9.1
CVE-2025-47928 - Spotipy repo vulnerable to secrets exfiltration via `pull_request_target`
Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on `.github/workflows/integration_tests.yml` followed by the checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be exβ¦
4.3
CVE-2024-8009 - Sensei LMS < 4.20.0 - Teacher+ Users Email Address Disclosure
The Sensei LMS WordPress plugin before 4.20.0 disclose all users of the blog including their email address to teachers on the students page
3.5
CVE-2024-6711 - Event Tickets with Ticket Scanner < 2.3.8 - Admin+ Stored XSS
The Event Tickets with Ticket Scanner WordPress plugin before 2.3.8 does not sanitise and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks
6.4
CVE-2024-4665 - EventPrime β Events Calendar, Bookings and Tickets < 3.5.0 - Subscriber+ Arbitrary booking settingβ¦
The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. Additionally, the feature is lacking a nonce.
3.5
CVE-2024-4091 - Responsive Gallery Grid < 2.3.15 - Admin+ Stored XSS
The Responsive Gallery Grid WordPress plugin before 2.3.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
3.5
CVE-2024-4004 - Advanced Cron Manager < 2.5.7 - Admin+ Stored XSS
The Advanced Cron Manager WordPress plugin before 2.5.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
3.5
CVE-2024-4002 - Carousel, Slider, Gallery by WP Carousel < 2.6.9 - Editor+ Stored XSS
The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in mβ¦
3.5
CVE-2024-3996 - Post Grid, Post Carousel, & List Category Posts < 2.4.28 - Editor+ Stored XSS
The Smart Post Show WordPress plugin before 2.4.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
6.8
CVE-2024-3901 - Genesis Blocks <= 3.1.3 - Contributor+ Stored XSS
The Genesis Blocks WordPress plugin through 3.1.3 does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the contributor role) to conduct Stored XSS attacks.
4.8
CVE-2024-3062 - Save as PDF by Pdfcrowd < 3.2.2 - Admin+ Stored XSS
The Save as Image Plugin by Pdfcrowd WordPress plugin before 3.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite β¦