6.4
CVE-2024-11899 - Slider Pro Lite <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Slider Pro Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sliderpro' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated a…
5.3
CVE-2024-12559 - ClickDesigns <= 1.8.0 - Missing Authorization to API Key Modification or Removal
The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesigns_add_api' and the 'clickdesigns_remove_api' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to m…
6.1
CVE-2024-12098 - ARS Affiliate Page Plugin <= 2.0.2 - Reflected Cross-Site Scripting
The ARS Affiliate Page Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'utm_keyword' parameter in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a…
6.4
CVE-2024-12592 - Sellsy <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Sellsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'testSellsy' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers…
6.4
CVE-2024-11777 - Sell Media <= 2.5.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Sell Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sell_media_search_form_gutenberg' shortcode in all versions up to, and including, 2.5.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible…
7.5
CVE-2024-12416 - Woomotiv <= 3.6.1 - Unauthenticated SQL Injection
The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to SQL Injection via the 'woomotiv_seen_products_.*' cookie in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the exi…
5.4
CVE-2024-12541 - Chative Live chat and Chatbot <= 1.1 - Cross-Site Request Forgery via add_chative_widget_action Fun…
The Chative Live chat and Chatbot plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the add_chative_widget_action() function. This makes it possible for unauthenticated attackers to cha…
6.5
CVE-2024-12419 - Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.1 - Unauthenticated Arbitr…
The The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before r…
6.4
CVE-2024-12528 - WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress <= 1.7.5 - Authenticated (Cont…
The WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsurveypoll_results' shortcode in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping on user…
6.4
CVE-2024-11934 - Formaloo Form Maker & Customer Analytics for WordPress & WooCommerce <= 2.1.3.2 - Authenticated (Co…
The Formaloo Form Maker & Customer Analytics for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formaloo' shortcode in all versions up to, and including, 2.1.3.2 due to insufficient input sanitization and output escaping. This makes it possible fo…