6.4
CVE-2024-4043 - WP Ultimate Post Grid <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg…
The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpupg-text' shortcode in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenti…
6.4
CVE-2024-3648 - ShareThis Share Buttons <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via sha…
The ShareThis Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sharethis-inline-button' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib…
5.3
CVE-2024-5240 - Campcodes Complete Web-Based School Management System unread_msg.php sql injection
A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /view/unread_msg.php. The manipulation of the argument my_index leads to sql injection. The attack may be initiated remotely. The…
8
CVE-2024-4835 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.
5.3
CVE-2024-5239 - Campcodes Complete Web-Based School Management System timetable_update_form.php sql injection
A vulnerability has been found in Campcodes Complete Web-Based School Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /view/timetable_update_form.php. The manipulation of the argument grade leads to sql injection. The attack can be initiated rem…
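Both Campcodes entries describe the same defect: a request parameter (my_index in unread_msg.php, grade in timetable_update_form.php) reaches the database query without being bound as a parameter. The following is an added illustration in plain PHP/mysqli of that pattern and its fix; it is not Campcodes code, and the table name, column names and query shape are assumptions.

```php
<?php
// Added example, not Campcodes code. The table 'messages' and its columns
// 'my_index' and 'is_read' are assumed for illustration.

// VULNERABLE: the raw request value is interpolated into the SQL text, so a
// value such as  1' OR '1'='1  (constructed input) rewrites the WHERE clause
// instead of being compared as data.
function unread_messages_vulnerable(mysqli $db, array $get): mysqli_result|false
{
    $index = $get['my_index'] ?? '';
    return $db->query("SELECT * FROM messages WHERE my_index = '$index' AND is_read = 0");
}

// HARDENED: enforce the expected type, then send the value as a bound parameter
// so the database never parses it as part of the statement.
function unread_messages_safe(mysqli $db, array $get): mysqli_result|false
{
    $index = $get['my_index'] ?? '';
    if (!is_string($index) || !ctype_digit($index)) {
        return false;                               // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT * FROM messages WHERE my_index = ? AND is_read = 0');
    if ($stmt === false) {
        return false;
    }
    $index = (int) $index;
    $stmt->bind_param('i', $index);                 // 'i' = integer placeholder
    $stmt->execute();
    return $stmt->get_result();
}
```

The type check is not a substitute for the prepared statement; it only narrows what the parameter can be. The prepared statement is what closes the injection, because the query text is fixed before any user data is supplied.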
9.1
CVE-2024-4399 - CAS <= 1.0.0 - Unauthenticated SSRF
CAS through 1.0.0 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks.
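The advisory says only that a parameter is not validated before the server requests it. The following is an added illustration, not the CAS code, of the check that is missing in such cases: the parameter name 'url', the allow-listed host and the use of file_get_contents() are assumptions.

```php
<?php
// Added example, not the CAS plugin's code. The parameter name 'url' and the
// allow-list entry are assumed for illustration.

const ALLOWED_HOSTS = ['api.example.com'];   // assumed: the only upstream this feature needs

// Accepts only http(s) URLs whose host is on the allow-list and whose resolved
// IPv4 address is public (not loopback, RFC 1918, link-local or reserved).
function is_safe_outbound_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                               // rejects file://, gopher://, php:// and friends
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                               // no credentials in the URL
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return false;
    }
    // Resolve and re-check: an allowed name can still point at an internal address.
    $ip = gethostbyname($host);
    if ($ip === $host) {
        return false;                               // resolution failed
    }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// VULNERABLE: the request parameter goes straight to the outbound fetch, so
// url=http://127.0.0.1/ or a cloud metadata address is fetched from the server.
function fetch_vulnerable(array $get): string|false
{
    return file_get_contents((string) ($get['url'] ?? ''));
}

// HARDENED: refuse anything that fails validation before any network activity.
function fetch_safe(array $get): string|false
{
    $url = (string) ($get['url'] ?? '');
    if (!is_safe_outbound_url($url)) {
        return false;
    }
    return file_get_contents($url);
}
```

Two caveats a reviewer would raise: gethostbyname() only returns IPv4, so a host with an internal AAAA record needs a separate check, and resolving in the validator and again in the fetch leaves a DNS-rebinding window; a complete fix pins the validated address for the actual connection. In WordPress, wp_safe_remote_get() applies checks of this kind through wp_http_validate_url().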
7.5
CVE-2024-4388 - CAS <= 1.0.0 - Unauthenticated Arbitrary File Access
CAS through 1.0.0 does not validate a path generated from user input when downloading files, allowing unauthenticated users to download arbitrary files from the server.
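For the path-validation defect, the following added example (not the CAS code) shows a download handler that builds a path from user input without checks beside one that canonicalises the path and tests containment before serving. The export directory and the 'file' parameter name are assumptions.

```php
<?php
// Added example, not the CAS plugin's code. DOWNLOAD_DIR and the 'file'
// parameter are assumed for illustration.

const DOWNLOAD_DIR = '/var/www/app/exports';   // assumed: only files under here may be served

// VULNERABLE: the parameter is joined onto the directory unchecked, so a value
// like ../../../../etc/passwd (constructed input) walks out of the export directory.
function download_vulnerable(array $get): void
{
    readfile(DOWNLOAD_DIR . '/' . (string) ($get['file'] ?? ''));
}

// Returns the canonical path of the requested file, or null unless it is a
// regular file inside DOWNLOAD_DIR. realpath() resolves '..' and symlinks, so
// the containment test runs on the path the filesystem will actually open.
function resolve_download(string $name): ?string
{
    if ($name === '' || strpbrk($name, "/\\\0") !== false) {
        return null;                   // flat namespace: no separators, no NUL byte
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The prefix must include the separator, otherwise /exports-private passes for /exports.
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// HARDENED: serve only what resolve_download() approves, with a filename
// header derived from the resolved path rather than from the request.
function download_safe(array $get): void
{
    $name = $get['file'] ?? '';
    $path = is_string($name) ? resolve_download($name) : null;
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}
```

The NUL check runs before realpath() on purpose: on PHP 8 a path containing a NUL byte makes realpath() throw rather than return false, and on older versions it could truncate the path.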
3.5
CVE-2024-3920 - Flattr <= 1.2.2 - Admin+ Stored XSS
The Flattr WordPress plugin through 1.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
4.8
CVE-2024-3918 - Pet Manager <= 1.4 - Contributor+ Stored XSS
The Pet Manager WordPress plugin through 1.4 does not sanitise and escape some of its Pet settings, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
6.1
CVE-2024-3917 - Pet Manager <= 1.4 - Reflected XSS
The Pet Manager WordPress plugin through 1.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
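The WordPress entries on this page fall into three output paths: shortcode attributes (CVE-2024-4043, CVE-2024-3648), plugin settings stored by users who may lack unfiltered_html (CVE-2024-3920, CVE-2024-3918), and a request parameter reflected into the page (CVE-2024-3917). The following added example, which is not code from any of these plugins, shows each path with the WordPress escaping it needs; the shortcode name, attribute names, option name and query parameter are assumptions. Shortcode attributes matter for the Contributor+ cases because post content from users without unfiltered_html passes through wp_kses, but text inside the square brackets of a shortcode is not HTML and so reaches the handler unfiltered.

```php
<?php
// Added example, not code from any plugin listed above. Runs inside WordPress;
// all names below (demo_text, demo_footer_note, demo_msg) are assumed.

// 1. Shortcode attributes are authored by anyone who can edit posts.
add_shortcode('demo_text', function ($atts) {
    $atts = shortcode_atts(['color' => '#000', 'text' => ''], $atts, 'demo_text');
    // VULNERABLE (what "insufficient output escaping" means):
    //   return '<span style="color:' . $atts['color'] . '">' . $atts['text'] . '</span>';
    // The shortcode parser accepts single-quoted values containing double quotes, so
    //   [demo_text color='red" onmouseover="alert(1)']   (constructed input)
    // would close the style attribute and add an event handler.
    return sprintf(
        '<span style="color:%s">%s</span>',
        esc_attr($atts['color']),   // HTML attribute context
        esc_html($atts['text'])     // HTML text context
    );
});

// 2. Settings: sanitize on save, so a high-privilege user who lacks unfiltered_html
//    (for example a site admin on multisite) cannot store markup that WordPress
//    itself would refuse, and filter again on output.
register_setting('demo_settings', 'demo_footer_note', [
    'type'              => 'string',
    'sanitize_callback' => 'wp_kses_post',   // drops <script>, on* handlers, javascript: URLs
]);
add_action('wp_footer', function () {
    // VULNERABLE:  echo get_option('demo_footer_note');
    echo wp_kses_post(get_option('demo_footer_note', ''));
});

// 3. Reflected parameter: anything read from the request and written back
//    must be escaped for the context it lands in.
add_action('admin_notices', function () {
    if (!isset($_GET['demo_msg']) || !is_string($_GET['demo_msg'])) {
        return;
    }
    // VULNERABLE:  echo '<div class="notice"><p>' . $_GET['demo_msg'] . '</p></div>';
    printf(
        '<div class="notice"><p>%s</p></div>',
        esc_html(wp_unslash($_GET['demo_msg']))
    );
});
```

Escaping is chosen by output context, not by input source: esc_attr() for attribute values, esc_html() for text nodes, esc_url() for href/src, and wp_kses_post() where limited HTML is intended. Sanitizing on save alone is not enough for the settings case, since the stored value may have been written before the sanitizer existed or through another path, which is why the output is filtered as well.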