6.1
CVE-2024-9378 - YML for Yandex Market <= 4.7.2 - Reflected Cross-Site Scripting
The YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 4.7.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we…
6.1
CVE-2024-9344 - BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images…
The BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 2.1.1 due to insufficient input sanitizatio…
6.1
CVE-2024-8800 - RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Op…
The RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Optimization, and more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and includi…
6.1
CVE-2024-9210 - MC4WP: Mailchimp Top Bar <= 1.6.0 - Reflected Cross-Site Scripting
The MC4WP: Mailchimp Top Bar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts…
6.1
CVE-2024-9222 - Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <=…
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.12.8. This makes …
6.1
CVE-2024-9225 - SEOPress – On-site SEO <= 8.1.1 - Reflected Cross-Site Scripting
The SEOPress – On-site SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 8.1.1. This makes it possible for unauthenticated attackers to inject arbi…
6.4
CVE-2024-9172 - Demo Importer Plus <= 2.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uplo…
The Demo Importer Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and abov…
6.4
CVE-2024-8967 - PWA — easy way to Progressive Web App <= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scriptin…
The PWA — easy way to Progressive Web App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-le…
5.4
CVE-2024-8254 - Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & Woo…
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does…
7.5
CVE-2024-7315 - Migration, Backup, Staging – WPvivid < 0.9.106 - Unauthenticated Sensitive Data Exposure
The Migration, Backup, Staging WordPress plugin before 0.9.106 does not use sufficient randomness in the filename that is created when generating a backup, which could be bruteforced by attackers to leak sensitive information about said backups.