The Simple Buttons Creator WordPress plugin through 1.04 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-15
Updated
2024-04-15
The Simple Buttons Creator WordPress plugin through 1.04 does not have any authorisation as well as CSRF in its add button function, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-15
Updated
2024-04-15
The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.64 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-15
Updated
2024-04-15
The Genesis Blocks WordPress plugin before 3.1.3 does not properly escape data input provided to some of its blocks, allowing using with at least contributor privileges to conduct Stored XSS attacks.
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-19
Updated
2024-04-19
The Advanced Search WordPress plugin through 1.1.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-15
Updated
2024-04-15
The Otter Blocks WordPress plugin before 2.6.6 does not properly escape its mainHeadings blocks' attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks.
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-18
Updated
2024-04-18
The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.0.5 does not properly escape some of its shortcodes attributes before they are echoed back to users, making it possible for users with the contributor role to conduct Stored XSS attacks.
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-13
Updated
2024-04-15
The Gutenberg Blocks by Kadence Blocks WordPress plugin before 3.2.26 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-05
Updated
2024-04-08
The Inline Related Posts WordPress plugin before 3.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-06
Updated
2024-04-08
The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to perform Stored XSS attacks
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-10
Updated
2024-04-10
The Page Builder Gutenberg Blocks WordPress plugin before 3.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-02
Updated
2024-04-08
The WooCommerce Cart Abandonment Recovery WordPress plugin before 1.2.27 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admins delete arbitrary email templates as well as delete and unsubscribe users from abandoned orders via CSRF attacks.
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-03
Updated
2024-04-03
The WP STAGING WordPress Backup Plugin WordPress plugin before 3.4.0, wp-staging-pro WordPress plugin before 5.4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-17
Updated
2024-04-17
Themify WordPress plugin before 1.4.4 does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-01
Updated
2024-04-01
Themify WordPress plugin before 1.4.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-01
Updated
2024-04-01
Themify WordPress plugin before 1.4.4 does not have CSRF check in its bulk action, which could allow attackers to make logged in users delete arbitrary filters via CSRF attack, granted they know the related filter slugs
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-01
Updated
2024-04-01
The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-17
Updated
2024-04-17
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious script is executed in the admin context.
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-17
Updated
2024-04-17
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the admin context.
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-17
Updated
2024-04-17
The Simple Ajax Chat WordPress plugin before 20240223 does not prevent visitors from using malicious Names when using the chat, which will be reflected unsanitized to other users.
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-03-20
Updated
2024-03-20
The CM Download Manager WordPress plugin before 2.9.1 does not have CSRF checks in some places, which could allow attackers to make logged in admins edit downloads via a CSRF attack
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-03-25
Updated
2024-03-25
The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-08
Updated
2024-04-08
The wpb-show-core WordPress plugin before 2.7 does not sanitise and escape the parameters before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-08
Updated
2024-04-08
The WP Customer Reviews WordPress plugin before 3.7.1 does not validate a parameter allowing contributor and above users to redirect a page to a malicious URL
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-15
Updated
2024-04-15
The Responsive Tabs WordPress plugin before 4.0.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-15
Updated
2024-04-15
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!