2.4
CVE-2024-3823 - Base64 Encoder/Decoder <= 0.9.2 - Stored XSS via CSRF
The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
4.8
CVE-2024-3822 - Base64 Encoder/Decoder <= 0.9.2 - Reflected XSS
The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
6.5
CVE-2024-3749 - SP Project & Document Manager <= 4.71 - Subscriber+ File Download via IDOR
The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another user
6.5
CVE-2024-3748 - SP Project & Document Manager <= 4.71 - Data Update via IDOR
The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a file was uploaded by another user
4.8
CVE-2024-3634 - month name translation benaceur < 2.3.8 - Admin+ Stored XSS
The month name translation benaceur WordPress plugin before 2.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite sโฆ
4.3
CVE-2024-3631 - HL Twitter <= 2014.1.18 - Unlink Twitter Account via CSRF
The HL Twitter WordPress plugin through 2014.1.18 does not have CSRF check when unlinking twitter accounts, which could allow attackers to make logged in admins perform such actions via a CSRF attack
5.4
CVE-2024-3630 - HL Twitter <= 2014.1.18 - Admin+ Stored XSS via Widget
The HL Twitter WordPress plugin through 2014.1.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
2.4
CVE-2024-3629 - HL Twitter <= 2014.1.18 - Settings Update via CSRF
The HL Twitter WordPress plugin through 2014.1.18 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
6.1
CVE-2024-3548 - Shortcodes Ultimate < 7.1.2 - Contributor+ Stored XSS
The WP Shortcodes Plugin โ Shortcodes Ultimate WordPress plugin before 7.1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
5.3
CVE-2024-3407 - WP Prayer <= 2.0.9 - Arbitrary Prayer Deletion via CSRF
The WP Prayer WordPress plugin through 2.0.9 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks