CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5667 – Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library
https://notcve.org/view.php?id=CVE-2024-5667
04 Mar 2025 — Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Featherlight.js JavaScript library (versions 1.7.13 to 1.7.14) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Varios complementos para WordPress son vulne... • https://plugins.trac.wordpress.org/browser/wp-featherlight/trunk/js/wpFeatherlight.pkgd.js • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 14EXPL: 0CVE-2024-5020 – Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
https://notcve.org/view.php?id=CVE-2024-5020
03 Dec 2024 — Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Varios complementos para WordPress son vulnerables a ... • https://plugins.trac.wordpress.org/changeset/3150376/woo-smart-quick-view • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6870 – Responsive Lightbox & Gallery <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload
https://notcve.org/view.php?id=CVE-2024-6870
21 Aug 2024 — The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping affecting the rl_upload_image AJAX endpoint. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the 3gp2 file. • https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.4.7/includes/class-remote-library.php#L261 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3230 – Download Attachments <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-3230
03 Jun 2024 — The Download Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'download-attachments' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Download Attachments para WordP... • https://wordpress.org/plugins/download-attachments • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1994 – Image Watermark <= 1.7.3 - Missing Authorization to Authenticated (Subscriber+) Watermark Modification
https://notcve.org/view.php?id=CVE-2024-1994
05 Apr 2024 — The Image Watermark plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the watermark_action_ajax() function in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to apply and remove watermarks from images. El complemento Image Watermark para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función wa... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3064501%40image-watermark&new=3064501%40image-watermark&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49174 – WordPress Responsive Lightbox Plugin <= 2.4.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49174
29 Nov 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dFactory Responsive Lightbox & Gallery allows Stored XSS.This issue affects Responsive Lightbox & Gallery: from n/a through 2.4.5. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Cross-site Scripting') en dFactory Responsive Lightbox & Gallery permite almacenar XSS. Este problema afecta a Responsive Lightbox & Gallery: desde n/a hasta 2.4.5. The Re... • https://patchstack.com/database/vulnerability/responsive-lightbox/wordpress-responsive-lightbox-plugin-2-4-5-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0076 – Download Attachments < 1.3 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0076
13 Feb 2023 — The Download Attachments WordPress plugin before 1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Download Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.2.24 due to insufficient input sanitization and output esca... • https://wpscan.com/vulnerability/a0a44f8a-877c-40df-a3ba-b9b806ffb772 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24613 – Post Views Counter < 1.3.5 - Authenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-24613
23 Aug 2021 — The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed El plugin Post Views Counter de WordPress versiones anteriores a 1.3.5, no sanea ni escapa de su configuración de Post Views Label, que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting en el frontend... • https://wpscan.com/vulnerability/0b8c5947-bc73-448e-8f10-a4f4456e4000 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2243 – Responsive Lightbox & Gallery <= 1.7.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-2243
01 Dec 2016 — Cross-site scripting vulnerability in Responsive Lightbox prior to version 1.7.2 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en versiones anteriores a la 1.7.2 de Responsive Lightbox permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. • http://jvn.jp/en/jp/JVN39819446/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •