7.1
CVE-2024-13668 - WordPress Activity O Meter <= 1 - Reflected XSS
The WordPress Activity O Meter WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins.
4.8
CVE-2024-9458 - Reservit Hotel < 3.0 - Admin+ Stored XSS
The Reservit Hotel WordPress plugin before 3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
5.5
CVE-2024-13857 - WPGet API <= 2.2.10 - Authenticated (Administrator+) Server-Side Request Forgery
The WPGet API β Connect to any external REST API plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locationsβ¦
4.3
CVE-2024-13635 - VK Blocks <= 1.94.2.2 - Missing Authorization to Sensitive Information Exposure
The VK Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.94.2.2 via the page content block. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the content β¦
4.3
CVE-2024-13552 - SupportCandy β Helpdesk & Customer Support Ticket System <= 3.3.0 - Insecure Direct Object Reference
The SupportCandy β Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.0 via file upload due to missing validation on a user controlled key. This makes it possible for authenticated attackers to dβ¦
6.4
CVE-2024-13805 - Advanced File Manager <= 5.2.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG Fβ¦
The Advanced File Manager β Ultimate WordPress File Manager and Document Library Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.2.14 due to insufficient input sanitization and output escaping. This makes it possiβ¦
6.1
CVE-2024-13431 - Appointment Booking Calendar β Simply Schedule Appointments Booking Plugin <= 1.6.8.3 - Reflected Cβ¦
The Appointment Booking Calendar β Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the accent_color and background parameter in all versions up to, and including, 1.6.8.3 due to insufficient input sanitization and output escaping.β¦
9.8
CVE-2024-12876 - Golo - Directory & Listing, Travel WordPress Theme <= 1.6.10 - Missing Authorization to Privilege Eβ¦
The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.10. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for β¦
9.8
CVE-2025-1315 - InWave Jobs <= 3.5.1 - Unauthenticated Privilege Escalation via Password Reset
The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to chβ¦
8.8
CVE-2025-0959 - Eventer - WordPress Event & Booking Manager Plugin <= 3.9.9.2 - Authenticated (Subscriber+) SQL Injβ¦
The Eventer - WordPress Event & Booking Manager Plugin plugin for WordPress is vulnerable to SQL Injection via the reg_id parameter in all versions up to, and including, 3.9.9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.β¦