6.1
CVE-2024-10522 - Co-marquage service-public.fr <= 0.5.76 - Reflected Cross-Site Scripting via add_query_arg Parameter
The Co-marquage service-public.fr plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.5.76. This makes it possible for unauthenticated attackers to inject arbitrary web s…
4.2
CVE-2024-11197 - Lock User Account <= 1.0.5 - User Lock Bypass
The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to …
6.4
CVE-2024-11412 - Shine PDF Embeder <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Shine PDF Embeder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shinepdf' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated at…
6.1
CVE-2024-11435 - salavat counter Plugin <= 0.9.4 - Reflected Cross-Site Scripting
The salavat counter Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 0.9.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w…
6.4
CVE-2024-11432 - SuevaFree Essential Kit <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
The SuevaFree Essential Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'counter' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authentic…
6.4
CVE-2024-11428 - Lazy load videos and sticky control <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scrip…
The Lazy load videos and sticky control plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lazy-load-videos-and-sticky-control' shortcode in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping on user supplied attribut…
4.3
CVE-2024-11354 - Ultimate YouTube Video & Shorts Player With Vimeo <= 3.3 - Missing Authorization to Authenticated (…
The Ultimate YouTube Video & Shorts Player With Vimeo plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the del_ytsingvid() function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscri…
6.1
CVE-2024-10726 - Friendly Functions for Welcart <= 1.2.4 - Cross-Site Request Forgery to Reflected Cross-Site Script…
The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious web…
6.1
CVE-2024-11370 - Subaccounts for WooCommerce <= 1.6.0 - Reflected Cross-Site Scripting
The Subaccounts for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to inject arbitrary web scri…
6.4
CVE-2024-9111 - Product Designer <= 1.0.36 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above…