10
CVE-2024-8529 - LearnPress โ WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_fields'
The LearnPress โ WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sโฆ
6.1
CVE-2024-8622 - amCharts: Charts and Maps <= 1.4.4 - Reflected Cross-Site Scripting via Cross-Site Request Forgery
The amCharts: Charts and Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'amcharts_javascript' parameter in all versions up to, and including, 1.4.4 due to the ability to supply arbitrary JavaScript a lack of nonce validation on the preview functionality. This makeโฆ
6.1
CVE-2024-8056 - MM-Breaking News <= 0.7.9 - Reflected XSS
The MM-Breaking News WordPress plugin through 0.7.9 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
6.1
CVE-2024-8054 - MM-Breaking News <= 0.7.9 - Stored XSS via CSRF
The MM-Breaking News WordPress plugin through 0.7.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
4.3
CVE-2024-7862 - Blog Introduction <= 0.3.0 - Settings Update via CSRF
The blogintroduction-wordpress-plugin WordPress plugin through 0.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
6.1
CVE-2024-7861 - Misiek Paypal <= 1.1.20090324 - Stored XSS via CSRF
The Misiek Paypal WordPress plugin through 1.1.20090324 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
6.1
CVE-2024-7860 - Simple Headline Rotator <= 1.0 - Stored XSS via CSRF
The Simple Headline Rotator WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
6.5
CVE-2024-7859 - Visual Sound <= 1.03 - Settings Update via CSRF
The Visual Sound WordPress plugin through 1.03 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
6.1
CVE-2024-7822 - Quick Code <= 1.0 - Stored XSS via CSRF
The Quick Code WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
4.3
CVE-2024-7820 - ILC Thickbox <= 1.0 - Settings update via CSRF
The ILC Thickbox WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack