CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10554 – WP-Advanced-Search < 3.3.9.3 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-10554
03 Mar 2025 — The WordPress WP-Advanced-Search WordPress plugin before 3.3.9.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.9.2 due to insufficient input sanitization and ... • https://wpscan.com/vulnerability/7c15b082-caa5-4cf2-9986-2eb519dcb7c5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 74%CPEs: 1EXPL: 5CVE-2024-9796 – WP-Advanced-Search < 3.3.9.2 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-9796
17 Sep 2024 — The WP-Advanced-Search WordPress plugin before 3.3.9.2 does not sanitize and escape the t parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks El complemento WP-Advanced-Search para WordPress anterior a la versión 3.3.9.2 no desinfecta ni escapa el parámetro t antes de usarlo en una declaración SQL, lo que permite que usuarios no autenticados realicen ataques de inyección SQL. The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to SQL ... • https://github.com/RandomRobbieBF/CVE-2024-9796 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •