6.4
CVE-2024-11433 - Surbma | SalesAutopilot Shortcode <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Surbma | SalesAutopilot Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sa-form' shortcode in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for aโฆ
6.4
CVE-2024-11914 - Gutenberg Blocks and Page Layouts โ Attire Blocks <= 1.9.5 - Authenticated (Contributor+) Stored Crโฆ
The Gutenberg Blocks and Page Layouts โ Attire Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'attire-blocks/post-carousel' block in all versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authโฆ
6.4
CVE-2024-11427 - Catch Popup <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Catch Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catch-popup' shortcode in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attโฆ
6.1
CVE-2024-11279 - Schema App Structured Data <= 2.2.4 - Reflected Cross-Site Scripting
The Schema App Structured Data plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.4. This makes it possible for unauthenticated attackers to inject arbitrary web scripโฆ
8.8
CVE-2024-11689 - HQ Rental Software <= 1.5.29 - Cross-Site Request Forgery to Arbitrary Options Update
The HQ Rental Software plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.29. This is due to missing or incorrect nonce validation on the displaySettingsPage() function. This makes it possible for unauthenticated attackers to update arbitrary โฆ
6.4
CVE-2024-11413 - HostFact bestelformulier integratie <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scriptiโฆ
The HostFact bestelformulier integratie plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bestelformulier' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possโฆ
6.5
CVE-2024-11430 - SQL Chart Builder <= 2.3.6 - Authenticated (Contributor+) SQL Injection
The SQL Chart Builder plugin for WordPress is vulnerable to SQL Injection via the 'arg1' arg of the 'gvn_schart_2' shortcode in all versions up to, and including, 2.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This maโฆ
4.3
CVE-2024-12341 - Custom Skins Contact Form 7 <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitraryโฆ
The Custom Skins Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf7cs_action_callback' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level acceโฆ
6.4
CVE-2024-11442 - Horizontal scroll image slideshow <= 10.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Horizontal scroll image slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'horizontal-scroll-image-slideshow' shortcode in all versions up to, and including, 10.1 due to insufficient input sanitization and output escaping on user supplied attributes. Tโฆ
8.5
CVE-2024-42407 -
Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access. This issue affects: Command Centre Server 9.10 prior tโฆ