Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

#1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81

Security Advisories

Reported CVEsVendorsProductsReports
4113Vulnerabilities found
CVE-2025-1303
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.08% / 25.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-01 Aug, 2025 | 01:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plugin Oficial – Getnet para WooCommerce <= 1.7.3 - Unauthenticated Reflected XSS

The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Action-Not Available
Vendor-coffee-codeUnknown
Product-plugin_oficialPlugin Oficial
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1289
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-01 Aug, 2025 | 01:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plugin Oficial – Getnet para WooCommerce <= 1.7.3 - Admin+ Stored XSS

The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-coffee-codeUnknown
Product-plugin_oficialPlugin Oficial
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1288
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 6.43%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wooexim <= 5.0.0 - CSRF to Reflected XSS

The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack.

Action-Not Available
Vendor-bulkthemeUnknown
Product-wooeximWOOEXIM
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1286
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 5.10%
||
7 Day CHG-0.03%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download HTML TinyMCE Button <= 1.2 - Reflected XSS

The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-sfarbotaUnknown
Product-download_html_tinymce_buttonDownload HTML TinyMCE Button
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1033
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 7.08%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Badgearoo <= 1.0.14 - Admin+ Stored XSS

The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-danielpowneyUnknown
Product-badgearooBadgearoo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-0688
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 11.08%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-28 May, 2025 | 15:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS

The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Action-Not Available
Vendor-mynamediaUnknown
Product-spiritual_gifts_survey_\(and_optional_s.h.a.p.e_survey\)Spiritual Gifts Survey (and optional S.H.A.P.E survey)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-0687
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 11.08%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-28 May, 2025 | 15:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS

The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Action-Not Available
Vendor-mynamediaUnknown
Product-spiritual_gifts_survey_\(and_optional_s.h.a.p.e_survey\)Spiritual Gifts Survey (and optional S.H.A.P.E survey)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-0329
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI ChatBot for WordPress – WPBot < 6.2.4 - Admin+ Stored XSS

The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-quantumcloudUnknown
Product-wpbotAI ChatBot for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9882
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 10.32%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Salon Booking System < 10.9.4 - Admin+ Stored XSS

The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-salonbookingsystemUnknown
Product-salon_booking_systemSalon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9879
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 8.15%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Website File Changes < 2.1.1 - Authenticated SQL Injection

The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Action-Not Available
Vendor-melapressUnknown
Product-melapress_file_monitorMelapress File Monitor
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-9838
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 8.15%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Auto Affiliate Links < 6.4.7 - Admin+ SQL Injection

The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Action-Not Available
Vendor-flamescorpionUnknown
Product-auto_affiliate_linksAuto Affiliate Links
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-9831
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.04% / 13.09%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Taskbuilder < 3.0.9 - Admin+ SQL Injection

The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Action-Not Available
Vendor-taskbuilderUnknown
Product-taskbuilderTaskbuilder
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-9765
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 13.27%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-28 May, 2025 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EKC Tournament Manager < 2.2.2 - Local File Download Vulnerability

The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory

Action-Not Available
Vendor-lukashuserUnknown
Product-ekc_tournament_managerEKC Tournament Manager
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2024-9711
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.02% / 3.74%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-28 May, 2025 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EKC Tournament Manager < 2.2.2 - Delete Tournaments via CSRF

The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-lukashuserUnknown
Product-ekc_tournament_managerEKC Tournament Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-9709
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.02% / 3.74%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-28 May, 2025 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EKC Tournament Manager < 2.2.2 - Create Tournaments/Teams via CSRF

The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-lukashuserUnknown
Product-ekc_tournament_managerEKC Tournament Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-9663
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CYAN Backup < 2.5.3 - Admin+ Stored XSS via Remote Storage Settings

The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-toolstackUnknown
Product-cyan_backupCYAN Backup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9662
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CYAN Backup < 2.5.3 - Admin+ Stored XSS via General Settings

The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-toolstackUnknown
Product-cyan_backupCYAN Backup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9645
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post Grid and Gutenberg Blocks < 2.2.93 - Contributor+ Stored XSS

The Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry WordPress plugin before 2.2.93 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-pickpluginsUnknown
Product-post_gridPost Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9599
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Popup Box < 4.7.8 - Admin+ Stored XSS

The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownAYS Pro Extensions
Product-popup_boxPopup Box
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9450
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 5.75%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking < 1.3.15 - Subscriber+ PayPal Settings Update

The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in subscriber change them via a CSRF attack

Action-Not Available
Vendor-syntacticsUnknown
Product-free_booking_plugin_for_hotels\,_restaurant_and_car_rentalFree Booking Plugin for Hotels, Restaurants and Car Rentals
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-9390
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RegistrationMagic < 6.0.2.1 - Stored XSS

The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownMetagauss Inc.
Product-registrationmagicRegistrationMagic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9238
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AVIF & SVG Uploader <= 1.1.0 - Author+ Stored XSS via SVG Uplaod

The AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Action-Not Available
Vendor-grandpluginsUnknown
Product-avif_uploaderAVIF Uploader
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9236
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Team Members Showcase < 4.4.2 - Editor+ Stored XSS

The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-radiusthemeUnknown
Product-team_-_wordpress_team_members_showcaseTeam
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9233
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.75%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GS Logo Slider < 3.7.1 - Settings Update via Cross-Site Request Forgery

The Logo Slider WordPress plugin before 3.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-gspluginsUnknown
Product-logo_sliderLogo Slider
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-9227
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-05 Jun, 2025 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PowerPress Podcasting < 11.9.18 - Author+ XSS

The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.9.18 does not sanitise and escape some of its settings when adding a podcast, which could allow admin users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-blubrryUnknown
Product-powerpressPowerPress Podcasting plugin by Blubrry
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9182
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Maspik - Advanced Spam protection < 2.1.3 - Admin+ Stored XSS

The Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Action-Not Available
Vendor-wpmaspikUnknown
Product-maspikMaspik
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8854
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Polls CP <= 1.0.75 - Admin+ Stored XSS via Custom Styles

The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup).

Action-Not Available
Vendor-UnknownCodePeople
Product-polls_cpPolls CP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8851
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Polls CP <= 1.0.75 - Admin+ Stored Cross-Site Scripting

The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup).

Action-Not Available
Vendor-UnknownCodePeople
Product-polls_cpPolls CP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8759
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nested Pages <= 3.2.8 - Editor+ Stored XSS

The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-kylephillipsUnknown
Product-nested_pagesNested Pages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8703
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.25%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-28 May, 2025 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Z-Downloads < 1.11.6 - Unauthenticated Stored XSS

The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs.

Action-Not Available
Vendor-urbanbaseUnknown
Product-z-downloadsZ-Downloads
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8702
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.25%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Backup Database <= 4.9 - Admin+ Stored XSS

The Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wpprokingUnknown
Product-backup_databaseBackup Database
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8701
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event Calendar <= 1.0.4 - Admin+ Stored XSS

The events-calendar WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-snumb130Unknown
Product-events_calendarevents-calendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8700
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.04% / 12.19%
||
7 Day CHG-0.02%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event Calendar <= 1.0.4 - Unauthenticated Arbitrary Calendar Deletion

The Event Calendar WordPress plugin through 1.0.4 does not check for authorization on delete actions, allowing unauthenticated users to delete arbitrary calendars.

Action-Not Available
Vendor-total-softUnknown
Product-event_calendarEvent Calendar
CWE ID-CWE-284
Improper Access Control
CVE-2024-8699
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.11% / 30.88%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-28 May, 2025 | 15:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Z-Downloads < 1.11.5 - Admin+ Arbitrary File Upload

The Z-Downloads WordPress plugin before 1.11.5 does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

Action-Not Available
Vendor-urbanbaseUnknown
Product-z-downloadsZ-Downloads
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-8673
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-9.1||CRITICAL
EPSS-6.24% / 90.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-28 May, 2025 | 15:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Z-Downloads < 1.11.7 - Admin+ Stored XSS via SVG Upload

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.

Action-Not Available
Vendor-urbanbaseUnknown
Product-z-downloadsZ-Downloads
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8670
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.25%
||
7 Day CHG-0.02%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Photo Gallery by 10Web < 1.8.29 - Admin+ Stored XSS

The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-photo_galleryPhoto Gallery by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8620
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MapPress Maps for WordPress < 2.93 - Admin+ Stored XSS via Map Settings

The MapPress Maps for WordPress plugin before 2.93 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-mappressproUnknown
Product-mappressMapPress Maps for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8619
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 0.29%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ajax Search Lite <= 4.12.2 - Admin+ Stored XSS

The Ajax Search Lite WordPress plugin before 4.12.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wp-dreamsUnknown
Product-ajax_searchAjax Search Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8618
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-27 May, 2025 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Page Builder: Pagelayer < 1.9.0- Admin+ Stored XSS

The Page Builder: Pagelayer WordPress plugin before 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-pagelayerUnknown
Product-pagelayerPage Builder: Pagelayer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8617
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quiz Maker <= 6.5.9.8 - Admin+ Stored XSS

The Quiz Maker WordPress plugin before 6.5.9.9 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-UnknownAYS Pro Extensions
Product-quiz_makerQuiz Maker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8542
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 10.32%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Everest Forms < 3.0.3.1 - Admin+ Stored XSS

The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wpeverestUnknown
Product-everest_formsEverest Forms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8493
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.25%
||
7 Day CHG-0.02%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Events Calendar < 6.6.4 - Admin+ Stored XSS

The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownThe Events Calendar (StellarWP)
Product-the_events_calendarThe Events Calendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8492
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.25%
||
7 Day CHG-0.02%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hustle < 7.8.5 - Admin+ Stored XSS

The Hustle WordPress plugin through 7.8.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Action-Not Available
Vendor-UnknownIncsub, LLC
Product-hustleHustle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8426
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-27 May, 2025 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pagelayer < 1.8.8 - Admin+ Stored XSS

The Page Builder: Pagelayer WordPress plugin before 1.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Action-Not Available
Vendor-pagelayerUnknown
Product-pagelayerPage Builder: Pagelayer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8398
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.35%
||
7 Day CHG-0.01%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Nav Archives <= 2.1.3 - Settings Update via CSRF

The Simple Nav Archives WordPress plugin through 2.1.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-philipwaltonUnknown
Product-simple_nav_archivesSimple Nav Archives
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8397
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.02% / 3.74%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GDPR Cookie Consent <= 2.6.0 - Unauthenticated Stored XSS

The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context.

Action-Not Available
Vendor-webtoffeeUnknown
Product-gdpr_cookie_consentwebtoffee-gdpr-cookie-consent
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8286
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.01% / 1.35%
||
7 Day CHG-0.01%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GDPR Cookie Consent <= 2.6.0 - Bulk Delete via CSRF

The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks

Action-Not Available
Vendor-webtoffeeUnknown
Product-gdpr_cookie_consentwebtoffee-gdpr-cookie-consent
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8284
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 10.32%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Manager <= 3.2.98 - Admin+ Stored XSS

The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Action-Not Available
Vendor-UnknownW3 Eden, Inc.
Product-download_managerDownload Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8245
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 5.12%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GamiPress - Reset User <= 1.0.0 - GamiPress User Data Removal via CSRF

The GamiPress WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-gamipressUnknown
Product-gamipress_-_reset_userGamiPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8187
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.25%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-27 May, 2025 | 19:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart Post Show <= 3.0.0 - Editor+ Stored XSS

The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-shapedpluginUnknown
Product-smart_post_showSmart Post Show
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 82
  • 83
  • Next