7.5
CVE-2024-12812 - WP ERP < 1.13.4 - Custom+ Unauthorized Access to Terminated Employee Information
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees.
4.8
CVE-2024-12808 - WP ERP | Complete HR solution with recruitment < 1.13.4 - Admin+ Stored XSS
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltโฆ
4.8
CVE-2024-12800 - IP Based Login < 2.4.1 - Admin+ Stored XSS
The IP Based Login WordPress plugin before 2.4.1 does not sanitise values when importing, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
4.8
CVE-2024-12770 - WP ULike < 4.7.6 - Admin+ Stored XSS
The WP ULike WordPress plugin before 4.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
4.3
CVE-2024-12750 - Competition Form <= 2.0 - Competition Deletion via CSRF
The Competition Form WordPress plugin through 2.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
4.8
CVE-2024-12743 - MailPoet < 5.5.2 - Admin+ Stored XSS
The MailPoet WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
4.8
CVE-2024-12739 - Mobile Contact Bar < 3.0.5 - Admin+ Stored XSS
The Mobile Contact Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
7.2
CVE-2024-12735 - Advance Post Prefix <= 1.1.1 - Admin+ SQL Injection
The Advance Post Prefix WordPress plugin through 1.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins and above to perform SQL injection attacks
6.1
CVE-2024-12734 - Advance Post Prefix <= 1.1.1 - Reflected XSS
The Advance Post Prefix WordPress plugin through 1.1.1, Advance Post Prefix WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
6.1
CVE-2024-12733 - AffiliateImporterEb <= 1.0.6 - Reflected XSS via Search
The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.