In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between November 09-10, 2024.
During this period, The National Vulnerability Database published 197, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 11
High: 66
Medium: 67
Low: 2
Severity Not Assigned: 51
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-10284
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
References: https://plugins.trac.wordpress.org/browser/ce21-suite/trunk/single-sign-on-ce21.php?rev=3097700#L242
https://www.wordfence.com/threat-intel/vulnerabilities/id/45d66743-300e-480d-98b8-99dc30b6e786?source=cve
CWE-ID: CWE-288
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-10285
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The CE21 Suite plugin for WordPress is vulnerable to sensitive information disclosure via the plugin-log.txt in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to log in the user associated with the JWT token.
References: https://plugins.trac.wordpress.org/browser/ce21-suite/trunk/single-sign-on-ce21.php?rev=3097700#L237
https://plugins.trac.wordpress.org/browser/ce21-suite/trunk/single-sign-on-ce21.php?rev=3097700#L281
https://www.wordfence.com/threat-intel/vulnerabilities/id/618a9ad7-3a13-43e6-84f4-35287f07e1c0?source=cve
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-10586
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to to create arbitrary files such as .php files that can be leveraged for remote code execution.
References: https://plugins.trac.wordpress.org/browser/debug-tool/trunk/tools/image-puller.php#L120
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e9d5c93-dcd7-450e-8c52-5c95fc5473d2?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-10625
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_tmp_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
References: https://codecanyon.net/item/woocommerce-support-ticket-system/17930050
https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf1cecd-c630-498d-9aa0-3d0adeb73033?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-10626
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
References: https://codecanyon.net/item/woocommerce-support-ticket-system/17930050
https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb2c829-579f-41e2-ad5f-8e4fc125d980?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-10627
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to, and including, 17.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://codecanyon.net/item/woocommerce-support-ticket-system/17930050
https://www.wordfence.com/threat-intel/vulnerabilities/id/1ac218f6-0bfa-480c-9159-d75a027022ba?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-10673
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins which can contain other exploitable vulnerabilities to elevate privileges and gain remote code execution.
References: https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=247826%40top-store&new=247826%40top-store&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/80510ade-cb58-45b3-89f2-2cbbc5640cae?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-10674
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Th Shop Mania theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the th_shop_mania_install_and_activate_callback() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins which can be leveraged to exploit other vulnerabilities and achieve remote code execution and privilege escalation.
References: https://themes.svn.wordpress.org/th-shop-mania/1.4.9/lib/notification/notify.php
https://themes.trac.wordpress.org/browser/th-shop-mania/1.4.9/lib/notification/notify.php
https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=247810%40th-shop-mania&new=247810%40th-shop-mania&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/b7832d37-19a9-491b-879e-4a22f2ba46ec?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-10470
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.
References: https://themeforest.net/item/wplms-learning-management-system/6780226
https://www.wordfence.com/threat-intel/vulnerabilities/id/1932c9b4-2fea-40f8-9748-09ded8143c11?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-10508
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0.2.6. This is due to the plugin not properly validating the password reset token prior to updating a user's password. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, and gain access to these accounts.
References: https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.2.6/public/controllers/class_rm_login_controller.php#L239
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.2.6/public/controllers/class_rm_login_controller.php#L241
https://plugins.trac.wordpress.org/changeset/3181174/custom-registration-form-builder-with-submission-manager/trunk/public/controllers/class_rm_login_controller.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/c4679fa7-be6b-4f50-8cdf-ff9822794f19?source=cve
CWE-ID: CWE-230
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-10547
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WP Membership plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the user_profile_image_upload() function in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://codecanyon.net/item/wp-membership/10066554
https://www.wordfence.com/threat-intel/vulnerabilities/id/664e6e2a-faa1-4609-b250-d7e94c5d5a04?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-10589
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the import_settings() function in all versions up to, and including, 3.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
References: https://codecanyon.net/item/leopard-wordpress-offload-media/23728788
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0b50597-18c1-4cbc-aebb-348f4d786ad9?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-10801
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to, and including, 16.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. User registration must be enabled for this to be exploited.
References: https://codecanyon.net/item/user-extra-fields/12949844
https://www.wordfence.com/threat-intel/vulnerabilities/id/6a60e2c3-4597-4b21-ad20-6a00e483fcf1?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-10871
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Category Ajax Filter plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.2 via the 'params[caf-post-layout]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files with a .php extension can be uploaded and included.
References: https://plugins.trac.wordpress.org/browser/category-ajax-filter/tags/2.8.2/includes/functions.php#L180
https://plugins.trac.wordpress.org/changeset/3183800/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb03d81-ac33-487b-bf4d-927e8104866e?source=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-51570
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Odihost Easy Gallery allows SQL Injection.This issue affects Easy Gallery: from n/a through 1.4.
References: https://patchstack.com/database/vulnerability/simple-gallery-odihost/wordpress-easy-gallery-plugin-1-4-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-51579
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder.Biz 5 Stars Rating Funnel allows SQL Injection.This issue affects 5 Stars Rating Funnel: from n/a through 1.4.01.
References: https://patchstack.com/database/vulnerability/5-stars-rating-funnel/wordpress-5-stars-rating-funnel-plugin-1-4-01-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-51601
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Maksym Marko Website price calculator allows SQL Injection.This issue affects Website price calculator: from n/a through 4.1.
References: https://patchstack.com/database/vulnerability/price-calculator-to-your-website/wordpress-website-price-calculator-plugin-4-1-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-51602
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oleksandr Ustymenko Simple Job Manager allows SQL Injection.This issue affects Simple Job Manager: from n/a through 1.1.
References: https://patchstack.com/database/vulnerability/simple-job-manager/wordpress-simple-job-manager-plugin-1-1-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-51607
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Buddy Lindsey Golf Tracker allows SQL Injection.This issue affects Golf Tracker: from n/a through 0.7.
References: https://patchstack.com/database/vulnerability/golf-tracker/wordpress-golf-tracker-plugin-0-7-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
20. CVE-2024-51619
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Market360.Co Market 360 Viewer allows Blind SQL Injection.This issue affects Market 360 Viewer: from n/a through 1.01.
References: https://patchstack.com/database/vulnerability/market-360-viewer/wordpress-market-360-viewer-plugin-1-01-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
21. CVE-2024-51620
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Porsline allows Blind SQL Injection.This issue affects Porsline: from n/a through 1.0.2.
References: https://patchstack.com/database/vulnerability/porsline/wordpress-porsline-plugin-1-0-2-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
22. CVE-2024-51621
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Reza Sh Download-Mirror-Counter allows SQL Injection.This issue affects Download-Mirror-Counter: from n/a through 1.1.
References: https://patchstack.com/database/vulnerability/wp-download-mirror-counter/wordpress-download-mirror-counter-plugin-1-1-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
23. CVE-2024-51625
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in EDC Team (E-Da`wah Committee) Quran Shortcode allows Blind SQL Injection.This issue affects Quran Shortcode: from n/a through 1.5.
References: https://patchstack.com/database/vulnerability/quran-shortcode/wordpress-quran-shortcode-plugin-1-5-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
24. CVE-2024-51782
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sanjaysolutions Loginplus allows Stored XSS.This issue affects Loginplus: from n/a through 1.2.
References: https://patchstack.com/database/vulnerability/loginplus/wordpress-loginplus-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
25. CVE-2024-51783
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in zaus Forms: 3rd-Party Post Again allows Reflected XSS.This issue affects Forms: 3rd-Party Post Again: from n/a through 0.3.
References: https://patchstack.com/database/vulnerability/forms-3rdparty-post-again/wordpress-forms-3rd-party-post-again-plugin-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
26. CVE-2024-51784
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in VietFriend team FriendStore for WooCommerce allows Reflected XSS.This issue affects FriendStore for WooCommerce: from n/a through 1.4.2.
References: https://patchstack.com/database/vulnerability/friendstore-for-woocommerce/wordpress-friendstore-for-woocommerce-plugin-1-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
27. CVE-2024-10676
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wojciech Borowicz Conversion Helper allows Reflected XSS.This issue affects Conversion Helper: from n/a through 1.12.
References: https://patchstack.com/database/vulnerability/conversion-helper/wordpress-conversion-helper-plugin-1-12-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
28. CVE-2024-50524
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in quyle91 Administrator Z allows Blind SQL Injection.This issue affects Administrator Z: from n/a through 2024.11.04.
References: https://patchstack.com/database/vulnerability/administrator-z/wordpress-administrator-z-plugin-2024-10-27-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
29. CVE-2024-50539
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lodgix Lodgix.Com Vacation Rental Website Builder allows SQL Injection.This issue affects Lodgix.Com Vacation Rental Website Builder: from n/a through 3.9.73.
References: https://patchstack.com/database/vulnerability/lodgixcom-vacation-rental-listing-management-booking-plugin/wordpress-lodgix-com-vacation-rental-website-builder-plugin-3-9-73-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
30. CVE-2024-50544
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Micah Blu RSVP ME allows SQL Injection.This issue affects RSVP ME: from n/a through 1.9.9.
References: https://patchstack.com/database/vulnerability/rsvp-me/wordpress-rsvp-me-plugin-1-9-9-sql-injection-vulnerability-2?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
31. CVE-2024-51762
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Nightshift Creative PropertyShift allows Reflected XSS.This issue affects PropertyShift: from n/a through 1.0.0.
References: https://patchstack.com/database/vulnerability/propertyshift/wordpress-propertyshift-plugin-1-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
32. CVE-2024-51763
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Biplob Adhikari Team Showcase and Slider – Team Members Builder allows Reflected XSS.This issue affects Team Showcase and Slider – Team Members Builder: from n/a through 1.3.
References: https://patchstack.com/database/vulnerability/team-showcase-ultimate/wordpress-team-showcase-and-slider-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
33. CVE-2024-51776
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in samhotchkiss Daily Image allows Reflected XSS.This issue affects Daily Image: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/daily-image/wordpress-daily-image-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
34. CVE-2024-51778
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Starfish Reviews Satisfaction Reports from Help Scout allows Reflected XSS.This issue affects Satisfaction Reports from Help Scout: from n/a through 2.0.3.
References: https://patchstack.com/database/vulnerability/happiness-reports-for-help-scout/wordpress-satisfaction-reports-from-help-scout-plugin-2-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
35. CVE-2024-51779
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Stranger Studios (WordCamp Philly) Don't Break The Code allows Reflected XSS.This issue affects Don't Break The Code: from n/a through .3.1.
References: https://patchstack.com/database/vulnerability/dont-break-the-code/wordpress-don-t-break-the-code-plugin-3-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
36. CVE-2024-51780
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Michael DUMONTET eewee admin custom allows Reflected XSS.This issue affects eewee admin custom: from n/a through 1.8.2.4.
References: https://patchstack.com/database/vulnerability/eewee-admincustom/wordpress-eewee-admin-custom-plugin-1-8-2-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
37. CVE-2024-51781
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Loop Now Technologies, Inc. Firework Shoppable Live Video allows Reflected XSS.This issue affects Firework Shoppable Live Video: from n/a through 6.3.
References: https://patchstack.com/database/vulnerability/firework-videos/wordpress-firework-shoppable-live-video-plugin-6-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
38. CVE-2024-10261
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
References: https://plugins.trac.wordpress.org/changeset/3182968/paid-member-subscriptions
https://www.wordfence.com/threat-intel/vulnerabilities/id/eaf19371-7b06-45c6-bf16-6ef7dfffb175?source=cve
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
39. CVE-2024-10640
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3183018%40woocommerce-currency-switcher&old=3178647%40woocommerce-currency-switcher&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/ceb0dffa-02a2-4193-b2c4-4774091eacfa?source=cve
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
40. CVE-2024-51707
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webcodin WP Visual Adverts allows Reflected XSS.This issue affects WP Visual Adverts: from n/a through 2.3.0.
References: https://patchstack.com/database/vulnerability/wp-visual-adverts/wordpress-wp-visual-adverts-plugin-2-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
41. CVE-2024-51708
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Narnoo Wordpress developer Narnoo Commerce Manager allows Reflected XSS.This issue affects Narnoo Commerce Manager: from n/a through 1.6.0.
References: https://patchstack.com/database/vulnerability/narnoo-commerce-manager/wordpress-narnoo-commerce-manager-plugin-1-6-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
42. CVE-2024-51709
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Marian Dietz TeleAdmin allows Reflected XSS.This issue affects TeleAdmin: from n/a through 1.0.0.
References: https://patchstack.com/database/vulnerability/teleadmin/wordpress-teleadmin-plugin-1-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
43. CVE-2024-51710
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Minerva Infotech Responsive Data Table allows Reflected XSS.This issue affects Responsive Data Table: from n/a through 1.3.
References: https://patchstack.com/database/vulnerability/responsive-data-table/wordpress-responsive-data-table-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
44. CVE-2024-51711
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in saragna Saragna allows Reflected XSS.This issue affects Saragna: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/saragna-social-stream/wordpress-saragna-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
45. CVE-2024-51712
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Visser Labs Jigoshop – Store Toolkit allows Reflected XSS.This issue affects Jigoshop – Store Toolkit: from n/a through 1.4.0.
References: https://patchstack.com/database/vulnerability/jigoshop-store-toolkit/wordpress-jigoshop-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
46. CVE-2024-51713
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TRe Technology And Research S.R.L HQ60 Fidelity Card allows Reflected XSS.This issue affects HQ60 Fidelity Card: from n/a through 1.8.
References: https://patchstack.com/database/vulnerability/hq60-fidelity-card/wordpress-hq60-fidelity-card-plugin-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
47. CVE-2024-51714
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Syed Umair Hussain Shah User Password Reset allows Reflected XSS.This issue affects User Password Reset: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/user-password-reset/wordpress-user-password-reset-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
48. CVE-2024-51716
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gopi.R Twitter real time search scrolling allows Reflected XSS.This issue affects Twitter real time search scrolling: from n/a through 7.0.
References: https://patchstack.com/database/vulnerability/twitter-real-time-search-scrolling/wordpress-twitter-real-time-search-scrolling-plugin-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
49. CVE-2024-51717
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Perception System Ajax Content Filter allows Reflected XSS.This issue affects Ajax Content Filter: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/ajax-content-filter/wordpress-ajax-content-filter-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
50. CVE-2024-51718
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Adam Dehnel Simple Modal allows Reflected XSS.This issue affects Simple Modal: from n/a through 0.3.3.
References: https://patchstack.com/database/vulnerability/simplemodal/wordpress-simple-modal-plugin-0-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
51. CVE-2024-51719
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kevin Walker, Roman Peterhans Simplistic SEO allows Reflected XSS.This issue affects Simplistic SEO: from n/a through 2.3.0.
References: https://patchstack.com/database/vulnerability/simplistic-seo/wordpress-simplistic-seo-plugin-2-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
52. CVE-2024-51759
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Detlef Beyer SVT Simple allows Reflected XSS.This issue affects SVT Simple: from n/a through 1.0.1.
References: https://patchstack.com/database/vulnerability/svt-simple/wordpress-svt-simple-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
53. CVE-2024-51760
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in RistrettoApps Dashing Memberships allows Reflected XSS.This issue affects Dashing Memberships: from n/a through 1.1.
References: https://patchstack.com/database/vulnerability/dashing-memberships/wordpress-dashing-memberships-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
54. CVE-2024-51761
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zack Gilbert and Paul Jarvis WPHelpful allows Reflected XSS.This issue affects WPHelpful: from n/a through 1.2.4.
References: https://patchstack.com/database/vulnerability/wphelpful/wordpress-wphelpful-plugin-1-2-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
55. CVE-2024-51676
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Delicious Delisho allows Reflected XSS.This issue affects Delisho: from n/a through 1.0.6.
References: https://patchstack.com/database/vulnerability/dr-widgets-blocks/wordpress-delisho-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
56. CVE-2024-51689
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tobias Conrad CF7 WOW Styler allows Reflected XSS.This issue affects CF7 WOW Styler: from n/a through 1.6.8.
References: https://patchstack.com/database/vulnerability/cf7-styler/wordpress-cf7-wow-styler-plugin-1-6-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
57. CVE-2024-51690
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Neelam Samariya Thakor Wp Slide Categorywise allows Reflected XSS.This issue affects Wp Slide Categorywise: from n/a through 1.1.
References: https://patchstack.com/database/vulnerability/wp-slide-categorywise/wordpress-wp-slide-categorywise-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
58. CVE-2024-51691
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aryan Duntley Admin Amplify allows Reflected XSS.This issue affects Admin Amplify: from n/a through 1.3.0.
