5.4

CVSS3.1

CVE-2024-9711 - EKC Tournament Manager < 2.2.2 - Delete Tournaments via CSRF

The EKC Tournament Manager WordPress plugin before 2.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: May 28, 2025, 3:41 p.m.

5.4

CVSS3.1

CVE-2024-9709 - EKC Tournament Manager < 2.2.2 - Create Tournaments/Teams via CSRF

The EKC Tournament Manager WordPress plugin before 2.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: May 28, 2025, 3:41 p.m.

5.4

CVSS3.1

CVE-2024-9663 - CYAN Backup < 2.5.3 - Admin+ Stored XSS via Remote Storage Settings

The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:33 p.m.

5.4

CVSS3.1

CVE-2024-9662 - CYAN Backup < 2.5.3 - Admin+ Stored XSS via General Settings

The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:32 p.m.

5.4

CVSS3.1

CVE-2024-9645 - Post Grid and Gutenberg Blocks < 2.2.93 - Contributor+ Stored XSS

The Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry WordPress plugin before 2.2.93 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform St…

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 4, 2025, 8:06 p.m.

5.4

CVSS3.1

CVE-2024-9599 - Popup Box < 4.7.8 - Admin+ Stored XSS

The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 4, 2025, 8:06 p.m.

6.5

CVSS3.1

CVE-2024-9450 - Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking < 1.3.15 - Subscriber+…

The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in subscriber change them via a CSRF attack.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: Jan. 23, 2026, 7:32 p.m.

4.8

CVSS3.1

CVE-2024-9390 - RegistrationMagic < 6.0.2.1 - Stored XSS

The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 4, 2025, 8:07 p.m.

5.4

CVSS3.1

CVE-2024-9238 - AVIF & SVG Uploader <= 1.1.0 - Author+ Stored XSS via SVG Upload

The AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:31 p.m.

4.8

CVSS3.1

CVE-2024-9236 - Team Members Showcase < 4.4.2 - Editor+ Stored XSS

The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:43 p.m.