5.4 MEDIUM |
| The Masy Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'justified-gallery' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-13599 | 1 Thimpress | 1 Learnpress | 2025-02-04 | N/A | 5.4 MEDIUM |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated attackers, with LP Instructor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-10847 | 1 Sellerthemes | 1 Storely | 2025-02-04 | N/A | 5.4 MEDIUM |
| The Storely theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 16.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-11829 | 1 Posimyth | 1 The Plus Addons For Elementor | 2025-02-04 | N/A | 5.4 MEDIUM |
| The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Widget's searchable_label parameter in all versions up to, and including, 6.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-3588 | 1 Motopress | 1 Getwid | 2025-02-04 | N/A | 5.4 MEDIUM |
| The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block in all versions up to, and including, 2.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1948 | 1 Motopress | 1 Getwid | 2025-02-04 | N/A | 5.4 MEDIUM |
| The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block content in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-3053 | 1 Incsub | 1 Forminator | 2025-02-04 | N/A | 5.4 MEDIUM |
| The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ forminator_form shortcode attribute in versions up to, and including, 1.29.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-2783 | 1 Gamipress | 1 Gamipress | 2025-02-04 | N/A | 5.4 MEDIUM |
| The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-13505 | 1 Ays-pro | 1 Survey Maker | 2025-02-04 | N/A | 4.8 MEDIUM |
| The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ays_sections[5][questions][8][title]’ parameter in all versions up to, and including, 5.1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2025-0844 | 1 Needyamin | 1 Library Card System | 2025-02-04 | N/A | 6.1 MEDIUM |
| A vulnerability was found in needyamin Library Card System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file signup.php of the component Registration Page. The manipulation of the argument firstname/lastname/email/borrow/user_address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
| CVE-2024-34064 | 2025-02-04 | N/A | N/A | ||
| Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4. | |||||
| CVE-2023-25347 | 1 Churchcrm | 1 Churchcrm | 2025-02-04 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" Input Field in EventEditor.php. | |||||
| CVE-2022-28354 | 1 Mybb | 1 Active Threads | 2025-02-04 | N/A | 6.1 MEDIUM |
| In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period. | |||||