4.8
CVE-2024-3918 - Pet Manager <= 1.4 - Contributor+ Stored XSS
The Pet Manager WordPress plugin through 1.4 does not sanitise and escape some of its Pet settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks.
6.1
CVE-2024-3917 - Pet Manager <= 1.4 - Reflected XSS
The Pet Manager WordPress plugin through 1.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
8.7
CVE-2024-3594 - IDonate <= 1.9.0 - Admin+ Stored XSS
The IDonate WordPress plugin through 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
3.5
CVE-2024-2220 - Button contact VR <= 4.7 - Admin+ Stored XSS
The Button contact VR WordPress plugin through 4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
6.4
CVE-2024-5177 - Hash Elements <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameterβ¦
The Hash Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within multiple widgets in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authentiβ¦
4.3
CVE-2024-3711 - Brizy β Page Builder <= 2.4.43 - Missing Authorization
The Brizy β Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for autβ¦
7.2
CVE-2024-4347 - WP Fastest Cache <= 1.2.6 - Authenticated (Administrator+) Arbitrary File Deletion
The WP Fastest Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.6 via the specificDeleteCache function. This makes it possible for authenticated attackers to delete arbitrary files on the server, which can include wp-config.php files of the aβ¦
4.3
CVE-2024-3626 - Email Subscribers by Icegram Express β Email Marketing, Newsletters, Automation for WordPress & Wooβ¦
The Email Subscribers by Icegram Express β Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content function in all versions up to, and including, 5.7.17. Thisβ¦
5.3
CVE-2024-5238 - Campcodes Complete Web-Based School Management System timetable_insert_form.php sql injection
A vulnerability, which was classified as critical, was found in Campcodes Complete Web-Based School Management System 1.0. This affects an unknown part of the file /view/timetable_insert_form.php. The manipulation of the argument grade leads to sql injection. It is possible to initiate the attack rβ¦
5.3
CVE-2024-5237 - Campcodes Complete Web-Based School Management System timetable_grade_wise.php sql injection
A vulnerability, which was classified as critical, has been found in Campcodes Complete Web-Based School Management System 1.0. Affected by this issue is some unknown functionality of the file /view/timetable_grade_wise.php. The manipulation of the argument grade leads to sql injection. The attack β¦