CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6879 – Quiz and Survey Master (QSM) < 9.1.1 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-6879
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allows contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks. The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the redirect URL in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/4da0b318-03e7-409d-9b02-f108e4232c87 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3282 – WP Table Builder <= 1.5.0 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-3282
The WP Table Builder WordPress plugin through 1.5.0 does not sanitise and escape some of its Table data, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/12bf5e8e-24c9-48b9-b94c-c14ed60d7c15 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6715 – Ditty 3.1.39-3.1.45 - Author+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-6715
The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39 The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Content Title' field in versions 3.1.39 to 3.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was previously patched as CVE-2024-3939 and was recently reintroduced. • https://wpscan.com/vulnerability/19406acc-3441-4d4a-9163-ace8f1dceb78 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1286 – Paid Memberships Pro - Membership Maps Add On < 0.7 - Contributor+ Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2024-1286
The pmpro-membership-maps WordPress plugin before 0.7 does not prevent users with at least the contributor role from leaking sensitive information about users with a membership on the site. The Paid Memberships Pro - Membership Maps Add On plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 0.7 (exclusive) through the 'pmpro_membership_maps' shortcode. This makes it possible for authenticated attackers, with Ccntributor-level access and above, to extract sensitive user meta data. • https://wpscan.com/vulnerability/49dc9ca3-d0ef-4a75-8b51-307e3e44e91b • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6362 – Ultimate Blocks < 3.2.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-6362
The Ultimate Blocks WordPress plugin before 3.2.0 does not validate and escape some of its post-grid block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks • https://wpscan.com/vulnerability/d2e2d06b-0f07-40b9-9b87-3373f62ae1a9 •