References: https://patchstack.com/database/vulnerability/wpr-admin-amplify/wordpress-admin-amplify-plugin-1-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
59. CVE-2024-51692
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Askew Brook Bing Search API Integration allows Reflected XSS.This issue affects Bing Search API Integration: from n/a through 0.3.3.
References: https://patchstack.com/database/vulnerability/abbs-bing-search/wordpress-bing-search-api-integration-plugin-0-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
60. CVE-2024-51693
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in laboratorio d’Avanguardia Search order by product SKU for WooCommerce allows Reflected XSS.This issue affects Search order by product SKU for WooCommerce: from n/a through 0.2.
References: https://patchstack.com/database/vulnerability/search-order-by-product-sku-for-woocommerce/wordpress-search-order-by-product-sku-for-woocommerce-plugin-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
61. CVE-2024-51694
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Digfish Geotagged Media allows Reflected XSS.This issue affects Geotagged Media: from n/a through 0.3.0.
References: https://patchstack.com/database/vulnerability/geotagged-media/wordpress-geotagged-media-plugin-0-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
62. CVE-2024-51695
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Fabrica Fabrica Synced Pattern Instances allows Reflected XSS.This issue affects Fabrica Synced Pattern Instances: from n/a through 1.0.8.
References: https://patchstack.com/database/vulnerability/fabrica-reusable-block-instances/wordpress-fabrica-synced-pattern-instances-plugin-1-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
63. CVE-2024-51696
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Benjamin Moody Content Syndication Toolkit Reader allows Reflected XSS.This issue affects Content Syndication Toolkit Reader: from n/a through 1.5.
References: https://patchstack.com/database/vulnerability/content-syndication-toolkit-reader/wordpress-content-syndication-toolkit-reader-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
64. CVE-2024-51697
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Doofinder allows Reflected XSS.This issue affects Doofinder: from n/a through 0.5.4.
References: https://patchstack.com/database/vulnerability/doofinder/wordpress-doofinder-plugin-0-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
65. CVE-2024-51698
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Luis Rock Master Bar allows Reflected XSS.This issue affects Master Bar: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/master-bar/wordpress-master-bar-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
66. CVE-2024-51699
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Buooy Buooy Sticky Header allows Reflected XSS.This issue affects Buooy Sticky Header: from n/a through 0.5.2.
References: https://patchstack.com/database/vulnerability/buooy-sticky-header/wordpress-buooy-sticky-header-plugin-0-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
67. CVE-2024-51701
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mahesh Waghmare MG Post Contributors allows Reflected XSS.This issue affects MG Post Contributors: from n/a through 1.3..
References: https://patchstack.com/database/vulnerability/mg-post-contributors/wordpress-mg-post-contributors-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
68. CVE-2024-51702
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Benjamin Moody, Eric Holmes SrcSet Responsive Images for WordPress allows Reflected XSS.This issue affects SrcSet Responsive Images for WordPress: from n/a through 1.4.
References: https://patchstack.com/database/vulnerability/truenorth-srcset/wordpress-srcset-responsive-images-for-wordpress-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
69. CVE-2024-51703
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Genethick WP-Basics allows Reflected XSS.This issue affects WP-Basics: from n/a through 2.0.
References: https://patchstack.com/database/vulnerability/wp-basics/wordpress-wp-basics-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
70. CVE-2024-51704
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hanusek imPress allows Reflected XSS.This issue affects imPress: from n/a through 0.1.4.
References: https://patchstack.com/database/vulnerability/wp-js-impress/wordpress-impress-plugin-0-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
71. CVE-2024-51705
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in James Bruner WP MMenu Lite allows Reflected XSS.This issue affects WP MMenu Lite: from n/a through 1.0.0.
References: https://patchstack.com/database/vulnerability/wp-mmenu-lite/wordpress-wp-mmenu-lite-plugin-1-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
72. CVE-2024-51706
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Upeksha Wisidagama UW Freelancer allows Reflected XSS.This issue affects UW Freelancer: from n/a through 0.1.
References: https://patchstack.com/database/vulnerability/uw-freelancer/wordpress-uw-freelancer-plugin-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
73. CVE-2024-51623
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mehrdad Farahani WP EIS allows SQL Injection.This issue affects WP EIS: from n/a through 1.3.3.
References: https://patchstack.com/database/vulnerability/wp-eis/wordpress-wp-eis-plugin-1-3-3-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
74. CVE-2024-51630
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in Lars Schenk Responsive Flickr Gallery allows Stored XSS.This issue affects Responsive Flickr Gallery: from n/a through 1.3.1.
References: https://patchstack.com/database/vulnerability/responsive-flickr-gallery/wordpress-responsive-flickr-gallery-plugin-1-3-1-csrf-to-stored-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
75. CVE-2024-51647
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in Chaser324 Featured Posts Scroll allows Stored XSS.This issue affects Featured Posts Scroll: from n/a through 1.25.
References: https://patchstack.com/database/vulnerability/featured-posts-scroll/wordpress-featured-posts-scroll-plugin-1-25-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
76. CVE-2024-51606
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Blrt Blrt WP Embed allows SQL Injection.This issue affects Blrt WP Embed: from n/a through 1.6.9.
References: https://patchstack.com/database/vulnerability/blrt-wp-embed/wordpress-blrt-wp-embed-plugin-1-6-9-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
77. CVE-2024-51608
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pluginhandy AmaDiscount allows SQL Injection.This issue affects AmaDiscount: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/amadiscount/wordpress-amadiscount-plugin-plugin-1-0-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between November 09-10, 2024.
During this period, The National Vulnerability Database published 197, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 11
High: 66
Medium: 67
Low: 2
Severity Not Assigned: 51
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-10284
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
References: https://plugins.trac.wordpress.org/browser/ce21-suite/trunk/single-sign-on-ce21.php?rev=3097700#L242
https://www.wordfence.com/threat-intel/vulnerabilities/id/45d66743-300e-480d-98b8-99dc30b6e786?source=cve
CWE-ID: CWE-288
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-10285
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The CE21 Suite plugin for WordPress is vulnerable to sensitive information disclosure via the plugin-log.txt in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to log in the user associated with the JWT token.
References: https://plugins.trac.wordpress.org/browser/ce21-suite/trunk/single-sign-on-ce21.php?rev=3097700#L237
https://plugins.trac.wordpress.org/browser/ce21-suite/trunk/single-sign-on-ce21.php?rev=3097700#L281
https://www.wordfence.com/threat-intel/vulnerabilities/id/618a9ad7-3a13-43e6-84f4-35287f07e1c0?source=cve
CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-10586
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to to create arbitrary files such as .php files that can be leveraged for remote code execution.
References: https://plugins.trac.wordpress.org/browser/debug-tool/trunk/tools/image-puller.php#L120
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e9d5c93-dcd7-450e-8c52-5c95fc5473d2?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-10625
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_tmp_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
References: https://codecanyon.net/item/woocommerce-support-ticket-system/17930050
https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf1cecd-c630-498d-9aa0-3d0adeb73033?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-10626
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
References: https://codecanyon.net/item/woocommerce-support-ticket-system/17930050
https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb2c829-579f-41e2-ad5f-8e4fc125d980?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-10627
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to, and including, 17.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://codecanyon.net/item/woocommerce-support-ticket-system/17930050
https://www.wordfence.com/threat-intel/vulnerabilities/id/1ac218f6-0bfa-480c-9159-d75a027022ba?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-10673
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins which can contain other exploitable vulnerabilities to elevate privileges and gain remote code execution.
References: https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=247826%40top-store&new=247826%40top-store&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/80510ade-cb58-45b3-89f2-2cbbc5640cae?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-10674
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Th Shop Mania theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the th_shop_mania_install_and_activate_callback() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins which can be leveraged to exploit other vulnerabilities and achieve remote code execution and privilege escalation.
References: https://themes.svn.wordpress.org/th-shop-mania/1.4.9/lib/notification/notify.php
https://themes.trac.wordpress.org/browser/th-shop-mania/1.4.9/lib/notification/notify.php
https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=247810%40th-shop-mania&new=247810%40th-shop-mania&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/b7832d37-19a9-491b-879e-4a22f2ba46ec?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-10470
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.
References: https://themeforest.net/item/wplms-learning-management-system/6780226
https://www.wordfence.com/threat-intel/vulnerabilities/id/1932c9b4-2fea-40f8-9748-09ded8143c11?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-10508
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0.2.6. This is due to the plugin not properly validating the password reset token prior to updating a user's password. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, and gain access to these accounts.
References: https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.2.6/public/controllers/class_rm_login_controller.php#L239
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.2.6/public/controllers/class_rm_login_controller.php#L241
https://plugins.trac.wordpress.org/changeset/3181174/custom-registration-form-builder-with-submission-manager/trunk/public/controllers/class_rm_login_controller.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/c4679fa7-be6b-4f50-8cdf-ff9822794f19?source=cve
CWE-ID: CWE-230
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-10547
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WP Membership plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the user_profile_image_upload() function in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://codecanyon.net/item/wp-membership/10066554
https://www.wordfence.com/threat-intel/vulnerabilities/id/664e6e2a-faa1-4609-b250-d7e94c5d5a04?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-10589
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the import_settings() function in all versions up to, and including, 3.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
References: https://codecanyon.net/item/leopard-wordpress-offload-media/23728788
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0b50597-18c1-4cbc-aebb-348f4d786ad9?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-10801
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to, and including, 16.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. User registration must be enabled for this to be exploited.
References: https://codecanyon.net/item/user-extra-fields/12949844
https://www.wordfence.com/threat-intel/vulnerabilities/id/6a60e2c3-4597-4b21-ad20-6a00e483fcf1?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-10871
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Category Ajax Filter plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.2 via the 'params[caf-post-layout]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files with a .php extension can be uploaded and included.
References: https://plugins.trac.wordpress.org/browser/category-ajax-filter/tags/2.8.2/includes/functions.php#L180
https://plugins.trac.wordpress.org/changeset/3183800/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb03d81-ac33-487b-bf4d-927e8104866e?source=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-51570
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Odihost Easy Gallery allows SQL Injection.This issue affects Easy Gallery: from n/a through 1.4.
References: https://patchstack.com/database/vulnerability/simple-gallery-odihost/wordpress-easy-gallery-plugin-1-4-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-51579
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder.Biz 5 Stars Rating Funnel allows SQL Injection.This issue affects 5 Stars Rating Funnel: from n/a through 1.4.01.
References: https://patchstack.com/database/vulnerability/5-stars-rating-funnel/wordpress-5-stars-rating-funnel-plugin-1-4-01-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-51601
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Maksym Marko Website price calculator allows SQL Injection.This issue affects Website price calculator: from n/a through 4.1.
References: https://patchstack.com/database/vulnerability/price-calculator-to-your-website/wordpress-website-price-calculator-plugin-4-1-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-51602
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oleksandr Ustymenko Simple Job Manager allows SQL Injection.This issue affects Simple Job Manager: from n/a through 1.1.
References: https://patchstack.com/database/vulnerability/simple-job-manager/wordpress-simple-job-manager-plugin-1-1-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-51607
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Buddy Lindsey Golf Tracker allows SQL Injection.This issue affects Golf Tracker: from n/a through 0.7.
References: https://patchstack.com/database/vulnerability/golf-tracker/wordpress-golf-tracker-plugin-0-7-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
20. CVE-2024-51619
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Market360.Co Market 360 Viewer allows Blind SQL Injection.This issue affects Market 360 Viewer: from n/a through 1.01.
References: https://patchstack.com/database/vulnerability/market-360-viewer/wordpress-market-360-viewer-plugin-1-01-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
21. CVE-2024-51620
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Porsline allows Blind SQL Injection.This issue affects Porsline: from n/a through 1.0.2.
References: https://patchstack.com/database/vulnerability/porsline/wordpress-porsline-plugin-1-0-2-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
22. CVE-2024-51621
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Reza Sh Download-Mirror-Counter allows SQL Injection.This issue affects Download-Mirror-Counter: from n/a through 1.1.
References: https://patchstack.com/database/vulnerability/wp-download-mirror-counter/wordpress-download-mirror-counter-plugin-1-1-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
23. CVE-2024-51625
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in EDC Team (E-Da`wah Committee) Quran Shortcode allows Blind SQL Injection.This issue affects Quran Shortcode: from n/a through 1.5.
References: https://patchstack.com/database/vulnerability/quran-shortcode/wordpress-quran-shortcode-plugin-1-5-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
24. CVE-2024-51782
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sanjaysolutions Loginplus allows Stored XSS.This issue affects Loginplus: from n/a through 1.2.
References: https://patchstack.com/database/vulnerability/loginplus/wordpress-loginplus-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
25. CVE-2024-51783
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in zaus Forms: 3rd-Party Post Again allows Reflected XSS.This issue affects Forms: 3rd-Party Post Again: from n/a through 0.3.
References: https://patchstack.com/database/vulnerability/forms-3rdparty-post-again/wordpress-forms-3rd-party-post-again-plugin-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
26. CVE-2024-51784
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in VietFriend team FriendStore for WooCommerce allows Reflected XSS.This issue affects FriendStore for WooCommerce: from n/a through 1.4.2.
References: https://patchstack.com/database/vulnerability/friendstore-for-woocommerce/wordpress-friendstore-for-woocommerce-plugin-1-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
27. CVE-2024-10676
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wojciech Borowicz Conversion Helper allows Reflected XSS.This issue affects Conversion Helper: from n/a through 1.12.
References: https://patchstack.com/database/vulnerability/conversion-helper/wordpress-conversion-helper-plugin-1-12-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
28. CVE-2024-50524
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in quyle91 Administrator Z allows Blind SQL Injection.This issue affects Administrator Z: from n/a through 2024.11.04.
References: https://patchstack.com/database/vulnerability/administrator-z/wordpress-administrator-z-plugin-2024-10-27-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
29. CVE-2024-50539
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lodgix Lodgix.Com Vacation Rental Website Builder allows SQL Injection.This issue affects Lodgix.Com Vacation Rental Website Builder: from n/a through 3.9.73.
References: https://patchstack.com/database/vulnerability/lodgixcom-vacation-rental-listing-management-booking-plugin/wordpress-lodgix-com-vacation-rental-website-builder-plugin-3-9-73-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
30. CVE-2024-50544
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Micah Blu RSVP ME allows SQL Injection.This issue affects RSVP ME: from n/a through 1.9.9.
References: https://patchstack.com/database/vulnerability/rsvp-me/wordpress-rsvp-me-plugin-1-9-9-sql-injection-vulnerability-2?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
31. CVE-2024-51762
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Nightshift Creative PropertyShift allows Reflected XSS.This issue affects PropertyShift: from n/a through 1.0.0.
References: https://patchstack.com/database/vulnerability/propertyshift/wordpress-propertyshift-plugin-1-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
32. CVE-2024-51763
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Biplob Adhikari Team Showcase and Slider – Team Members Builder allows Reflected XSS.This issue affects Team Showcase and Slider – Team Members Builder: from n/a through 1.3.
References: https://patchstack.com/database/vulnerability/team-showcase-ultimate/wordpress-team-showcase-and-slider-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
33. CVE-2024-51776
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in samhotchkiss Daily Image allows Reflected XSS.This issue affects Daily Image: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/daily-image/wordpress-daily-image-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
34. CVE-2024-51778
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Starfish Reviews Satisfaction Reports from Help Scout allows Reflected XSS.This issue affects Satisfaction Reports from Help Scout: from n/a through 2.0.3.
References: https://patchstack.com/database/vulnerability/happiness-reports-for-help-scout/wordpress-satisfaction-reports-from-help-scout-plugin-2-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
35. CVE-2024-51779
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Stranger Studios (WordCamp Philly) Don't Break The Code allows Reflected XSS.This issue affects Don't Break The Code: from n/a through .3.1.
References: https://patchstack.com/database/vulnerability/dont-break-the-code/wordpress-don-t-break-the-code-plugin-3-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
36. CVE-2024-51780
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Michael DUMONTET eewee admin custom allows Reflected XSS.This issue affects eewee admin custom: from n/a through 1.8.2.4.
References: https://patchstack.com/database/vulnerability/eewee-admincustom/wordpress-eewee-admin-custom-plugin-1-8-2-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
37. CVE-2024-51781
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Loop Now Technologies, Inc. Firework Shoppable Live Video allows Reflected XSS.This issue affects Firework Shoppable Live Video: from n/a through 6.3.
References: https://patchstack.com/database/vulnerability/firework-videos/wordpress-firework-shoppable-live-video-plugin-6-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
38. CVE-2024-10261
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
References: https://plugins.trac.wordpress.org/changeset/3182968/paid-member-subscriptions
https://www.wordfence.com/threat-intel/vulnerabilities/id/eaf19371-7b06-45c6-bf16-6ef7dfffb175?source=cve
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
39. CVE-2024-10640
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3183018%40woocommerce-currency-switcher&old=3178647%40woocommerce-currency-switcher&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/ceb0dffa-02a2-4193-b2c4-4774091eacfa?source=cve
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
40. CVE-2024-51707
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webcodin WP Visual Adverts allows Reflected XSS.This issue affects WP Visual Adverts: from n/a through 2.3.0.
References: https://patchstack.com/database/vulnerability/wp-visual-adverts/wordpress-wp-visual-adverts-plugin-2-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
41. CVE-2024-51708
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Narnoo Wordpress developer Narnoo Commerce Manager allows Reflected XSS.This issue affects Narnoo Commerce Manager: from n/a through 1.6.0.
References: https://patchstack.com/database/vulnerability/narnoo-commerce-manager/wordpress-narnoo-commerce-manager-plugin-1-6-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
42. CVE-2024-51709
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Marian Dietz TeleAdmin allows Reflected XSS.This issue affects TeleAdmin: from n/a through 1.0.0.
References: https://patchstack.com/database/vulnerability/teleadmin/wordpress-teleadmin-plugin-1-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
43. CVE-2024-51710
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Minerva Infotech Responsive Data Table allows Reflected XSS.This issue affects Responsive Data Table: from n/a through 1.3.
References: https://patchstack.com/database/vulnerability/responsive-data-table/wordpress-responsive-data-table-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
44. CVE-2024-51711
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in saragna Saragna allows Reflected XSS.This issue affects Saragna: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/saragna-social-stream/wordpress-saragna-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
45. CVE-2024-51712
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Visser Labs Jigoshop – Store Toolkit allows Reflected XSS.This issue affects Jigoshop – Store Toolkit: from n/a through 1.4.0.
References: https://patchstack.com/database/vulnerability/jigoshop-store-toolkit/wordpress-jigoshop-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
46. CVE-2024-51713
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TRe Technology And Research S.R.L HQ60 Fidelity Card allows Reflected XSS.This issue affects HQ60 Fidelity Card: from n/a through 1.8.
References: https://patchstack.com/database/vulnerability/hq60-fidelity-card/wordpress-hq60-fidelity-card-plugin-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
47. CVE-2024-51714
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Syed Umair Hussain Shah User Password Reset allows Reflected XSS.This issue affects User Password Reset: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/user-password-reset/wordpress-user-password-reset-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
48. CVE-2024-51716
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gopi.R Twitter real time search scrolling allows Reflected XSS.This issue affects Twitter real time search scrolling: from n/a through 7.0.
References: https://patchstack.com/database/vulnerability/twitter-real-time-search-scrolling/wordpress-twitter-real-time-search-scrolling-plugin-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
49. CVE-2024-51717
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Perception System Ajax Content Filter allows Reflected XSS.This issue affects Ajax Content Filter: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/ajax-content-filter/wordpress-ajax-content-filter-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
50. CVE-2024-51718
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Adam Dehnel Simple Modal allows Reflected XSS.This issue affects Simple Modal: from n/a through 0.3.3.
References: https://patchstack.com/database/vulnerability/simplemodal/wordpress-simple-modal-plugin-0-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
51. CVE-2024-51719
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kevin Walker, Roman Peterhans Simplistic SEO allows Reflected XSS.This issue affects Simplistic SEO: from n/a through 2.3.0.
References: https://patchstack.com/database/vulnerability/simplistic-seo/wordpress-simplistic-seo-plugin-2-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
52. CVE-2024-51759
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Detlef Beyer SVT Simple allows Reflected XSS.This issue affects SVT Simple: from n/a through 1.0.1.
References: https://patchstack.com/database/vulnerability/svt-simple/wordpress-svt-simple-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
53. CVE-2024-51760
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in RistrettoApps Dashing Memberships allows Reflected XSS.This issue affects Dashing Memberships: from n/a through 1.1.
References: https://patchstack.com/database/vulnerability/dashing-memberships/wordpress-dashing-memberships-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
54. CVE-2024-51761
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zack Gilbert and Paul Jarvis WPHelpful allows Reflected XSS.This issue affects WPHelpful: from n/a through 1.2.4.
References: https://patchstack.com/database/vulnerability/wphelpful/wordpress-wphelpful-plugin-1-2-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
55. CVE-2024-51676
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Delicious Delisho allows Reflected XSS.This issue affects Delisho: from n/a through 1.0.6.
References: https://patchstack.com/database/vulnerability/dr-widgets-blocks/wordpress-delisho-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
56. CVE-2024-51689
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tobias Conrad CF7 WOW Styler allows Reflected XSS.This issue affects CF7 WOW Styler: from n/a through 1.6.8.
References: https://patchstack.com/database/vulnerability/cf7-styler/wordpress-cf7-wow-styler-plugin-1-6-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
57. CVE-2024-51690
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Neelam Samariya Thakor Wp Slide Categorywise allows Reflected XSS.This issue affects Wp Slide Categorywise: from n/a through 1.1.
References: https://patchstack.com/database/vulnerability/wp-slide-categorywise/wordpress-wp-slide-categorywise-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
58. CVE-2024-51691
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aryan Duntley Admin Amplify allows Reflected XSS.This issue affects Admin Amplify: from n/a through 1.3.0.
References: https://patchstack.com/database/vulnerability/wpr-admin-amplify/wordpress-admin-amplify-plugin-1-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
59. CVE-2024-51692
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Askew Brook Bing Search API Integration allows Reflected XSS.This issue affects Bing Search API Integration: from n/a through 0.3.3.
References: https://patchstack.com/database/vulnerability/abbs-bing-search/wordpress-bing-search-api-integration-plugin-0-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
60. CVE-2024-51693
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in laboratorio d’Avanguardia Search order by product SKU for WooCommerce allows Reflected XSS.This issue affects Search order by product SKU for WooCommerce: from n/a through 0.2.
References: https://patchstack.com/database/vulnerability/search-order-by-product-sku-for-woocommerce/wordpress-search-order-by-product-sku-for-woocommerce-plugin-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
61. CVE-2024-51694
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Digfish Geotagged Media allows Reflected XSS.This issue affects Geotagged Media: from n/a through 0.3.0.
References: https://patchstack.com/database/vulnerability/geotagged-media/wordpress-geotagged-media-plugin-0-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
62. CVE-2024-51695
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Fabrica Fabrica Synced Pattern Instances allows Reflected XSS.This issue affects Fabrica Synced Pattern Instances: from n/a through 1.0.8.
References: https://patchstack.com/database/vulnerability/fabrica-reusable-block-instances/wordpress-fabrica-synced-pattern-instances-plugin-1-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
63. CVE-2024-51696
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Benjamin Moody Content Syndication Toolkit Reader allows Reflected XSS.This issue affects Content Syndication Toolkit Reader: from n/a through 1.5.
References: https://patchstack.com/database/vulnerability/content-syndication-toolkit-reader/wordpress-content-syndication-toolkit-reader-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
64. CVE-2024-51697
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Doofinder allows Reflected XSS.This issue affects Doofinder: from n/a through 0.5.4.
References: https://patchstack.com/database/vulnerability/doofinder/wordpress-doofinder-plugin-0-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
65. CVE-2024-51698
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Luis Rock Master Bar allows Reflected XSS.This issue affects Master Bar: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/master-bar/wordpress-master-bar-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
66. CVE-2024-51699
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Buooy Buooy Sticky Header allows Reflected XSS.This issue affects Buooy Sticky Header: from n/a through 0.5.2.
References: https://patchstack.com/database/vulnerability/buooy-sticky-header/wordpress-buooy-sticky-header-plugin-0-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
67. CVE-2024-51701
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mahesh Waghmare MG Post Contributors allows Reflected XSS.This issue affects MG Post Contributors: from n/a through 1.3..
References: https://patchstack.com/database/vulnerability/mg-post-contributors/wordpress-mg-post-contributors-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
68. CVE-2024-51702
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Benjamin Moody, Eric Holmes SrcSet Responsive Images for WordPress allows Reflected XSS.This issue affects SrcSet Responsive Images for WordPress: from n/a through 1.4.
References: https://patchstack.com/database/vulnerability/truenorth-srcset/wordpress-srcset-responsive-images-for-wordpress-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
69. CVE-2024-51703
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Genethick WP-Basics allows Reflected XSS.This issue affects WP-Basics: from n/a through 2.0.
References: https://patchstack.com/database/vulnerability/wp-basics/wordpress-wp-basics-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
70. CVE-2024-51704
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hanusek imPress allows Reflected XSS.This issue affects imPress: from n/a through 0.1.4.
References: https://patchstack.com/database/vulnerability/wp-js-impress/wordpress-impress-plugin-0-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
71. CVE-2024-51705
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in James Bruner WP MMenu Lite allows Reflected XSS.This issue affects WP MMenu Lite: from n/a through 1.0.0.
References: https://patchstack.com/database/vulnerability/wp-mmenu-lite/wordpress-wp-mmenu-lite-plugin-1-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
72. CVE-2024-51706
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Upeksha Wisidagama UW Freelancer allows Reflected XSS.This issue affects UW Freelancer: from n/a through 0.1.
References: https://patchstack.com/database/vulnerability/uw-freelancer/wordpress-uw-freelancer-plugin-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
73. CVE-2024-51623
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mehrdad Farahani WP EIS allows SQL Injection.This issue affects WP EIS: from n/a through 1.3.3.
References: https://patchstack.com/database/vulnerability/wp-eis/wordpress-wp-eis-plugin-1-3-3-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
74. CVE-2024-51630
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in Lars Schenk Responsive Flickr Gallery allows Stored XSS.This issue affects Responsive Flickr Gallery: from n/a through 1.3.1.
References: https://patchstack.com/database/vulnerability/responsive-flickr-gallery/wordpress-responsive-flickr-gallery-plugin-1-3-1-csrf-to-stored-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
75. CVE-2024-51647
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in Chaser324 Featured Posts Scroll allows Stored XSS.This issue affects Featured Posts Scroll: from n/a through 1.25.
References: https://patchstack.com/database/vulnerability/featured-posts-scroll/wordpress-featured-posts-scroll-plugin-1-25-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
76. CVE-2024-51606
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Blrt Blrt WP Embed allows SQL Injection.This issue affects Blrt WP Embed: from n/a through 1.6.9.
References: https://patchstack.com/database/vulnerability/blrt-wp-embed/wordpress-blrt-wp-embed-plugin-1-6-9-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
77. CVE-2024-51608
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pluginhandy AmaDiscount allows SQL Injection.This issue affects AmaDiscount: from n/a through 1.0.
References: https://patchstack.com/database/vulnerability/amadiscount/wordpress-amadiscount-plugin-plugin-1-0-sql-injection-vulnerability?_s_id=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found