5.4
CVE-2024-9838 - Auto Affiliate Links < 6.4.7 - Admin+ SQL Injection
The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
7.2
CVE-2024-9831 - Taskbuilder < 3.0.9 - Admin+ SQL Injection
The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
6.5
CVE-2024-9765 - EKC Tournament Manager < 2.2.2 - Local File Download Vulnerability
The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged-in admin to download system files outside of the WordPress directory.
5.4
CVE-2024-9711 - EKC Tournament Manager < 2.2.2 - Delete Tournaments via CSRF
The EKC Tournament Manager WordPress plugin before 2.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
5.4
CVE-2024-9709 - EKC Tournament Manager < 2.2.2 - Create Tournaments/Teams via CSRF
The EKC Tournament Manager WordPress plugin before 2.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
5.4
CVE-2024-9663 - CYAN Backup < 2.5.3 - Admin+ Stored XSS via Remote Storage Settings
The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
5.4
CVE-2024-9662 - CYAN Backup < 2.5.3 - Admin+ Stored XSS via General Settings
The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
5.4
CVE-2024-9645 - Post Grid and Gutenberg Blocks < 2.2.93 - Contributor+ Stored XSS
The Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry WordPress plugin before 2.2.93 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform St…
5.4
CVE-2024-9599 - Popup Box < 4.7.8 - Admin+ Stored XSS
The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
6.5
CVE-2024-9450 - Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking < 1.3.15 - Subscriber+…
The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in subscriber change them via a CSRF attack.