Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

#1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81

Security Advisories

Reported CVEsVendorsProductsReports
4113Vulnerabilities found
CVE-2024-13357
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-10 Jun, 2025 | 13:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ditty – Responsive News Tickers, Sliders, and Lists < 3.1.52 - Author+ Stored XSS

The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-metaphorcreationsUnknown
Product-dittyDitty
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13313
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-10 Jun, 2025 | 12:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AWeber <= 7.3.20 - Admin+ Stored XSS

The AWeber WordPress plugin through 7.3.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownAWeber
Product-aweberAWeber
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13128
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin < 4.2.7.5.1 - Admin+ Stored XSS

The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownThimPress (PhysCode)
Product-learnpressLearnPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13127
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin < 4.2.7.5.1 - Admin+ Stored XSS

The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownThimPress (PhysCode)
Product-learnpressLearnPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13053
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS via Theme Title

The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-form_makerForm Maker by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12874
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 10.32%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Top Comments <= 1.0 - Admin+ Stored Cross-Site Scripting

The Top Comments WordPress plugin through 1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-top_comments_projectUnknown
Product-top_commentsTop Comments
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12873
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 11.77%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom Field Manager <= 1.0 - Reflected XSS Vulnerability

The Custom Field Manager WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-f1logicUnknown
Product-custom_field_managerCustom Field Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12812
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.06% / 19.02%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-27 Aug, 2025 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP ERP < 1.13.4 - Custom+ Unauthorized Access to Terminated Employee Information

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees.

Action-Not Available
Vendor-UnknownweDevs Pte. Ltd.
Product-wp_erpWP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2024-12808
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-10 Jun, 2025 | 12:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP ERP | Complete HR solution with recruitment < 1.13.4 - Admin+ Stored XSS

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownweDevs Pte. Ltd.
Product-wp_erpWP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12800
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-10 Jun, 2025 | 12:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IP Based Login < 2.4.1 - Admin+ Stored XSS

The IP Based Login WordPress plugin before 2.4.1 does not sanitise values when importing, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-brijeshk89Unknown
Product-ip_based_loginIP Based Login
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12770
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 4.35%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-10 Jun, 2025 | 12:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP ULike < 4.7.6 - Admin+ Stored XSS

The WP ULike WordPress plugin before 4.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-technowichUnknown
Product-wp_ulikeWP ULike
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12750
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.75%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Competition Form <= 2.0 - Competition Deletion via CSRF

The Competition Form WordPress plugin through 2.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-raiserwebUnknown
Product-competition_formCompetition Form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-12743
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-10 Jun, 2025 | 11:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MailPoet < 5.5.2 - Admin+ Stored XSS

The MailPoet WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownAutomattic Inc.
Product-mailpoetMailPoet
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12739
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-11 Jun, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mobile Contact Bar < 3.0.5 - Admin+ Stored XSS

The Mobile Contact Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-annabansaghiUnknown
Product-mobile_contact_barMobile Contact Bar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12735
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.04% / 13.09%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advance Post Prefix <= 1.1.1 - Admin+ SQL Injection

The Advance Post Prefix WordPress plugin through 1.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins and above to perform SQL injection attacks

Action-Not Available
Vendor-niceitUnknown
Product-advance_post_prefixAdvance Post Prefix
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12734
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.25%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advance Post Prefix <= 1.1.1 - Reflected XSS

The Advance Post Prefix WordPress plugin through 1.1.1, Advance Post Prefix WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-niceitUnknown
Product-advance_post_prefixAdvance Post Prefix
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12733
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.25%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AffiliateImporterEb <= 1.0.6 - Reflected XSS via Search

The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-cr1000Unknown
Product-affiliateimporterebAffiliateImporterEb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12732
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.25%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AffiliateImporterEb <= 1.0.6 - Reflected XSS

The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-cr1000Unknown
Product-affiliateimporterebAffiliateImporterEb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12726
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.25%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-11 Jun, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ClipArt <= 0.2 - Reflected XSS

The ClipArt WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-takienUnknown
Product-clipartClipArt
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12725
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 11.77%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-11 Jun, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Clasify Classified Listing <= 1.0.7 - Reflected XSS

The Clasify Classified Listing WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-smartdatasoftUnknown
Product-clasify_classified_listingClasify Classified Listing
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12724
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.25%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-11 Jun, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP DeskLite <= 1.0.0 - Reflected XSS

The WP DeskLite WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-codeflockUnknown
Product-wp_deskliteWP DeskLite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12722
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 7.54%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-11 Jun, 2025 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Twitter Bootstrap Collapse aka Accordian Shortcode <= 1.0 - Stored XSS via Shortcode

The Twitter Bootstrap Collapse aka Accordian Shortcode WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-mohsinrasoolUnknown
Product-twitter_bootstrap_collapse_aka_accordian_shortcodeTwitter Bootstrap Collapse aka Accordian Shortcode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12716
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-11 Jun, 2025 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Basic Contact Form < 20250114 - Admin+ Stored XSS

The Simple Basic Contact Form WordPress plugin before 20250114 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wpkubeUnknown
Product-simple_basic_contact_formSimple Basic Contact Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12680
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-28 May, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prisna GWT < 1.4.14 - Admin+ Stored XSS

The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-prisnaUnknown
Product-google_website_translatorPrisna GWT
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12679
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-28 May, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prisna GWT < 1.4.14 - Admin+ Stored XSS

The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-prisnaUnknown
Product-google_website_translatorPrisna GWT
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12301
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 3.75%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JSP Store Locator <= 1.0 - Deletion via Missing CSRF

The JSP Store Locator WordPress plugin through 1.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

Action-Not Available
Vendor-UnknownJoomlaServiceProvider
Product-jsp_store_locatorJSP Store Locator
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-12282
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.02% / 3.65%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress连接微博 <= 2.5.6 - Stored XSS via CSRF

The WordPress连接微博 WordPress plugin through 2.5.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Action-Not Available
Vendor-smyxUnknown
Product-wp-connectWordPress连接微博
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11843
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Panorama – WordPress Project Management Plugin <= 1.5.1 - Admin+ Stored XSS

The Panorama WordPress plugin through 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-projectpanoramaUnknown
Product-panoramaPanorama
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11719
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 4.92%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
tarteaucitron.js for WordPress < 0.3.0 - Stored XSS via CSRF

The tarteaucitron-wp WordPress plugin before 0.3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Action-Not Available
Vendor-couleurcitronUnknown
Product-tarteaucitron-wptarteaucitron-wp
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11718
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
tarteaucitron.js for WordPress < 0.3.0 - Author+ Stored XSS

The tarteaucitron-wp WordPress plugin before 0.3.0 allows author level and above users to add HTML into a post/page, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-couleurcitronUnknown
Product-tarteaucitron-wptarteaucitron-wp
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11502
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 7.54%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Planning Center Online Giving <= 1.0.0 - Contributor+ XSS via Shortcode

The Planning Center Online Giving WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-wpchurchteamUnknown
Product-planning_center_online_givingPlanning Center Online Giving
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11373
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.75%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Connexion Logs <= 3.0.2 - Log Deletion via CSRF

The Connexion Logs WordPress plugin through 3.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-floriansimunekUnknown
Product-connexion_logsConnexion Logs
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-11372
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.07% / 21.59%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Connexion Logs <= 3.0.2 - Admin+ SQL Injection

The Connexion Logs WordPress plugin through 3.0.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Action-Not Available
Vendor-floriansimunekUnknown
Product-connexion_logsConnexion Logs
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-11269
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.04% / 13.09%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-12 Jun, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AHAthat Plugin <= 1.6 - Admin+ SQL Injection

The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks.

Action-Not Available
Vendor-mitchelllevyUnknown
Product-ahathatAHAthat Plugin
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-11267
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.05% / 15.77%
||
7 Day CHG-0.02%
Published-15 May, 2025 | 20:06
Updated-12 Jun, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JSP Store Locator <= 1.0 - Contributor+ SQL Injection

The JSP Store Locator WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing user with Contributor to perform SQL injection attacks.

Action-Not Available
Vendor-UnknownJoomlaServiceProvider
Product-jsp_store_locatorJSP Store Locator
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-11266
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-12 Jun, 2025 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Geocache Stat Bar Widget <= 0.911 - Admin+ Stored XSS

The Geocache Stat Bar Widget WordPress plugin through 0.911 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-pixeljarUnknown
Product-geocache_stat_bar_widgetGeocache Stat Bar Widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11221
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 0.29%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-12 Jun, 2025 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Full Screen (Page) Background Image Slideshow <= 1.1 - Admin+ Stored XSS

The Full Screen (Page) Background Image Slideshow WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-mohsinrasoolUnknown
Product-full_screen_\(page\)_background_image_slideshowFull Screen (Page) Background Image Slideshow
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11190
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.25%
||
7 Day CHG-0.02%
Published-15 May, 2025 | 20:06
Updated-12 Jun, 2025 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jwp-a11y <= 4.1.7 - Admin+ Stored XSS

The jwp-a11y WordPress plugin through 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-jidaikoboUnknown
Product-jwp-a11yjwp-a11y
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11189
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Social Share And Social Locker – ARSocial < 1.4.2 - Admin+ Stored XSS

The Social Share And Social Locker WordPress plugin before 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-reputeinfosystemsUnknown
Product-social_share_and_social_lockerSocial Share And Social Locker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11141
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.25%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-12 Jun, 2025 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sailthru Triggermail < 1.1 - Subscriber+ Stored XSS

The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings and is missing CSRF protection which could allow subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-jontascUnknown
Product-sailthru_triggermailSailthru Triggermail
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-11140
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.32%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Real WP Shop Lite Ajax eCommerce Shopping Cart <= 2.0.8 - Admin+ Stored XSS

The Real WP Shop Lite Ajax eCommerce Shopping Cart WordPress plugin through 2.0.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-vk011Unknown
Product-real_wp_shop_lite_ajax_ecommerce_shopping_cartReal WP Shop Lite Ajax eCommerce Shopping Cart
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11109
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-04 Jun, 2025 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Google Review Slider < 15.6 - Admin+ Stored XSS

The WP Google Review Slider WordPress plugin before 15.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-ljappsUnknown
Product-wp_google_review_sliderWP Google Review Slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10818
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-12 Jun, 2025 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JSFiddle Shortcode < 1.1.3 - Contributor+ XSS via Shortcode

The JSFiddle Shortcode WordPress plugin before 1.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-wvegaUnknown
Product-jsfiddle_shortcodeJSFiddle Shortcode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10677
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.75%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-12 Jun, 2025 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BTEV <= 2.0.2 - Settings Update via CSRF

The BTEV WordPress plugin through 2.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-bluetraitUnknown
Product-blue_trait_event_viewerBTEV
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-10639
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-12 Jun, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Auto Prune Posts < 3.0.0- Admin+ Stored XSS

The Auto Prune Posts WordPress plugin before 3.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-klarnedUnknown
Product-auto_prune_postsAuto Prune Posts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10634
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.75%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nokaut Offers Box <= 1.4.0 - Plugin Reset via CSRF

The Nokaut Offers Box WordPress plugin through 1.4.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset the Nokaut Offers Box WordPress plugin through 1.4.0 via a CSRF attack

Action-Not Available
Vendor-nokautplUnknown
Product-nokaut_offers_boxNokaut Offers Box
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10632
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 10.32%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nokaut Offers Box <= 1.4.0 - Admin+ Stored XSS

The Nokaut Offers Box WordPress plugin through 1.4.0 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-nokautplUnknown
Product-nokaut_offers_boxNokaut Offers Box
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10631
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 12.98%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Countdown Timer <= 1.0.5 - Contributor+ Stored XSS

The Countdown Timer for WordPress Block Editor WordPress plugin through 1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-flickdevsUnknown
Product-countdown_timer_for_wordpress_block_editorCountdown Timer for WordPress Block Editor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10504
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 20.60%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-04 Jun, 2025 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ARForms Builder < 1.7.1 - Unauthenticated Stored XSS

The Contact Form, Survey, Quiz & Popup Form Builder WordPress plugin before 1.7.1 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

Action-Not Available
Vendor-reputeinfosystemsUnknown
Product-arformsContact Form, Survey, Quiz & Popup Form Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10475
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 13.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lead Form Builder < 1.9.8 - Admin+ Stored XSS

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin before 1.9.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-themehunkUnknown
Product-contact_form_\&_lead_form_elementor_builderResponsive Contact Form Builder & Lead Generation Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • ...
  • 82
  • 83
  • Next