5.5
CVE-2024-13848 - Reaction Buttons <= 2.1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Reaction Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions โฆ
4.3
CVE-2024-13687 - Team Builder โ Meet the Team <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Settingsโฆ
The Team Builder โ Meet the Team plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_team_builder_options() function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with Subscriber-levelโฆ
6.4
CVE-2024-13573 - Zigaform โ Form Builder Lite <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Zigaform โ Form Builder Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zgfm_rfvar' shortcode in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for aโฆ
7.2
CVE-2024-12314 - Rapid Cache <= 1.2.3 - Unauthenticated Cache Poisoning
The Rapid Cache plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 1.2.3. This is due to plugin storing HTTP headers in the cached data. This makes it possible for unauthenticated attackers to poison the cache with custom HTTP headers that may be unsanitizedโฆ
5.3
CVE-2024-13535 - Actionwear products sync <= 2.3.2 - Unauthenticated Full Patch Disclosure
The Actionwear products sync plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.3.2. This is due the composer-setup.php file being publicly accessible with 'display_errors' set to true. This makes it possible for unauthenticated attackers to retrieve โฆ
6.4
CVE-2024-13576 - Gumlet Video <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Gumlet Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gumlet' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackeโฆ
9.8
CVE-2024-13725 - Keap Official Opt-in Forms <= 2.0.1 - Unauthenticated Limited Local File Inclusion
The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those fโฆ
6.4
CVE-2024-12525 - Easy MLS Listings Import <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Easy MLS Listings Import plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'homeasap-featured-listings' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it poโฆ
6.4
CVE-2024-13588 - Simplebooklet PDF Viewer and Embedder <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scrโฆ
The Simplebooklet PDF Viewer and Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'simplebooklet' shortcode in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it poโฆ
8.8
CVE-2024-13852 - Option Editor <= 1.0 - Cross-Site Request Forgery to Arbitrary Options Update
The Option Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the plugin_page() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, granโฆ