8.2
CVE-2024-4856 - FS Product Inquiry <= 1.1.1 - Reflected XSS
The FS Product Inquiry WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users
5.3
CVE-2024-4750 - BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment
The buddyboss-platform WordPress plugin before 2.6.0 contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request
8.3
CVE-2024-4749 - WP eMember < 10.3.9 - Reflected XSS
The wp-eMember WordPress plugin before 10.3.9 does not sanitize and escape the "fieldId" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
9.1
CVE-2024-4180 - The Events Calendar < 6.4.0.1 - Reflected XSS
The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX.
6.1
CVE-2024-4057 - Gutenberg Blocks by Kadence Blocks < 3.2.37 - Contributor+ Stored XSS
The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.37 does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scriptinβ¦
5.4
CVE-2024-2470 - Simple Ajax Chat < 20240412 - Admin+ Stored XSS
The Simple Ajax Chat WordPress plugin before 20240412 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
5.4
CVE-2024-0757 - Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Author+ Upload to RCE
The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 is not properly filtering which file extensions are allowed to be imported on the server, allowing the uploading of malicious code within zip files
4.4
CVE-2024-4462 - Nafeza Prayer Time <= 1.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Nafeza Prayer Time plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissionβ¦
5.3
CVE-2024-4997 - WPUpper Share Buttons <= 3.43 - Missing Authorization
The WPUpper Share Buttons plugin for WordPress is vulnerable to unauthorized access of data when preparing sharing links for posts and pages in all versions up to, and including, 3.43. This makes it possible for unauthenticated attackers to obtain the contents of password protected posts and pages.
6.4
CVE-2024-4273 - Essential Real Estate <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortβ¦
The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auβ¦