5.9
CVE-2024-37432 - WordPress Esteem theme <= 1.5.0 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ThemeGrill Esteem allows Stored XSS.This issue affects Esteem: from n/a through 1.5.0.
7.1
CVE-2024-37433 - WordPress Mailster plugin <= 4.0.9 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EverPress Mailster mailster.This issue affects Mailster: from n/a through <= 4.0.9.
5.9
CVE-2024-37434 - WordPress Atarim plugin <= 3.31 - Authenticated Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vito Peleg Atarim atarim-visual-collaboration.This issue affects Atarim: from n/a through <= 3.31.
7.1
CVE-2024-37436 - WordPress Uncanny Toolkit Pro for LearnDash plugin < 4.1.4.1 - Reflected Cross Site Scripting (XSS)โฆ
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit Pro for LearnDash allows Reflected XSS.This issue affects Uncanny Toolkit Pro for LearnDash: from n/a before 4.1.4.1.
6.5
CVE-2024-37445 - WordPress HTML5 Audio Player plugin <= 2.2.23 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in bPlugins Html5 Audio Player allows Stored XSS.This issue affects Html5 Audio Player: from n/a through 2.2.23.
5.4
CVE-2024-6271 - Community Events < 1.5 - Event Deletion via CSRF
The Community Events WordPress plugin before 1.5 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete arbitrary events via a CSRF attack
8.8
CVE-2024-6244 - pz-frontend-manager < 1.0.6 - CSRF change user profile picture
The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
4.8
CVE-2024-6243 - HTML Forms < 1.3.33 - Admin+ Stored XSS
The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled.
8.8
CVE-2024-5973 - MasterStudy LMS < 3.3.24 - Privilege Escalation to Instructor
The MasterStudy LMS WordPress Plugin WordPress plugin before 3.3.24 does not prevent students from creating instructor accounts, which could be used to get access to functionalities they shouldn't have.
4.8
CVE-2024-5529 - WP QuickLaTeX < 3.8.8 - Admin+ Stored XSS
The WP QuickLaTeX WordPress plugin before 3.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).