CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38516 – WordPress Audio Player with Playlist Ultimate Plugin <= 1.2.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-38516
20 Jul 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WP OnlineSupport, Essential Plugin Audio Player with Playlist Ultimate plugin <= 1.2.2 versions. Vulnerabilidad de Coss-Site Scripting (XSS) autenticada (con permisos de colaboradores o superiores) almacenada en WP OnlineSupport, en el complemento Essential Plugin Audio Player with Playlist Ultimate, versión 1.2.2 y anteriores. The Audio Player with Playlist Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in v... • https://patchstack.com/database/vulnerability/audio-player-with-playlist-ultimate/wordpress-audio-player-with-playlist-ultimate-plugin-1-2-2-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38077 – WordPress Popup Anything Plugin <= 2.2.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-38077
28 Mar 2023 — Cross-Site Request Forgery (CSRF) vulnerability in WP OnlineSupport, Essential Plugin Popup Anything – A Marketing Popup and Lead Generation Conversions plugin <= 2.2.1 versions. The WP OnlineSupport, Essential Plugin Popup Anything plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.1. This is due to missing nonce validation on the popupaoc_register_settings() function. This makes it possible for unauthenticated attackers to reset the plugin's settings gra... • https://patchstack.com/database/vulnerability/popup-anything-on-click/wordpress-popup-anything-plugin-2-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45818 – WordPress Hero Banner Ultimate Plugin <= 1.3.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-45818
22 Feb 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WP OnlineSupport, Essential Plugin Hero Banner Ultimate plugin <= 1.3.4 versions. The Hero Banner Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting possibly via unspecified shortcodes in versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level access, and above, to inject arbitrary web scripts in pag... • https://patchstack.com/database/vulnerability/hero-banner-ultimate/wordpress-hero-banner-ultimate-plugin-1-3-4-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4824 – WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4824
12 Jan 2023 — The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. The WP Blog and Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 2.3 due to insufficient input sani... • https://wpscan.com/vulnerability/9af8e425-c477-4e2b-9445-70ffb769f3f0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4791 – Product Slider and Carousel with Category for WooCommerce < 2.8 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4791
04 Jan 2023 — The Product Slider and Carousel with Category for WooCommerce WordPress plugin before 2.8 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. The Product Slider and Carousel with Category for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping o... • https://wpscan.com/vulnerability/0a6e4c45-3f6d-4150-9546-141c2e3a1782 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4747 – Post Category Image With Grid and Slider < 1.4.8 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4747
04 Jan 2023 — The Post Category Image With Grid and Slider WordPress plugin before 1.4.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. The Post Category Image With Grid and Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and in... • https://wpscan.com/vulnerability/004f1872-1576-447f-8837-f29fa319cbdc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2115 – Popup Anything < 2.1.7 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2115
04 Jul 2022 — The Popup Anything WordPress plugin before 2.1.7 does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting El plugin Popup Anything de WordPress versiones anteriores a 2.1.7, no sanea y escapa de un parámetro antes de devolverlo a una página del frontend, conllevando a un ataque de tipo Cross-Site Scripting Reflejado The Popup Anything – A Marketing Popup and Lead Generation Conversions plugin for WordPress is vulnerable to Reflected C... • https://wpscan.com/vulnerability/1f0ae535-c560-4510-ae9a-059e2435ad39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-24883 – Popup Anything < 2.0.4 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24883
25 Oct 2021 — The Popup Anything WordPress plugin before 2.0.4 does not escape the Link Text and Button Text fields of Popup, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks El plugin Popup Anything de WordPress versiones anteriores a 2.0.4, no escapa los campos Link Text y Button Text del Popup, que podría permitir a usuarios con un rol tan bajo como el de Contributor llevar a cabo ataques de tipo Cross-Site Scripting • https://plugins.trac.wordpress.org/changeset/2610975 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •