Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-5284

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-13 Jul, 2024 | 06:00
Updated At-01 Aug, 2024 | 21:11
Rejected At-
Credits

WP Affiliate Platform < 6.5.1 - Stored XSS via CSRF

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:13 Jul, 2024 | 06:00
Updated At:01 Aug, 2024 | 21:11
Rejected At:
▼CVE Numbering Authority (CNA)
WP Affiliate Platform < 6.5.1 - Stored XSS via CSRF

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Affected Products
Vendor
Unknown
Product
wp-affiliate-platform
Default Status
unaffected
Versions
Affected
  • From 0 before 6.5.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-Site Scripting (XSS)
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-Site Scripting (XSS)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Bob Matyas
coordinator
WPScan
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/a601a267-e781-439f-9c76-b4c841e819e5/
exploit
vdb-entry
technical-description
Hyperlink: https://wpscan.com/vulnerability/a601a267-e781-439f-9c76-b4c841e819e5/
Resource:
exploit
vdb-entry
technical-description
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
wp_affiliate_platform_project
Product
wp_affiliate_platform
CPEs
  • cpe:2.3:a:wp_affiliate_platform_project:wp_affiliate_platform:*:*:*:*:*:wordpress:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 6.5.1 (semver)
Metrics
VersionBase scoreBase severityVector
3.16.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/a601a267-e781-439f-9c76-b4c841e819e5/
exploit
vdb-entry
technical-description
x_transferred
Hyperlink: https://wpscan.com/vulnerability/a601a267-e781-439f-9c76-b4c841e819e5/
Resource:
exploit
vdb-entry
technical-description
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:13 Jul, 2024 | 06:15
Updated At:19 May, 2025 | 14:59

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
CPE Matches
Tips and Tricks HQ
tipsandtricks-hq
>>wp_affiliate_platform>>Versions before 6.5.1(exclusive)
cpe:2.3:a:tipsandtricks-hq:wp_affiliate_platform:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://wpscan.com/vulnerability/a601a267-e781-439f-9c76-b4c841e819e5/contact@wpscan.com
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/a601a267-e781-439f-9c76-b4c841e819e5/af854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/a601a267-e781-439f-9c76-b4c841e819e5/
Source: contact@wpscan.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/a601a267-e781-439f-9c76-b4c841e819e5/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

77Records found
CVE-2024-5281
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 45.77%
||
7 Day CHG+0.10%
Published-13 Jul, 2024 | 06:00
Updated-19 May, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Affiliate Platform < 6.5.1 - Reflected XSS via Affiliate Editing

The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Action-Not Available
Vendor-Unknownwp_affiliate_platform_projectTips and Tricks HQ
Product-wp_affiliate_platformwp-affiliate-platformwp_affiliate_platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5282
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 51.65%
||
7 Day CHG-0.09%
Published-13 Jul, 2024 | 06:00
Updated-19 May, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Affiliate Platform < 6.5.1 - Reflected XSS via Registration Form

The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Action-Not Available
Vendor-Unknownwp_affiliate_platform_projectTips and Tricks HQ
Product-wp_affiliate_platformwp-affiliate-platformwp_affiliate_platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5285
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.5||MEDIUM
EPSS-0.02% / 2.76%
||
7 Day CHG~0.00%
Published-29 Jul, 2024 | 06:00
Updated-07 Jul, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Affiliate Platform < 6.5.2 - Affiliate Deletion via CSRF

The wp-affiliate-platform WordPress plugin before 6.5.2 does not have CSRF check in place when deleting affiliates, which could allow attackers to make a logged in user change delete them via a CSRF attack

Action-Not Available
Vendor-UnknownslicewpTips and Tricks HQ
Product-wp_affiliate_platformwp-affiliate-platformwp-affiliate-platform
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-5075
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.19% / 41.13%
||
7 Day CHG~0.00%
Published-13 Jul, 2024 | 06:00
Updated-06 May, 2025 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP eMember < 10.6.6 - Reflected XSS

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-wp_ememberwp-eMemberwp_emember
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5074
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 34.87%
||
7 Day CHG~0.00%
Published-13 Jul, 2024 | 06:00
Updated-02 May, 2025 | 12:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP eMember < 10.6.6 - Reflected XSS

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-wp_ememberwp-eMemberwp_emember
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5076
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.39% / 59.38%
||
7 Day CHG-0.17%
Published-13 Jul, 2024 | 06:00
Updated-06 May, 2025 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP eMember < 10.6.6 - Bulk Delete via CSRF

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-wp_ememberwp-eMemberwp_emember
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5079
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.87% / 74.26%
||
7 Day CHG~0.00%
Published-13 Jul, 2024 | 06:00
Updated-06 May, 2025 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP eMember < 10.6.7 - Unauthenticated Stored XSS via Member Registration

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape some of the fields when members register, which allows unauthenticated users to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-UnknownwpememberTips and Tricks HQ
Product-wp_ememberwp-eMemberwpemember
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5081
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.78%
||
7 Day CHG~0.00%
Published-05 Aug, 2024 | 06:00
Updated-09 Jun, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP eMember <= v10.7.0 - Stored XSS via CSRF

The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Action-Not Available
Vendor-Unknownwp_ememberTips and Tricks HQ
Product-wp_ememberwp-eMemberwp_emember
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24694
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.91%
||
7 Day CHG~0.00%
Published-24 Jan, 2022 | 08:00
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes

The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-simple_download_monitorSimple Download Monitor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24693
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-9||CRITICAL
EPSS-0.62% / 69.08%
||
7 Day CHG~0.00%
Published-08 Nov, 2021 | 17:35
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Download Monitor < 3.9.5 - Contributor+ Stored Cross-Site Scripting via File Thumbnail

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-simple_download_monitorSimple Download Monitor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24799
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.79%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Far Future Expiry Header < 1.5 - Plugin's Settings Update via CSRF

The Far Future Expiry Header WordPress plugin before 1.5 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-far_future_expiry_headerFar Future Expiry Header
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24711
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.15% / 35.84%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Software License Manager < 4.5.1 - Arbitrary Domain Deletion via CSRF

The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-software_license_managerSoftware License Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24734
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.91%
||
7 Day CHG~0.00%
Published-18 Oct, 2021 | 13:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Compact WP Audio Player < 1.9.7 - Contributor+ Stored Cross-Site Scripting

The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-compact_wp_audio_playerCompact WP Audio Player
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-40332
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.05% / 14.47%
||
7 Day CHG~0.00%
Published-10 Jul, 2024 | 00:00
Updated-02 Aug, 2024 | 04:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/moneyRecord_deal.php?mudi=delRecord

Action-Not Available
Vendor-idccmsn/aidccms_project
Product-idccmsn/aidccms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-38833
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-6.8||MEDIUM
EPSS-0.19% / 41.35%
||
7 Day CHG+0.02%
Published-26 Nov, 2024 | 11:54
Updated-14 May, 2025 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored cross-site scripting vulnerability (CVE-2024-38833)

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to email templates might inject malicious script leading to stored cross-site scripting in the product VMware Aria Operations.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-cloud_foundationaria_operationsVMware Aria Operations
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-39155
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.07% / 22.21%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 00:00
Updated-15 Apr, 2025 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/ipRecord_deal.php?mudi=add.

Action-Not Available
Vendor-idccmsn/aidccms_project
Product-idccmsn/aidccms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-3669
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.8||MEDIUM
EPSS-0.10% / 29.22%
||
7 Day CHG~0.00%
Published-30 Jul, 2024 | 06:00
Updated-28 May, 2025 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web Directory Free < 1.7.2 - Reflected XSS

The Web Directory Free WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Action-Not Available
Vendor-salephpscriptsUnknownsalephpscripts
Product-web_directory_freeWeb Directory Freeweb_directory_free
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3710
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.8||MEDIUM
EPSS-0.32% / 54.78%
||
7 Day CHG-0.01%
Published-13 Jul, 2024 | 06:00
Updated-13 May, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Photo Gallery Final Tiles Grid < 3.6.0 - Contributor+ Stored XSS

