7.2
CVE-2024-5807 - Business Card <= 1.0.0 - Admin+ File Upload
The Business Card WordPress plugin through 1.0.0 does not prevent high privilege users like administrators from uploading malicious PHP files, which could allow them to run arbitrary code on servers hosting their site, even in MultiSite configurations.
5.3
CVE-2024-7220 - SourceCodester/Campcodes School Log Management System print_barcode.php sql injection
A vulnerability was found in SourceCodester/Campcodes School Log Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/print_barcode.php. The manipulation of the argument tbl results in sql injection. It is possible to launch the attack remotely. The exploitβ¦
9.8
CVE-2024-5765 - WpStickyBar <= 2.1.0 - Unauthenticated SQLi
The WpStickyBar WordPress plugin through 2.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
5.9
CVE-2024-4096 - Responsive Tabs <= 4.0.8 - Contributor+ Stored XSS
The Responsive Tabs WordPress plugin through 4.0.8 does not sanitise and escape some of its Tab settings, which could allow high privilege users such as Contributors and above to perform Stored Cross-Site Scripting attacks
4.8
CVE-2024-3986 - SportsPress < 2.7.22 - Admin+ Stored XSS
The SportsPress WordPress plugin before 2.7.22 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
6.8
CVE-2024-3669 - Web Directory Free < 1.7.2 - Reflected XSS
The Web Directory Free WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
5.9
CVE-2024-3113 - FormFlow < 2.12.2 - Admin+ Stored XSS
The FormFlow: WhatsApp Social and Advanced Form Builder with Easy Lead Collection WordPress plugin before 2.12.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabβ¦
6.5
CVE-2024-1287 - Paid Memberships Pro - Member Directory Add On < 1.2.6 - Contributor+ Sensitive Information Disclosβ¦
The pmpro-member-directory WordPress plugin before 1.2.6 does not prevent users with at least the contributor role from leaking other users' sensitive information, including password hashes via an SQLi vector.
4.9
CVE-2024-1286 - Paid Memberships Pro - Membership Maps Add On < 0.7 - Contributor+ Sensitive Information Disclosure
The pmpro-membership-maps WordPress plugin before 0.7 does not prevent users with at least the contributor role from leaking sensitive information about users with a membership on the site.
6.9
CVE-2024-7219 - SourceCodester/Campcodes School Log Management System ajax.php sql injection
A vulnerability has been found in SourceCodester/Campcodes School Log Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack rβ¦