Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-5668 | 1 Firecask | 1 Whatsapp Share Button | 2024-11-21 | N/A | 6.4 MEDIUM | The WhatsApp Share Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'whatsapp' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5667 | 1 Themepoints | 1 Tab Ultimate | 2024-11-21 | N/A | 6.4 MEDIUM | The Tab Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5666 | 1 Themepoints | 1 Accordion | 2024-11-21 | N/A | 6.4 MEDIUM | The Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcpaccordion' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5665 | 1 Paystack | 1 Payment Forms For Paystack | 2024-11-21 | N/A | 6.4 MEDIUM | The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-32130 is likely a duplicate of this ... |
| CVE-2023-5664 | 1 Ggnome | 1 Garden Gnome Package | 2024-11-21 | N/A | 6.4 MEDIUM | The Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ggpkg' shortcode in all versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 2.2.7 ... |
| CVE-2023-5662 | 1 Wpsimplesponsorships | 1 Sponsors | 2024-11-21 | N/A | 6.4 MEDIUM | The Sponsors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sponsors' shortcode in all versions up to, and including, 3.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5661 | 1 Web-settler | 1 Social Feed | 2024-11-21 | N/A | 6.4 MEDIUM | The Social Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialfeed' shortcode in all versions up to, and including, 1.5.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5660 | 1 Pressified | 1 Sendpress | 2024-11-21 | N/A | 6.4 MEDIUM | The SendPress Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.22.3.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5659 | 1 Tryinteract | 1 Interact | 2024-11-21 | N/A | 6.4 MEDIUM | The Interact: Embed A Quiz On Your Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interact-quiz' shortcode in all versions up to, and including, 3.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5658 | 1 Chandnipatel | 1 Wp Mapit | 2024-11-21 | N/A | 6.4 MEDIUM | The WP MapIt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_mapit' shortcode in all versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5653 | 1 Wassup Real Time Analytics Project | 1 Wassup Real Time Analytics | 2024-11-21 | N/A | 6.1 MEDIUM | The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does not escape IP address provided via some headers before outputting them back in an admin page, allowing unauthenticated users to perform Stored XSS attacks against logged in admins |
| CVE-2023-5641 | 1 Martinstools | 1 Free & Easy Link Building | 2024-11-21 | N/A | 6.1 MEDIUM | The Martins Free & Easy SEO BackLink Link Building Network WordPress plugin before 1.2.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin |
| CVE-2023-5639 | 1 Themepoints | 1 Team Showcase | 2024-11-21 | N/A | 6.4 MEDIUM | The Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tmfshortcode' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5638 | 1 Booster | 1 Booster For Woocommerce | 2024-11-21 | N/A | 6.4 MEDIUM | The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcj_image' shortcode in versions up to, and including, 7.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5621 | 1 I13websolution | 1 Thumbnail Slider With Lightbox | 2024-11-21 | N/A | 4.4 MEDIUM | The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Title field in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has b ... |
| CVE-2023-5620 | 1 Webpushr | 1 Web Push Notifications | 2024-11-21 | N/A | 5.4 MEDIUM | The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks. |
| CVE-2023-5618 | 1 Prismtechstudios | 1 Modern Footnotes | 2024-11-21 | N/A | 6.4 MEDIUM | The Modern Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in versions up to, and including, 1.4.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5615 | 1 Ravanh | 1 Skype Legacy Buttons | 2024-11-21 | N/A | 6.4 MEDIUM | The Skype Legacy Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skype-status' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5614 | 1 Plugin-planet | 1 Theme Switcha | 2024-11-21 | N/A | 6.4 MEDIUM | The Theme Switcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'theme_switcha_list' shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5609 | 1 S-sols | 1 Seraphinite Accelerator | 2024-11-21 | N/A | 6.1 MEDIUM | The Seraphinite Accelerator WordPress plugin before 2.2.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin |
| CVE-2023-5605 | 1 Kaizencoders | 1 Url Shortify | 2024-11-21 | N/A | 4.8 MEDIUM | The URL Shortify WordPress plugin before 1.7.9.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) |
| CVE-2023-5599 | 1 Dassault | 2 3dswymer 3dexperience 2022, 3dswymer 3dexperience 2023 | 2024-11-21 | N/A | 5.4 MEDIUM | A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2023x allows an attacker to execute arbitrary script code. |
| CVE-2023-5598 | 1 Dassault | 2 3dswymer 3dexperience 2022, 3dswymer 3dexperience 2023 | 2024-11-21 | N/A | 5.4 MEDIUM | Stored Cross-site Scripting (XSS) vulnerabilities affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2023x allow an attacker to execute arbitrary script code. |
| CVE-2023-5597 | | | 2024-11-21 | N/A | 5.4 MEDIUM | A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code. |
| CVE-2023-5585 | 1 Oretnom23 | 1 Online Motorcycle (bike) Rental System | 2024-11-21 | 3.3 LOW | 2.4 LOW | A vulnerability was found in SourceCodester Online Motorcycle Rental System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/?page=bike of the component Bike List. The manipulation of the argument Model with the input `"><script>confirm (document.cookie)</script>` leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-242170 is the identifier assigned to this vulnerab ... |
| CVE-2023-5581 | 1 Oretnom23 | 1 Medicine Tracker System | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability classified as problematic was found in SourceCodester Medicine Tracker System 1.0. This vulnerability affects unknown code of the file index.php. The manipulation of the argument page leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-242146 is the identifier assigned to this vulnerability. |
| CVE-2023-5577 | 1 Bitly | 1 Bitly | 2024-11-21 | N/A | 6.4 MEDIUM | The Bitly's plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpbitly' shortcode in all versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5567 | 1 Spreendigital | 1 Qr Code Tag | 2024-11-21 | N/A | 6.4 MEDIUM | The QR Code Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'qrcodetag' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5564 | 1 Froxlor | 1 Froxlor | 2024-11-21 | N/A | 4.8 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1. |
| CVE-2023-5562 | 1 Knime | 1 Knime Analytics Platform | 2024-11-21 | N/A | 6.1 MEDIUM | An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. KNIME Analytics Platf ... |
| CVE-2023-5560 | 1 Lesterchan | 1 Wp-useronline | 2024-11-21 | N/A | 6.1 MEDIUM | The WP-UserOnline WordPress plugin before 2.88.3 does not sanitise and escape the X-Forwarded-For header before outputting its content on the page, which allows unauthenticated users to perform Cross-Site Scripting attacks. |
| CVE-2023-5558 | 1 Thimpress | 1 Learnpress | 2024-11-21 | N/A | 6.1 MEDIUM | The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2023-5556 | 1 Structurizr | 1 On-premises Installation | 2024-11-21 | N/A | 6.1 MEDIUM | Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194. |
| CVE-2023-5547 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2024-11-21 | N/A | 3.3 LOW | The course upload preview contained an XSS risk for users uploading unsafe data. |
| CVE-2023-5546 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2024-11-21 | N/A | 4.3 MEDIUM | ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. |
| CVE-2023-5544 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2024-11-21 | N/A | 6.5 MEDIUM | Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. |
| CVE-2023-5541 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 3.3 LOW | The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. |
| CVE-2023-5538 | 1 Mrpeng | 1 Mpoperationlogs | 2024-11-21 | N/A | 7.2 HIGH | The MpOperationLogs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the IP Request Headers in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5530 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | N/A | 4.8 MEDIUM | The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue |
| CVE-2023-5507 | 1 Imagemapper Project | 1 Imagemapper | 2024-11-21 | N/A | 6.4 MEDIUM | The ImageMapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'imagemap' shortcode in versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
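Most of the WordPress entries above (CVE-2023-5668 through CVE-2023-5658, CVE-2023-5639, CVE-2023-5638, CVE-2023-5618, CVE-2023-5615, CVE-2023-5614, CVE-2023-5577, CVE-2023-5567, CVE-2023-5507) describe the same bug: a shortcode callback concatenates user-supplied attributes into HTML without escaping. The reason a contributor is enough is that KSES strips the HTML a contributor types at save time, but a shortcode callback generates fresh HTML at render time from text KSES treated as plain characters, and an editor or administrator who previews the pending post triggers it. The following is an added example for this page, not code from any plugin listed; `demo_box` is a hypothetical shortcode name, the attacker attributes are constructed, and the `function_exists` stand-ins only exist so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example for this page; it is not code from any plugin listed here.
// 'demo_box' is a hypothetical shortcode name. The vulnerable and hardened
// handlers below differ only in how attribute values reach the HTML.

// Stand-ins so the file also runs under plain `php` on the command line.
// Inside WordPress these helpers already exist and the stand-ins are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // The real esc_url() does more; this stand-in keeps only http(s) URLs,
    // which is the behaviour the example relies on (javascript: is dropped).
    function esc_url($url) {
        $url = trim((string) $url);
        return preg_match('#^https?://#i', $url)
            ? htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : '';
    }
}
if (!function_exists('shortcode_atts')) {
    // Like WordPress: fill defaults and drop attributes the shortcode does not declare.
    function shortcode_atts($pairs, $atts) {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// VULNERABLE: attribute values are concatenated straight into markup.
// Contributors cannot post raw HTML (KSES strips it on save), but this callback
// builds HTML at render time from text KSES never treated as a tag.
function demo_box_shortcode_vulnerable($atts) {
    $atts = shortcode_atts(['title' => '', 'link' => '#', 'color' => 'blue'], $atts);
    return '<div class="demo-box ' . $atts['color'] . '" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a></div>';
}

// HARDENED: each value is escaped for the exact context it lands in, and a
// value that should come from a fixed set is checked against an allow-list.
function demo_box_shortcode_hardened($atts) {
    $atts  = shortcode_atts(['title' => '', 'link' => '', 'color' => 'blue'], $atts);
    $color = in_array($atts['color'], ['blue', 'green', 'red'], true) ? $atts['color'] : 'blue';
    $link  = esc_url($atts['link']);    // URL context: rejects javascript: and friends
    $title = esc_attr($atts['title']);  // attribute context
    $label = esc_html($atts['title']);  // text-node context
    $html  = '<div class="demo-box ' . esc_attr($color) . '" title="' . $title . '">';
    $html .= ($link !== '') ? '<a href="' . $link . '">' . $label . '</a>' : $label;
    return $html . '</div>';
}

// Constructed attacker input. WordPress accepts single-quoted shortcode values,
// so [demo_box title='" onmouseover="alert(document.cookie)'] stores a value with
// a raw double quote that closes the title attribute.
function demo_attacker_atts() {
    return [
        'title' => '" onmouseover="alert(document.cookie)',
        'link'  => 'javascript:alert(1)',
        'color' => '" style="',
    ];
}

if (function_exists('add_shortcode')) {
    add_shortcode('demo_box', 'demo_box_shortcode_hardened');
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    echo "vulnerable: " . demo_box_shortcode_vulnerable(demo_attacker_atts()) . "\n";
    echo "hardened:   " . demo_box_shortcode_hardened(demo_attacker_atts()) . "\n";
}
```

Run with `php` on the command line: the vulnerable handler emits an `onmouseover` handler, a `javascript:` href and an injected `style` attribute from three separate attributes, while the hardened one emits only inert text. Note that `esc_attr()` is sufficient only because every attribute in the hardened markup is double-quoted; an unquoted attribute still breaks out on a space. Entries such as CVE-2023-5530 and CVE-2023-5605 describe a different situation, stored XSS that only users holding `unfiltered_html` can perform, which is why they carry lower scores than the contributor-level shortcode entries.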
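Three entries above (CVE-2023-5653 WassUp, CVE-2023-5560 WP-UserOnline, CVE-2023-5538 MpOperationLogs) are a different shape of stored XSS: the plugin records a "visitor IP" taken from request headers such as `X-Forwarded-For`, which any unauthenticated client can set, and later prints it in an admin page. The example below is added for this page and is not code from those plugins; the proxy address, the request arrays and the script payload are constructed, and `htmlspecialchars()` stands in for WordPress's `esc_html()` so the file runs under plain `php`.

```php
<?php
// Added example for this page; not code from WassUp, WP-UserOnline or MpOperationLogs.
// It shows the header-trust mistake behind those entries and one correct handling.
// The proxy address in demo_trusted_proxies() is an assumption for the example.

// VULNERABLE: prefers attacker-controlled request headers over the TCP peer address
// and stores the result without validation. Whatever is stored is later rendered
// in an admin page, so the payload runs in an administrator's browser.
function visitor_ip_vulnerable(array $server) {
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_REAL_IP'] as $header) {
        if (!empty($server[$header])) {
            $parts = explode(',', $server[$header]);
            return trim($parts[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// HARDENED: X-Forwarded-For is honoured only when REMOTE_ADDR is a proxy we
// operate, the entry taken is the one that proxy appended (the right-most),
// and nothing that fails FILTER_VALIDATE_IP is ever stored.
function visitor_ip_hardened(array $server, array $trusted_proxies) {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // no trustworthy address to record
    }
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts  = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $client = end($parts);
        if (filter_var($client, FILTER_VALIDATE_IP) !== false) {
            return $client;
        }
    }
    return $remote;
}

// Output side: escape even validated data when it lands in HTML. Inside WordPress
// esc_html() does this; htmlspecialchars() is the plain-PHP equivalent used here.
function render_ip_cell($ip) {
    return '<td>' . htmlspecialchars((string) $ip, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

function demo_trusted_proxies() {
    return ['10.0.0.2']; // assumption: the site's only reverse proxy
}

// Constructed requests: one attacker hitting the site directly, one arriving
// through the trusted proxy, both carrying a script payload in X-Forwarded-For.
function demo_requests() {
    $payload = '<script>alert(document.cookie)</script>';
    return [
        'direct'       => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => $payload],
        'behind_proxy' => ['REMOTE_ADDR' => '10.0.0.2',
                           'HTTP_X_FORWARDED_FOR' => $payload . ', 203.0.113.9'],
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (demo_requests() as $name => $server) {
        $bad  = visitor_ip_vulnerable($server);
        $good = visitor_ip_hardened($server, demo_trusted_proxies());
        printf("%-13s vulnerable stores %s\n", $name, var_export($bad, true));
        printf("%-13s hardened   stores %s -> %s\n", $name, var_export($good, true), render_ip_cell($good));
    }
}
```

For the direct request the vulnerable function stores the script tag and the hardened one stores `198.51.100.7`; behind the proxy the hardened one stores `203.0.113.9`, the address the proxy appended, rather than the attacker's first entry. Validation on input and escaping on output are both needed: the validation step protects the stored data, and the escape step protects the admin page if some other path (an import, an older record, a header the check did not cover) gets past it. Sites with more than one proxy hop need to walk the list from the right past every trusted address, and sites behind a CDN should match the peer against the CDN's published ranges rather than a single literal.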