5.3
CVE-2024-7221 - SourceCodester/Campcodes School Log Management System manage_user.php sql injection
A vulnerability was found in SourceCodester/Campcodes School Log Management System 1.0. It affects an unknown part of the file /admin/manage_user.php. Manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit has been publicly disclosed and …
5.4
CVE-2024-6536 - Zephyr Project Manager < 3.3.99 - Editor+ XSS
The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high-privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multis…
6.5
CVE-2024-6230 - Pardakht Delkhah <= 2.9.8 - Form Fields Reset via CSRF
The Pardakht Delkhah (پلاگین پرداخت دلخواه) WordPress plugin through 2.9.8 does not have a CSRF check in place when resetting its form fields, which could allow attackers to make a logged-in admin perform this action via a CSRF attack
6.1
CVE-2024-6226 - WpStickyBar <= 2.1.0 - Reflected XSS
The WpStickyBar WordPress plugin through 2.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins
5.9
CVE-2024-6224 - Send email only on Reply to My Comment <= 1.0.6 - Stored XSS via CSRF
The Send email only on Reply to My Comment WordPress plugin through 1.0.6 does not have CSRF checks in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add stored XSS payloads via a CSRF attack
6.1
CVE-2024-6223 - Send email only on Reply to My Comment <= 1.0.6 - Reflected XSS
The Send email only on Reply to My Comment WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins
6.8
CVE-2024-6021 - Donation Block for PayPal <= 2.1.0 - Unauthenticated Stored XSS
The Donation Block For PayPal WordPress plugin through 2.1.0 does not sanitise and escape form submissions, leading to a stored cross-site scripting vulnerability
9.1
CVE-2024-5975 - CZ Loan Management <= 1.1 - Unauthenticated SQLi
The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
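What "an AJAX action available to unauthenticated users" looks like in a WordPress plugin, and why it matters for SQL injection: any handler hooked on wp_ajax_nopriv_* is reachable by anyone who can hit admin-ajax.php. The following is added example code, not the CZ Loan Management plugin's source; the table name, the action names and the parameters loan_id and applicant are assumptions made for the demo. The vulnerable handler concatenates the parameter into the query; the hardened ones bind it with $wpdb->prepare().

```php
<?php
/*
 * Illustrative unauthenticated AJAX handlers for a WordPress plugin. Added
 * example code, not the CZ Loan Management plugin's source. The table
 * "{$wpdb->prefix}loan_requests", the action names and the parameters
 * "loan_id" / "applicant" are assumptions for the demo.
 */

// VULNERABLE: the request parameter is concatenated into the SQL text.
// Because the handler is also hooked on wp_ajax_nopriv_*, anyone can call
//   GET /wp-admin/admin-ajax.php?action=demo_get_loan&loan_id=1%20OR%201=1
// and dump every row; UNION or time-based payloads work the same way.
function demo_get_loan_vulnerable() {
    global $wpdb;
    $loan_id = isset( $_GET['loan_id'] ) ? $_GET['loan_id'] : '';
    $rows    = $wpdb->get_results(
        "SELECT id, status FROM {$wpdb->prefix}loan_requests WHERE id = " . $loan_id
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_demo_get_loan', 'demo_get_loan_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_get_loan', 'demo_get_loan_vulnerable' );

// HARDENED: coerce to the expected type and bind it with $wpdb->prepare().
// A nopriv action is public by design, so the input can never be trusted;
// parameterisation removes the injection no matter who calls it.
function demo_get_loan_hardened() {
    global $wpdb;
    $loan_id = isset( $_GET['loan_id'] ) ? absint( $_GET['loan_id'] ) : 0;
    if ( 0 === $loan_id ) {
        wp_send_json_error( 'invalid loan_id', 400 ); // sends JSON and exits
    }
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, status FROM {$wpdb->prefix}loan_requests WHERE id = %d",
            $loan_id
        )
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_demo_get_loan_safe', 'demo_get_loan_hardened' );
add_action( 'wp_ajax_nopriv_demo_get_loan_safe', 'demo_get_loan_hardened' );

// The same rule for a string search. A bound %s stops injection, but "%" and
// "_" in user input are still LIKE wildcards: without $wpdb->esc_like() an
// applicant value of "%" returns every row in the table.
function demo_search_loans_hardened() {
    global $wpdb;
    $name = isset( $_GET['applicant'] ) ? sanitize_text_field( wp_unslash( $_GET['applicant'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'applicant is required', 400 );
    }
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, status FROM {$wpdb->prefix}loan_requests WHERE applicant LIKE %s LIMIT 50",
            '%' . $wpdb->esc_like( $name ) . '%'
        )
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_demo_search_loans', 'demo_search_loans_hardened' );
add_action( 'wp_ajax_nopriv_demo_search_loans', 'demo_search_loans_hardened' );
```

When reviewing a plugin for this class of bug, grep for wp_ajax_nopriv_ (and for register_rest_route callbacks whose permission_callback returns true) and follow each request parameter into $wpdb calls; any $wpdb->query()/get_results()/get_var() whose SQL string is built with interpolation or concatenation rather than prepare() is the finding.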
6.1
CVE-2024-5809 - WP Ajax Contact Form <= 2.2.2 - Reflected Cross-Site Scripting
The WP Ajax Contact Form WordPress plugin through 2.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin users
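Five of the entries above are the same root cause in different places: WpStickyBar, Send email only on Reply to My Comment and WP Ajax Contact Form reflect a request parameter into the page unescaped; Donation Block for PayPal stores unauthenticated form submissions unsanitised and shows them to admins later; Zephyr Project Manager stores editor-supplied settings raw, so a user who is denied unfiltered_html can still persist a script. The code below is an added illustration of each pattern beside its fix, not the source of any plugin named here; the option names, the parameter q and the field banner_html are assumptions for the demo.

```php
<?php
/*
 * Illustrative output and sanitisation code for a WordPress plugin. Added
 * example, not the source of any plugin listed on this page. Option names
 * "demo_submissions" / "demo_settings", the parameter "q" and the setting
 * "banner_html" are assumptions for the demo.
 */

// 1. Reflected XSS: a request parameter echoed straight back into the page.
// VULNERABLE: /wp-admin/admin.php?page=demo&q=%3Cscript%3E... runs in the
// admin's browser as soon as they follow an attacker-supplied link.
function demo_search_box_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<input type="text" name="q" value="' . $q . '">';
    echo '<p>Results for ' . $q . '</p>';
}
// HARDENED: sanitise on input, then escape for the exact output context
// (attribute vs. element text need different escapers).
function demo_search_box_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
    echo '<p>Results for ' . esc_html( $q ) . '</p>';
}

// 2. Stored XSS from a public form: the payload is saved once and fires for
// every admin who later opens the submissions screen. The vulnerable
// equivalent is update_option( 'demo_submissions', $_POST ) with no filtering.
function demo_store_submission( array $post ) {
    $clean = array(
        'name'    => sanitize_text_field( wp_unslash( $post['name'] ?? '' ) ),
        'email'   => sanitize_email( wp_unslash( $post['email'] ?? '' ) ),
        'message' => sanitize_textarea_field( wp_unslash( $post['message'] ?? '' ) ),
    );
    $all   = (array) get_option( 'demo_submissions', array() );
    $all[] = $clean;
    update_option( 'demo_submissions', $all );
    return $clean;
}
function demo_render_submissions() {
    foreach ( (array) get_option( 'demo_submissions', array() ) as $s ) {
        // Escape on output even though input was sanitised: the two are
        // separate controls, and rows stored before the fix are still dirty.
        printf(
            '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_html( $s['name'] ),
            esc_html( $s['email'] ),
            nl2br( esc_html( $s['message'] ) )
        );
    }
}

// 3. Settings written by editors and admins. Storing the raw value lets a
// user who lacks unfiltered_html (every non-super-admin on multisite) keep a
// <script> in the option. Honour the capability the way core does for post
// content: pass everything through wp_kses_post() unless the user has it.
function demo_sanitize_settings( $input ) {
    $input = (array) $input;
    $html  = isset( $input['banner_html'] ) ? (string) $input['banner_html'] : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        // wp_kses_post() keeps the post-content tag whitelist and strips
        // <script>, on* event handlers and javascript: URLs.
        $html = wp_kses_post( $html );
    }
    return array( 'banner_html' => $html );
}
add_action( 'admin_init', function () {
    register_setting( 'demo_group', 'demo_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'demo_sanitize_settings',
    ) );
} );
```

The sanitize_callback on register_setting() runs on every save through the Settings API, so it covers the admin screen without touching each form handler; output of banner_html should still go through wp_kses_post() when rendered, since the stored value may come from a super admin who was legitimately allowed raw HTML.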
4.3
CVE-2024-5808 - WP Ajax Contact Form <= 2.2.2 - Arbitrary Email Deletion via CSRF
The WP Ajax Contact Form WordPress plugin through 2.2.2 does not have a CSRF check in place when deleting emails from the email list, which could allow attackers to make a logged-in admin perform this action via a CSRF attack
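The three CSRF entries above (Pardakht Delkhah's form-field reset, Send email only on Reply to My Comment's settings, WP Ajax Contact Form's email deletion) share a misconception worth making concrete: a capability check is not a CSRF check. The victim is a logged-in admin, so current_user_can() passes; what is missing is proof that the admin, and not a page they happened to visit, issued the request. The code below is an added illustration, not the source of any of those plugins; the option name demo_email_list, the action names and the email parameter are assumptions for the demo.

```php
<?php
/*
 * Illustrative admin-post handlers for a WordPress plugin. Added example,
 * not the source of any plugin listed on this page. The option
 * "demo_email_list", the action names and the "email" parameter are
 * assumptions for the demo.
 */

// VULNERABLE: only the capability is checked. An attacker's page needs just
//   <img src="https://victim.example/wp-admin/admin-post.php?action=demo_delete_email&email=ceo%40example.com">
// and the admin's browser attaches the WordPress session cookies by itself.
function demo_delete_email_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $email = isset( $_REQUEST['email'] ) ? sanitize_email( wp_unslash( $_REQUEST['email'] ) ) : '';
    $list  = (array) get_option( 'demo_email_list', array() );
    update_option( 'demo_email_list', array_values( array_diff( $list, array( $email ) ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-emails' ) );
    exit;
}
add_action( 'admin_post_demo_delete_email', 'demo_delete_email_vulnerable' );

// HARDENED: require a nonce that only a page rendered for this user could
// carry. check_admin_referer() reads _wpnonce from the request, verifies it
// against the action string for the current user and session, and stops the
// request with a 403 when it is missing, forged or expired (nonces live at
// most 24 hours). The one added line is the whole fix.
function demo_delete_email_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_delete_email' );
    $email = isset( $_REQUEST['email'] ) ? sanitize_email( wp_unslash( $_REQUEST['email'] ) ) : '';
    $list  = (array) get_option( 'demo_email_list', array() );
    update_option( 'demo_email_list', array_values( array_diff( $list, array( $email ) ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-emails' ) );
    exit;
}
add_action( 'admin_post_demo_delete_email_safe', 'demo_delete_email_hardened' );

// Every delete link on the admin screen must carry the matching nonce;
// wp_nonce_url() appends _wpnonce=<token> for the same action string.
// add_query_arg() does not encode values, hence the explicit rawurlencode().
function demo_delete_link( $email ) {
    $url = add_query_arg(
        array( 'action' => 'demo_delete_email_safe', 'email' => rawurlencode( $email ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'demo_delete_email' );
}

// A "reset form fields" button submitted as a form works the same way:
// wp_nonce_field() prints the hidden _wpnonce input, and the handler hooked
// on admin_post_demo_reset_fields_safe calls check_admin_referer( 'demo_reset_fields' ).
function demo_reset_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_reset_fields_safe">';
    wp_nonce_field( 'demo_reset_fields' );
    submit_button( 'Reset fields' );
    echo '</form>';
}
```

For handlers served through admin-ajax.php the equivalent call is check_ajax_referer( 'action_string', 'nonce_field' ), and the token is usually passed to the front end with wp_create_nonce() via wp_localize_script(). Note that a nonce alone does not authorise anything: keep the current_user_can() check as well, since the nonce only proves the request originated from a page WordPress rendered for that user.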