4.8
CVE-2024-13053 - Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS via Theme Title
The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
4.8
CVE-2024-12874 - Top Comments <= 1.0 - Admin+ Stored Cross-Site Scripting
The Top Comments WordPress plugin through 1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
6.1
CVE-2024-12873 - Custom Field Manager <= 1.0 - Reflected XSS Vulnerability
The Custom Field Manager WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
7.5
CVE-2024-12812 - WP ERP < 1.13.4 - Custom+ Unauthorized Access to Terminated Employee Information
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees.
4.8
CVE-2024-12808 - WP ERP | Complete HR solution with recruitment < 1.13.4 - Admin+ Stored XSS
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltโฆ
4.8
CVE-2024-12800 - IP Based Login < 2.4.1 - Admin+ Stored XSS
The IP Based Login WordPress plugin before 2.4.1 does not sanitise values when importing, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
4.8
CVE-2024-12770 - WP ULike < 4.7.6 - Admin+ Stored XSS
The WP ULike WordPress plugin before 4.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
4.3
CVE-2024-12750 - Competition Form <= 2.0 - Competition Deletion via CSRF
The Competition Form WordPress plugin through 2.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
4.8
CVE-2024-12743 - MailPoet < 5.5.2 - Admin+ Stored XSS
The MailPoet WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
4.8
CVE-2024-12739 - Mobile Contact Bar < 3.0.5 - Admin+ Stored XSS
The Mobile Contact Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).