
CVE-2024-13118 – IP Based Login < 2.4.1 - Log Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-13118
06 Mar 2025 — The IP Based Login WordPress plugin before 2.4.1 does not have CSRF checks in some places, which could allow attackers to make logged in users delete all logs via a CSRF attack. The IP Based Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete logs granted they can trick a site administrator into performing an action ... • https://wpscan.com/vulnerability/eba6f98e-b931-4f02-b190-ca855a674839 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-1762 – Event Tickets with Ticket Scanner < 2.5.4 - Arbitrary Tickets Deletion via CSRF
https://notcve.org/view.php?id=CVE-2025-1762
06 Mar 2025 — The Event Tickets with Ticket Scanner WordPress plugin before 2.5.4 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. The Event Tickets with Ticket Scanner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.3. This is due to missing or incorrect nonce validation on the executeJSON() function. This makes it possible for unauthenticated attackers to delete arb... • https://wpscan.com/vulnerability/d5cefdee-2ba0-465d-b176-0dff39fc322c • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-11847 – WP SVG Upload <= 1.0.0 - Author+ Stored XSS via SVG
https://notcve.org/view.php?id=CVE-2024-11847
05 Mar 2025 — The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to upload SVG files with malicious JavaScript to conduct Stored XSS attacks. The Wp Svg Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbit... • https://wpscan.com/vulnerability/f57ecff2-0cff-40c7-b6e4-5b162b847d65 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-13617 – Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated Arbitrary File Download
https://notcve.org/view.php?id=CVE-2024-13617
04 Mar 2025 — The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server. The Downloable by American Osteopathic Association plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 0.1.0. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. • https://wpscan.com/vulnerability/8d6dd979-21ef-4d14-9c42-bbd1d7b65c53 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-13618 – Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated SSRF
https://notcve.org/view.php?id=CVE-2024-13618
04 Mar 2025 — The aoa-downloadable WordPress plugin through 0.1.0 lacks authorization and authentication for requests to its download.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. The Downloable by American Osteopathic Association plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.1.0. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be... • https://wpscan.com/vulnerability/d6a78233-3f23-4da4-9bc0-1439cde20a30 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2025-1798 – Design Comuni Italia < 1.1.2 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2025-1798
04 Mar 2025 — The Design Comuni Italia theme does not sanitise and escape some parameters when outputting them back in a page, allowing unauthenticated users the ability to perform stored Cross-Site Scripting attacks. The Design Comuni Italia theme for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/c5c30191-857c-419c-9096-d1fe14d34eaa • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-13124 – Photo Gallery by 10Web < 1.8.33 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-13124
02 Mar 2025 — The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery Titles in all versions up to, and including, 1.8.32 due to insufficient input... • https://wpscan.com/vulnerability/5b3bf87b-73a1-47e8-bb00-0dfded07b191 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-10558 – Form Maker by 10Web < 1.15.30 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-10558
02 Mar 2025 — The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.29 due to ins... • https://wpscan.com/vulnerability/7028db78-2870-48d5-b06b-480ac8be3655 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-0718 – Nested Pages < 3.2.13 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-0718
02 Mar 2025 — The Nested Pages WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Nested Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping. This makes... • https://wpscan.com/vulnerability/69ddd8eb-33f1-49cf-9428-3d89262b1887 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-13571 – Post Timeline < 2.3.10 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13571
26 Feb 2025 — The Post Timeline WordPress plugin before 2.3.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. • https://wpscan.com/vulnerability/ad6ad44d-fdc3-494c-a371-5d7959d1fd23 •