CVE-2024-5341 – The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Title Widget
https://notcve.org/view.php?id=CVE-2024-5341
The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' attribute of the Heading Title widget in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento The Plus Addons para Elementor Page Builder para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del atributo 'tamaño' del widget Título del encabezado en todas las versiones hasta la 5.5.4 incluida debido a una sanitización de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://roadmap.theplusaddons.com/updates https://www.wordfence.com/threat-intel/vulnerabilities/id/39c8e951-8e8c-4a72-9ecf-1dd96392105d?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-4094 – Simple Share Buttons Adder < 8.5.1 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-4094
The Simple Share Buttons Adder WordPress plugin before 8.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed El complemento Simple Share Buttons Adder de WordPress anterior a 8.5.1 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con altos privilegios, como editores, realizar ataques de cross site scripting incluso cuando unfiltered_html no está permitido. The Simple Share Buttons Adder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/04b2feba-e009-4fce-8539-5dfdb4300433 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-4305 – PostX < 4.1.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-4305
The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks El complemento Post Grid Gutenberg Blocks and WordPress Blog Plugin de WordPress anterior a 4.1.0 no valida ni escapa algunas de sus opciones de bloqueo antes de devolverlas a una página/publicación donde está incrustado el bloque, lo que podría permitir a los usuarios con el rol de colaborador y superior para realizar ataques de Cross-Site Scripting Almacenado The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the filterMobileText parameter in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/635be98d-4c17-4e75-871f-9794d85a2eb1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-3236 – Easy Notify Lite < 1.1.33 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-3236
The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks. El complemento Popup Builder de WordPress anterior a 1.1.33 no sanitiza ni escapa a algunos de sus campos de notificación, lo que podría permitir a usuarios como colaborador y superiores realizar ataques de Cross-Site Scripting Almacenado. The Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.1.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://github.com/chucrutis/CVE-2024-32369 https://wpscan.com/vulnerability/a6c2da28-dc03-4bcc-a6c3-ee55a73861db • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-3978 – WordPress Jitsi Shortcode <= 0.1 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2024-3978
The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks El complemento WordPress Jitsi Shortcode de WordPress hasta la versión 0.1 no valida ni escapa algunos de sus atributos de shortcode antes de devolverlos a una página/publicación donde está incrustado el shortcode, lo que podría permitir a los usuarios con el rol de colaborador y superior realizar ataques de Cross-Site Scripting Almacenado. The WordPress Jitsi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/a9f47d11-47ac-4998-a82a-dc2f3b0decdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •