6.1
CVE-2024-9652 - Locatoraid Store Locator <= 3.9.47 - Reflected Cross-Site Scripting
The Locatoraid Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST keys in all versions up to, and including, 3.9.47 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrβ¦
4.3
CVE-2024-9891 - Multiline files upload for contact form 7 <= 2.8.1 - Missing Authorization to Authenticated (Subscrβ¦
The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible forβ¦
8.1
CVE-2024-9305 - AppPresser β Mobile App Framework <= 4.4.4 - Privilege Escalation and Account Takeover via Weak OTP
The AppPresser β Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_password() and validate_reset_password() functions not having enough controls to prevent a successful brutβ¦
4.3
CVE-2024-9649 - WP ULike <= 4.7.4 - Cross-Site Request Forgery to Statistic Deletion
The WP ULike β The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7.4. This is due to missing or incorrect nonce validation on the wp_ulike_delete_history_api() function. This makes it possible for unβ¦
5.6
CVE-2024-9104 - UltimateAI <= 2.8.3 - Limited User Password Change due to Improper Empty and Missing Default Value β¦
The UltimateAI plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.3. This is due to the improper empty value check and a missing default activated value check in the 'ultimate_ai_change_pass' function. This makes it possible for unauthenticated attβ¦
6.1
CVE-2024-8787 - Smart Online Order for Clover <= 1.5.7 - Reflected Cross-Site Scripting
The Smart Online Order for Clover plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to injeβ¦
4.7
CVE-2024-8541 - Discount Rules for WooCommerce β Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO β¦
The Discount Rules for WooCommerce β Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.5. Thβ¦
6.4
CVE-2024-9521 - SEO Manager <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
The SEO Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level andβ¦
6.1
CVE-2024-10033 - Aap-gateway: xss on aap-gateway
A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions aβ¦
6.1
CVE-2024-48744 -
A Reflected Cross Site Scripting (XSS) vulnerability was found in /trms/listed- teachers.php in PHPGurukul Teachers Record Management System v2.1, which allows remote attackers to execute arbitrary code via "searchinput" POST request parameter.