4.8
CVE-2024-4384 - CSSable Countdown <= 1.5 - Admin+ Stored XSS
The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
4.3
CVE-2024-4382 - CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF
The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks
4.8
CVE-2024-4381 - CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS
The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
6.1
CVE-2024-4377 - DOP Shortcodes <= 1.2 - Contributor+ Stored XSS via Shortcode
The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
9.8
CVE-2024-5756 - Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23 - Unauthβ¦
The Email Subscribers by Icegram Express β Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied parameteβ¦
5.3
CVE-2024-3961 - ConvertKit <= 2.4.9 - Missing Authorization
The ConvertKit β Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenβ¦
8.8
CVE-2024-5455 - The Plus Addons for Elementor β Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <β¦
The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level aβ¦
4.3
CVE-2023-3352 - Smush β Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush Lβ¦
The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgeβ¦
4.3
CVE-2024-1955 - Hide Dashboard Notifications <= 1.3 - Missing Authorization to Authenticated(Contributor+) Plugin Sβ¦
The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor accesβ¦
6.5
CVE-2024-1639 - License Manager for WooCommerce <= 3.0.7 - Improper Authorization to Authenticated(Contributor+) Seβ¦
The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with adβ¦