9.8
CVE-2024-6159 - Push Notification for Post and BuddyPress <=1.93 - Multiple Unauthenticated SQLi
The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
5.4
CVE-2024-5440 - If-So Dynamic Content Personalization < 1.8.0.3 - Contributor+ Shortcode Stored XSS
The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Sโฆ
4.8
CVE-2024-5026 - CM Tooltip Glossary < 4.3.4 - Admin+ Stored XSS
The CM Tooltip Glossary WordPress plugin before 4.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
6.1
CVE-2024-13865 - drm-protected-video-streaming <= 4.2.1 - Reflected XSS
The S3Player WordPress plugin through 4.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
6.1
CVE-2024-13828 - Badgearoo <= 1.0.14 - Reflected XSS
The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
6.1
CVE-2024-13823 - 360 Product Rotation <= 1.5.8 - Reflected XSS
The 360 Product Rotation WordPress plugin through 1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
4.8
CVE-2024-13730 - Podlove Podcast Publisher < 4.2.1 - Admin+ Stored XSS
The Podlove Podcast Publisher WordPress plugin before 4.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
4.8
CVE-2024-13729 - Podlove Podcast Publisher < 4.1.24 - Admin+ Stored XSS
The Podlove Podcast Publisher WordPress plugin before 4.1.24 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
6.1
CVE-2024-13727 - MemberSpace โ Membership Plugin and Paid Subscriptions < 2.1.14 - Reflected XSS
The MemberSpace WordPress plugin before 2.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
4.8
CVE-2024-13621 - The GDPR Framework By Data443 < 2.2.0 - Admin+ Stored XSS
The GDPR Framework By Data443 WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).