| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated Cross Site Scripting (XSS) in NanoMag <= 1.8 versions. |
| Contributor Broken Access Control in SEOPress PRO <= 9.1.1 versions. |
| Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions. |
| Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions. |
| Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions. |
| Unauthenticated Cross Site Request Forgery (CSRF) in FunnelKit Payment Gateway for Stripe WooCommerce <= 1.14.0.3 versions. |
| Contributor Cross Site Scripting (XSS) in Fluent Booking <= 2.1.0 versions. |
| Contributor SQL Injection in Restaurant Menu by MotoPress <= 2.4.10 versions. |
| Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions. |
| Contributor Cross Site Scripting (XSS) in Ghost Kit <= 3.6.0 versions. |
| Unauthenticated Cross Site Request Forgery (CSRF) in Child Theme Wizard <= 1.4 versions. |
| Author Cross Site Scripting (XSS) in Hester Core <= 1.1.8 versions. |
| Unauthenticated Cross Site Request Forgery (CSRF) in Gmail SMTP <= 1.2.3.19 versions. |
| Unauthenticated Cross Site Request Forgery (CSRF) in Paid Memberships Pro - Add Member From Admin <= 0.7.2 versions. |
| Unauthenticated Sensitive Data Exposure in Bopo – WooCommerce Product Bundle Builder <= 1.1.6 versions. |
| Unauthenticated Insecure Direct Object References (IDOR) in GravityView <= 3.0.0 versions. |
| Sales Representative SQL Injection in Groundhogg <= 4.5 versions. |
| The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |