6.1
CVE-2024-11276 - PDF Builder for WooCommerce. Create invoices,packing slips and more <= 1.2.136 - Reflected Cross-Siβ¦
The PDF Builder for WooCommerce. Create invoices,packing slips and more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.2.136 due to insufficient input sanitization and output escaping. This makes it possible for β¦
6.1
CVE-2024-11368 - Splash Sync <= 2.0.7 - Reflected Cross-Site Scripting
The Splash Sync plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages thaβ¦
6.1
CVE-2024-11336 - Clickbank WordPress Plugin (Storefront) <= 1.7 - Cross-Site Request Forgery to Stored Cross-Site Scβ¦
The Clickbank WordPress Plugin (Storefront) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing or incorrect nonce validation via the cs_menu page. This makes it possible for unauthenticated attackers to update settings β¦
4.3
CVE-2024-12027 - Message Filter for Contact Form 7 <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Fβ¦
The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateFilter() and deleteFilter() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with suβ¦
8.8
CVE-2024-11323 - AI Quiz | Quiz Maker <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Optionβ¦
The AI Quiz | Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ai_quiz_update_style() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackeβ¦
5.4
CVE-2024-9866 - Event Tickets with Ticket Scanner <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Sβ¦
The Event Tickets with Ticket Scanner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data' parameters in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping and missing authorization on the functionality to manage tickets. β¦
4.3
CVE-2024-9705 - Ultimate Coming Soon & Maintenance <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) β¦
The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ucsm_update_template_name_lite' function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subβ¦
6.4
CVE-2024-10849 - NewsMash <= 1.0.71 - Authenticated (Contributor+) Stored Cross-Site Scripting
The NewsMash theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 1.0.71 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and aβ¦
5.3
CVE-2024-11292 - WP Private Content Plus <= 3.6.1 - Unauthenticated Content Restriction Bypass to Sensitive Informatβ¦
The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to β¦
4.3
CVE-2024-11444 - CLUEVO LMS, E-Learning Platform <= 1.13.2 - Cross-Site Request Forgery to Module Deletion
The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.13.2. This is due to missing or incorrect nonce validation on the cluevo_render_module_ui() function. This makes it possible for unauthenticated attackers to β¦