9.8

CVSS3.1

CVE-2024-9634 - GiveWP – Donation Plugin and Fundraising Platform <= 3.16.3 - Unauthenticated PHP Object Injection …

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a…

📅 Published: Oct. 16, 2024, 2:05 a.m. 🔄 Last Modified: April 8, 2026, 5:17 p.m.

6.1

CVSS3.1

CVE-2024-9647 - Kama SpamBlock <= 1.8.2 - Reflected Cross-Site Scripting

The Kama SpamBlock plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST values in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in p…

📅 Published: Oct. 16, 2024, 2:05 a.m. 🔄 Last Modified: April 8, 2026, 5:03 p.m.

6.1

CVSS3.1

CVE-2024-9652 - Locatoraid Store Locator <= 3.9.47 - Reflected Cross-Site Scripting

The Locatoraid Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST keys in all versions up to, and including, 3.9.47 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scr…

📅 Published: Oct. 16, 2024, 2:05 a.m. 🔄 Last Modified: April 8, 2026, 5:01 p.m.

4.3

CVSS3.1

CVE-2024-9891 - Multiline files upload for contact form 7 <= 2.8.1 - Missing Authorization to Authenticated (Subscr…

The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for…

📅 Published: Oct. 16, 2024, 2:05 a.m. 🔄 Last Modified: April 8, 2026, 4:55 p.m.

8.1

CVSS3.1

CVE-2024-9305 - AppPresser – Mobile App Framework <= 4.4.4 - Privilege Escalation and Account Takeover via Weak OTP

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_password() and validate_reset_password() functions not having enough controls to prevent a successful brut…

📅 Published: Oct. 16, 2024, 2:05 a.m. 🔄 Last Modified: April 8, 2026, 4:49 p.m.

4.3

CVSS3.1

CVE-2024-9649 - WP ULike <= 4.7.4 - Cross-Site Request Forgery to Statistic Deletion

The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7.4. This is due to missing or incorrect nonce validation on the wp_ulike_delete_history_api() function. This makes it possible for un…

📅 Published: Oct. 16, 2024, 2:05 a.m. 🔄 Last Modified: April 8, 2026, 4:48 p.m.

5.6

CVSS3.1

CVE-2024-9104 - UltimateAI <= 2.8.3 - Limited User Password Change due to Improper Empty and Missing Default Value …

The UltimateAI plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.3. This is due to the improper empty value check and a missing default activated value check in the 'ultimate_ai_change_pass' function. This makes it possible for unauthenticated att…

📅 Published: Oct. 16, 2024, 2:05 a.m. 🔄 Last Modified: April 8, 2026, 4:48 p.m.

6.1

CVSS3.1

CVE-2024-8787 - Smart Online Order for Clover <= 1.5.7 - Reflected Cross-Site Scripting

The Smart Online Order for Clover plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to inje…

📅 Published: Oct. 16, 2024, 2:05 a.m. 🔄 Last Modified: April 8, 2026, 4:46 p.m.

4.7

CVSS3.1

CVE-2024-8541 - Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO …

The Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.5. Th…

📅 Published: Oct. 16, 2024, 2:05 a.m. 🔄 Last Modified: April 8, 2026, 4:45 p.m.

6.4

CVSS3.1

CVE-2024-9521 - SEO Manager <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta

The SEO Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and…

📅 Published: Oct. 16, 2024, 2:04 a.m. 🔄 Last Modified: April 8, 2026, 4:37 p.m.