CVE-2024-10104 – Jobs for WordPress < 2.7.8 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-10104
The Jobs for WordPress plugin before 2.7.8 does not sanitise and escape some of its Job settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks. • https://wpscan.com/vulnerability/f0a9c8ae-f2cf-4322-8216-4778b0e37a48
CVE-2024-9186 – Automation By Autonami < 3.3.0 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2024-9186
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks. • https://wpscan.com/vulnerability/fab29b59-7e87-4289-88dd-ed5520260c26
CVE-2024-10146 – Simple File List < 6.1.13 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-10146
The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to Reflected Cross-Site Scripting, which could be used against admins. • https://wpscan.com/vulnerability/9ee74a0f-83ff-4c15-a114-f8f6baab8bf5
CVE-2024-9836 – RSS Feed Widget < 3.0.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-9836
The RSS Feed Widget WordPress plugin before 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. • https://wpscan.com/vulnerability/f87af54e-3e58-4c29-8a30-e7d52234c9d4
CVE-2024-9835 – RSS Feed Widget < 3.0.1 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-9835
The RSS Feed Widget WordPress plugin before 3.0.1 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. • https://wpscan.com/vulnerability/0277b060-805d-4b85-b5a4-fa93a731cd8d