CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-4363 – Wholesale Market <= 2.2.2 - Settings Update via CSRF
https://notcve.org/view.php?id=CVE-2022-4363
16 May 2025 — The Wholesale Market WordPress plugin before 2.2.2, Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged in admin update them via a CSRF attack • https://wpscan.com/vulnerability/734dba0b-f550-4372-884a-d42f7b0c00c7 •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2025-3516 – Simple Lightbox < 2.9.4 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3516
16 May 2025 — The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. • https://wpscan.com/vulnerability/336a78cd-297b-4f47-a007-e33eac7f1dad •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2025-3201 – Kali Forms < 2.4.3 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-3201
16 May 2025 — The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks. • https://wpscan.com/vulnerability/4248289f-36d2-41c5-baf6-bb2c630482ef •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-8009 – Sensei LMS < 4.20.0 - Teacher+ Users Email Address Disclosure
https://notcve.org/view.php?id=CVE-2024-8009
15 May 2025 — The Sensei LMS WordPress plugin before 4.20.0 disclose all users of the blog including their email address to teachers on the students page • https://wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4665 – EventPrime – Events Calendar, Bookings and Tickets < 3.5.0 - Subscriber+ Arbitrary booking settings update
https://notcve.org/view.php?id=CVE-2024-4665
15 May 2025 — The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. Additionally, the feature is lacking a nonce. • https://wpscan.com/vulnerability/50b78cac-cad1-4526-9655-ae0440739796 •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4091 – Responsive Gallery Grid < 2.3.15 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-4091
15 May 2025 — The Responsive Gallery Grid WordPress plugin before 2.3.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed • https://wpscan.com/vulnerability/e28e79fa-f461-41fe-ad1c-ca768ea5f982 •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4004 – Advanced Cron Manager < 2.5.7 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-4004
15 May 2025 — The Advanced Cron Manager WordPress plugin before 2.5.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) • https://wpscan.com/vulnerability/8e5e7040-b824-4af7-90a1-90801d12abb6 •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3901 – Genesis Blocks <= 3.1.3 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-3901
15 May 2025 — The Genesis Blocks WordPress plugin through 3.1.3 does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the contributor role) to conduct Stored XSS attacks. • https://wpscan.com/vulnerability/9502e1ac-346e-4431-90a6-61143d2df37b •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3062 – Save as PDF by Pdfcrowd < 3.2.2 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-3062
15 May 2025 — The Save as Image Plugin by Pdfcrowd WordPress plugin before 3.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) • https://wpscan.com/vulnerability/1526985d-2f8f-4b2a-97f3-633c51d024b8 •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2869 – Easy Property Listings <= 3.5.3 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-2869
15 May 2025 — The Easy Property Listings WordPress plugin before 3.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) • https://wpscan.com/vulnerability/4093c12e-f62b-4357-8893-649cd2aaeace •