4.7
CVE-2024-5678 - SQL Injection
Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to an authenticated, admin-only SQL injection in the Create Monitor feature.
4.3
CVE-2024-5331 - Breakdance <= 1.7.2 - Missing Authorization
The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions.
6.4
CVE-2024-5330 - Breakdance <= 1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the breakdance_css_file_paths_cache parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contrib…
6.4
CVE-2024-7302 - Blog2Social: Social Media Auto Post & Scheduler <= 7.5.4 - Authenticated (Author+) Stored Cross-Sit…
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 3gp2 file uploads in all versions up to, and including, 7.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit…
7.1
CVE-2024-6529 - Ultimate Classified Listings < 1.4 - Reflected XSS
The Ultimate Classified Listings WordPress plugin before 1.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
6.5
CVE-2024-6496 - Light Poll <= 1.0.0 - Polls Deletion via CSRF
The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks when deleting polls, which could allow attackers to make logged-in users perform such an action via a CSRF attack.
4.8
CVE-2024-4090 - My Sticky Bar < 2.7.2 - Admin+ Stored XSS
The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_h…
8.1
CVE-2024-3983 - WooCommerce Customers Manager < 30.1 - Bulk Action via CSRF
The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting customers, via CSRF attacks.
4.8
CVE-2024-2872 - Swift Framework < 2024.04.30 - Contributor+ Stored XSS
The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…
6.5
CVE-2024-2843 - WooCommerce Customers Manager < 30.1 - User Deletion via CSRF
The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged-in admin users delete users via CSRF attacks.