6.4
CVE-2024-3559 - Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post…
The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfs[post_content]' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-le…
6.4
CVE-2024-4564 - CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More <= …
The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due to insuffici…
4.4
CVE-2024-5553 - Premium Addons for Elementor <= 4.10.33 - Authenticated (Contributor+) DOM-Based Stored Cross-Site …
The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via several parameters in all versions up to, and including, 4.10.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Cont…
8.1
CVE-2024-5543 - Slideshow Gallery LITE <= 1.8.1 - Authenticated (Contributor+) SQL Injection
The Slideshow Gallery LITE plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in all versions up to, and including, 1.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl…
6.4
CVE-2024-4892 - BuddyPress <= 12.4.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ parameter in versions up to, and including, 12.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permission…
9.1
CVE-2024-4315 - LFI Vulnerability due to Lack of Path Sanitization in parisneo/lollms
parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths (backward slash `\`), allowing attackers to perform directory traversal attacks on Windows…
6.8
CVE-2024-36103 -
OS command injection vulnerability in WRC-X5400GS-B v1.0.10 and earlier, and WRC-X5400GSA-B v1.0.10 and earlier allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.
6.1
CVE-2024-37629 -
SummerNote v0.9.1 is vulnerable to Cross Site Scripting (XSS) via the Code View Function.
6.3
CVE-2024-36691 -
Insecure permissions in the AdminController.AjaxSave() method of PPGo_Jobs v2.8.0 allows authenticated attackers to arbitrarily modify users' account information.
8.8
CVE-2024-37665 -
An access control issue in Wvp GB28181 Pro 2.0 allows authenticated attackers to escalate privileges to Administrator via a crafted POST request.