
CVE-2024-7092 – Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via no_more_items_text Parameter
https://notcve.org/view.php?id=CVE-2024-7092
12 Aug 2024 — The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘no_more_items_text’ parameter in all versions up to, and including, 5.9.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://essential-addons.com/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-6557 – SchedulePress <= 5.1.3 - Unauthenticated Full Path Disclosure
https://notcve.org/view.php?id=CVE-2024-6557
15 Jul 2024 — The SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.1.3. This is due to the plugin utilizing the wpdeveloper library and leaving the demo files in place with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information ... • https://plugins.trac.wordpress.org/browser/wp-scheduled-posts/trunk/vendor/wpdevelopers/pinterest-api-php/demo/boot.php • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-1565 – EmbedPress <= 3.9.10 - Authenticated(Contributor+) Stored Cross-Site Scripting via PDF Widget URL
https://notcve.org/view.php?id=CVE-2024-1565
12 Jun 2024 — The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the PDF Widget URL in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever ... • https://plugins.trac.wordpress.org/browser/embedpress/tags/3.9.8/EmbedPress/Elementor/Widgets/Embedpress_Pdf.php#L705 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-5189 – Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.23 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-5189
10 Jun 2024 — The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_js’ parameter in all versions up to, and including, 5.9.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/5.9.21/includes/Classes/Asset_Builder.php#L264 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-5073 – Essential Addons for Elementor <= 5.9.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Feed
https://notcve.org/view.php?id=CVE-2024-5073
29 May 2024 — The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Twitter Feed component in all versions up to, and including, 5.9.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Twitter_Feed.php#L210 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-1803 – EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.12 - Insufficient Authorization Checks to Block Usual
https://notcve.org/view.php?id=CVE-2024-1803
22 May 2024 — The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of functionality due to insufficient authorization validation on the PDF embed block in all versions up to, and including, 3.9.12. This makes it possible for authenticated attackers, with contributor-level access and above, to embed PDF blocks. • https://plugins.trac.wordpress.org/changeset/3055856 • CWE-285: Improper Authorization •

CVE-2024-4891 – Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.5.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4891
16 May 2024 — The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tagName’ parameter in versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/blocks/AdvancedHeading.php#L115 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-4624 – Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.20 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4624
13 May 2024 — The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eael_ext_toc_title_tag’ parameter in versions up to, and including, 5.9.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/5.9.19/includes/Traits/Elements.php#L550 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-4448 – Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Dual Color Header', 'Event Calendar', & 'Advanced Data Table'
https://notcve.org/view.php?id=CVE-2024-4448
09 May 2024 — The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Dual Color Header', 'Event Calendar', & 'Advanced Data Table' widgets in all versions up to, and including, 5.9.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts ... • https://plugins.trac.wordpress.org/changeset/3083162/essential-addons-for-elementor-lite/tags/5.9.20/includes/Elements/Advanced_Data_Table.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-4275 – Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Interactive Circles'
https://notcve.org/view.php?id=CVE-2024-4275
09 May 2024 — The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Interactive Circle widget in all versions up to, and including, 5.9.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user ac... • https://plugins.trac.wordpress.org/changeset/3083162/essential-addons-for-elementor-lite/tags/5.9.20/includes/Elements/Interactive_Circle.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •