4.3
CVE-2024-4969 - Widget Bundle <= 2.0.0 - Widget Disable/Enable via CSRF
The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack
4.8
CVE-2024-4755 - Google CSE <= 1.0.7 - Admin+ Stored XSS
The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
6.1
CVE-2024-4616 - Widget Bundle <= 2.0.0 - Unauthencated Reflected XSS
The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users
5.4
CVE-2024-4477 - WP Logs Book <= 1.0.1 - Unauthenticated Stored XSS
The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting
4.3
CVE-2024-4475 - WP Logs Book <= 1.0.1 - Log Clearing via CSRF
The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF attack
4.3
CVE-2024-4474 - WP Logs Book <= 1.0.1 - Disable Logging via CSRF
The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
4.8
CVE-2024-4384 - CSSable Countdown <= 1.5 - Admin+ Stored XSS
The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
4.3
CVE-2024-4382 - CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF
The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks
4.8
CVE-2024-4381 - CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS
The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
6.1
CVE-2024-4377 - DOP Shortcodes <= 1.2 - Contributor+ Stored XSS via Shortcode
The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks