4.8
CVE-2024-9768 - Formidable Forms < 6.14.1 - Admin+ Stored XSS
The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
4.8
CVE-2024-9600 - Ditty < 3.1.47 - Author+ Stored XSS
The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.
4.3
CVE-2024-8157 - Alphabetical List <= 1.0.3 - Settings Update via CSRF
The Alphabetical List WordPress plugin through 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
4.8
CVE-2024-5029 - CM Table Of Contents – WordPress TOC Plugin < 1.2.4 - Stored XSS via CSRF
The CM Table Of Contents WordPress plugin before 1.2.4 does not have a CSRF check when updating its settings and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
5.4
CVE-2024-10482 - Media Library Tools < 1.5.0 - Author+ Stored XSS via SVG
The Media File Rename, Find Unused File, Add Alt text, Caption, Desc For Image SEO WordPress plugin before 1.5.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
8.5
CVE-2024-7517 - Privilege escalation via crafted use of portcfg command
A command injection vulnerability in Brocade Fabric OS before 9.2.0c, and 9.2.1 through 9.2.1a on IP extension platforms could allow a local authenticated attacker to perform a privilege escalation via crafted use of the portcfg command. This specific exploitation is only possible on IP Extension…
5.9
CVE-2024-10403 - SFTP/FTP password could be captured in plain text in Supportsave generated from SANnav
Brocade Fabric OS versions before 8.2.3e2, versions 9.0.0 through 9.2.0c, and 9.2.1 through 9.2.1a can capture the SFTP/FTP server password used for a firmware download operation initiated by SANnav or through WebEM in a weblinker core dump that is later captured via supportsave.
4.3
CVE-2024-10671 - Button Block – Get fully customizable & multi-functional buttons <= 1.1.4 - Authenticated (Contribu…
The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.4 via the [btn_block] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authe…
4.3
CVE-2024-11334 - My Contador lesr <= 2.0 - Missing Authorization to Unauthenticated User Registration CSV Export
The My Contador lesr plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportar_registros() function in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to export user data.
7.2
CVE-2024-10788 - Activity Log – Monitor & Record User Changes <= 2.11.1 - Unauthenticated Stored Cross-Site Scriptin…
The Activity Log – Monitor & Record User Changes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event parameters in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t…