6.1
CVE-2024-8663 - WP Simple Booking Calendar <= 2.0.10 - Reflected Cross-Site Scripting
The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to injectβ¦
6.4
CVE-2024-8742 - Essential Addons for Elementor <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting β¦
The Essential Addons for Elementor β Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization β¦
6.1
CVE-2024-8664 - WP Test Email <= 1.1.7 - Reflected Cross-Site Scripting
The WP Test Email plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tβ¦
6.4
CVE-2024-5567 - Betheme | Responsive Multipurpose WordPress & WooCommerce Theme <= 27.5.5 - Authenticated (Author+)β¦
The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to β¦
6.3
CVE-2024-7888 - Classified Listing β Classified ads & Business Directory Plugin <= 3.1.7 - Missing Authorization
The Classified Listing β Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. Tβ¦
6.1
CVE-2024-8665 - YITH Custom Login <= 1.7.3 - Reflected Cross-Site Scripting
The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pagβ¦
7.5
CVE-2024-38816 - CVE-2024-38816: Path traversal vulnerability in functional web frameworks
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application iβ¦
6.5
CVE-2024-7864 - Favicon Generator < 2.1 - Arbitrary File Deletion via CSRF
The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server
8.1
CVE-2024-7863 - Favicon Generator < 2.1 - Arbitrary File Upload via CSRF
The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server
4.8
CVE-2024-7133 - My Sticky Bar < 2.7.3 - Admin+ Stored XSS
The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripβ¦