Search

Search Results (365162 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-12739 1 Annabansaghi 1 Mobile Contact Bar 2025-06-11 4.8 Medium
The Mobile Contact Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-6584 1 Automattic 1 Jetpack Boost 2025-06-11 9.1 Critical
The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.
CVE-2024-6693 1 Wp-buy 1 Wp Content Copy Protection \& No Right Click 2025-06-11 4.8 Medium
The wccp-pro WordPress plugin before 15.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-6712 1 Acugis 1 Mapfig Studio 2025-06-11 6.1 Medium
The MapFig Studio WordPress plugin through 0.2.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
CVE-2024-6713 1 Freebiesdownload 1 Pvn Auth Popup 2025-06-11 4.8 Medium
The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-7556 1 Missionmike 1 Simple Share 2025-06-11 4.8 Medium
The Simple Share WordPress plugin through 0.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-7759 1 Magazine3 1 Pwa For Wp \& Amp 2025-06-11 4.8 Medium
The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-7761 1 Presstigers 1 Simple Job Board 2025-06-11 6.1 Medium
In the process of testing the Simple Job Board WordPress plugin before 2.12.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor
CVE-2024-7769 1 Clicksold 1 Clicksold Idx 2025-06-11 4.8 Medium
The ClickSold IDX WordPress plugin through 1.90 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-7984 1 Ultimatewpsms 1 Joy Of Text 2025-06-11 4.3 Medium
The Joy Of Text Lite WordPress plugin through 2.3.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-0748 1 Mozilla 1 Firefox 2025-06-11 4.3 Medium
A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122.
CVE-2022-26858 1 Dell 798 Alienware M15 R6, Alienware M15 R6 Firmware, Chengming 3980 and 795 more 2025-06-11 6.1 Medium
Dell BIOS versions contain an Improper Authentication vulnerability. A locally authenticated malicious user could potentially exploit this vulnerability by sending malicious input to an SMI in order to bypass security controls.
CVE-2024-5440 1 If-so 1 Dynamic Content Personalization 2025-06-11 5.4 Medium
The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2024-6159 1 Pnfpb 1 Push Notification For Post And Buddypress 2025-06-11 9.8 Critical
The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
CVE-2024-6335 1 Data443 1 Tracking Code Manager 2025-06-11 4.8 Medium
The Tracking Code Manager WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-6462 1 Dyadyalesha 1 Dl Yandex Metrika 2025-06-11 4.8 Medium
The DL Yandex Metrika WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-6478 1 Thisfunctional 1 Ctt Expresso Para Woocommerce 2025-06-11 4.8 Medium
The CTT Expresso para WooCommerce WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-45194 1 Synacor 1 Zimbra Collaboration Suite 2025-06-11 4.8 Medium
In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.)
CVE-2024-6486 1 Orangelab 1 Imagemagick Engine 2025-06-11 7.2 High
The ImageMagick Engine ImageMagick Engine WordPress plugin before 1.7.11 for WordPress is vulnerable to OS Command Injection via the "cli_path" parameter. This allows authenticated attackers, with administrator-level permission to execute arbitrary OS commands on the server leading to remote code execution.
CVE-2024-0922 1 Tendacn 2 Ac10u, Ac10u Firmware 2025-06-11 4.7 Medium
A vulnerability classified as critical was found in Tenda AC10U 15.03.06.49_multi_TDE01. Affected by this vulnerability is the function formQuickIndex. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252127. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.