Tag

#xss

CVE-2023-30780: WordPress User IP and Location plugin <= 2.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in TheGuideX User IP and Location plugin <= 2.2 versions.

CVE-2023-23667: WordPress Brands for WooCommerce plugin <= 3.7.0.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in BeRocket Brands for WooCommerce plugin <= 3.7.0.6 versions.

CVE-2022-47157: WordPress WP Custom Fields Search plugin <= 1.2.34 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Don Benjamin WP Custom Fields Search plugin <= 1.2.34 versions.

CVE-2023-31233: WordPress Baidu Tongji generator plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Haoqisir Baidu Tongji generator plugin <= 1.0.2 versions.

CVE-2023-32515: WordPress Custom Field Suite plugin <= 2.6.2.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Matt Gibbs Custom Field Suite plugin <= 2.6.2.1 versions.

CVE-2023-30868: WordPress CMS Tree Page View plugin <= 1.6.7 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Jon Christopher CMS Tree Page View plugin <= 1.6.7 versions.

CVE-2023-30487: WordPress LearnPress Export Import plugin <= 4.0.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ThimPress LearnPress Export Import plugin <= 4.0.2 versions.

GHSA-h538-r9x6-rcmc: LavaLite vulnerable to Cross Site Scripting

LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS).

CVE-2023-2757: templates.php in waiting/tags/0.6.2/templates – WordPress Plugin Repository

The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for subscriber-level attackers to access functions that save plugin data, which can potentially lead to the injection of arbitrary web scripts in pages that will execute whenever a user accesses an injected page.