The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin

Action-Not Available
Vendor-wpchillUnknownmachothemes
Product-image_photo_gallery_final_tiles_gridImage Photo Gallery Final Tiles Gridimage_photo_gallery_final_tiles_grid
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2907
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.8||MEDIUM
EPSS-0.25% / 48.38%
||
7 Day CHG~0.00%
Published-25 Apr, 2024 | 05:00
Updated-14 May, 2025 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AGCA – Custom Dashboard & Login Page < 7.2.2 - Admin+ Stored XSS via Image URL

The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-cusminUnknownwordpress_plugin
Product-absolutely_glamorous_custom_adminAGCA agca
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2640
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.8||MEDIUM
EPSS-0.28% / 50.79%
||
7 Day CHG~0.00%
Published-12 Jul, 2024 | 06:00
Updated-01 Aug, 2024 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Watu Quiz < 3.4.1.2 - Author+ Stored XSS

The Watu Quiz WordPress plugin before 3.4.1.2 does not sanitise and escape some of its settings, which could allow users such as authors (if they've been authorized by admins) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-kibokolabsUnknownkibokolabs
Product-watu_quizWatu Quizwatu_quiz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-49983
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.39% / 59.00%
||
7 Day CHG~0.00%
Published-06 Mar, 2024 | 00:00
Updated-16 Apr, 2025 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

Action-Not Available
Vendor-n/aSourceCodesteroretnom23
Product-school_fees_management_systemn/aschool_fees_management_system
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-28487
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-6.8||MEDIUM
EPSS-0.52% / 65.73%
||
7 Day CHG~0.00%
Published-22 Jan, 2021 | 17:15
Updated-17 Sep, 2024 | 02:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS)

This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application.

Action-Not Available
Vendor-visjsn/a
Product-vis-timelinevis-timeline
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2703
Matching Score-4
Assigner-Grafana Labs
ShareView Details
Matching Score-4
Assigner-Grafana Labs
CVSS Score-6.8||MEDIUM
EPSS-0.02% / 3.75%
||
7 Day CHG+0.01%
Published-23 Apr, 2025 | 11:36
Updated-10 Jun, 2025 | 11:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

Action-Not Available
Vendor-Grafana Labs
Product-Grafana EnterpriseGrafana
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4305
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.8||MEDIUM
EPSS-0.15% / 36.55%
||
7 Day CHG~0.00%
Published-17 Jun, 2024 | 06:00
Updated-13 May, 2025 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PostX < 4.1.0 - Contributor+ Stored XSS

The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-wpxpoUnknownWordPress Download Manager Pro
Product-postxPost Grid Gutenberg Blocks and WordPress Blog Plugin gutenberg_blocks_for_wordpress_download_manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6021
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.8||MEDIUM
EPSS-0.20% / 42.30%
||
7 Day CHG+0.11%
Published-30 Jul, 2024 | 06:00
Updated-30 May, 2025 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Donation Block for PayPal <= 2.1.0 - Unauthenticated Stored XSS

The Donation Block For PayPal WordPress plugin through 2.1.0 does not sanitise and escape form submissions, leading to a stored cross-site scripting vulnerability

Action-Not Available
Vendor-bharatkambariyaUnknowndonation_block_for_paypal_project
Product-donation_block_for_paypalDonation Block For PayPaldonation_block_for_paypal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4977
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.8||MEDIUM
EPSS-0.33% / 55.24%
||
7 Day CHG~0.00%
Published-13 Jul, 2024 | 06:00
Updated-13 Jun, 2025 | 00:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Index WP MySQL For Speed < 1.4.18 - Admin+ Reflected XSS

The Index WP MySQL For Speed WordPress plugin before 1.4.18 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Action-Not Available
Vendor-plumislandmediaUnknownanynines
Product-index_wp_mysql_for_speedIndex WP MySQL For Speedmysql
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-32344
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.08% / 23.33%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 00:00
Updated-11 Apr, 2025 | 14:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the Settings menu of CMSimple v5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit parameter under the Language section.

Action-Not Available
Vendor-cmsimplen/acmsimple
Product-cmsimplen/acmsimple
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • Next
Details not found