5.4
CVE-2024-4477 - WP Logs Book <= 1.0.1 - Unauthenticated Stored XSS
The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting
4.3
CVE-2024-4475 - WP Logs Book <= 1.0.1 - Log Clearing via CSRF
The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF attack
4.3
CVE-2024-4474 - WP Logs Book <= 1.0.1 - Disable Logging via CSRF
The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
4.8
CVE-2024-4384 - CSSable Countdown <= 1.5 - Admin+ Stored XSS
The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
4.3
CVE-2024-4382 - CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF
The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks
4.8
CVE-2024-4381 - CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS
The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
6.1
CVE-2024-4377 - DOP Shortcodes <= 1.2 - Contributor+ Stored XSS via Shortcode
The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
9.8
CVE-2024-5756 - Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23 - Unauthβ¦
The Email Subscribers by Icegram Express β Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied parameteβ¦
5.3
CVE-2024-3961 - ConvertKit <= 2.4.9 - Missing Authorization
The ConvertKit β Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenβ¦
8.8
CVE-2024-5455 - The Plus Addons for Elementor β Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <β¦
The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level aβ¦