Vulnerabilities
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-12 | CVE-2024-8622 | Cross-site Scripting vulnerability in Amcharts Amcharts: Charts and Maps The amCharts: Charts and Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'amcharts_javascript' parameter in all versions up to, and including, 1.4.4 due to the ability to supply arbitrary JavaScript a lack of nonce validation on the preview functionality. | 6.1 |
| 2024-09-12 | CVE-2024-3163 | Cross-Site Request Forgery (CSRF) vulnerability in Realestateconnected Easy Property Listings The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack | 4.3 |
| 2024-09-12 | CVE-2024-5799 | Cross-site Scripting vulnerability in Cminds CM Popup The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks. | 4.8 |
| 2024-09-12 | CVE-2024-6017 | Cross-Site Request Forgery (CSRF) vulnerability in Scriptonite Music Request Manager The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | 6.1 |
| 2024-09-12 | CVE-2024-6018 | Cross-site Scripting vulnerability in Scriptonite Music Request Manager The Music Request Manager WordPress plugin through 1.3 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | 6.1 |
| 2024-09-12 | CVE-2024-6019 | Cross-site Scripting vulnerability in Scriptonite Music Request Manager The Music Request Manager WordPress plugin through 1.3 does not sanitise and escape incoming music requests, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators | 6.1 |
| 2024-09-12 | CVE-2024-6887 | Cross-site Scripting vulnerability in Seedprod Rafflepress The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
| 2024-09-12 | CVE-2024-7766 | SQL Injection vulnerability in Erichamby Adicon Server The Adicon Server WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks | 7.2 |
| 2024-09-12 | CVE-2024-7816 | Cross-site Scripting vulnerability in Adeelraza Gixaw Chat The Gixaw Chat WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 6.1 |
| 2024-09-12 | CVE-2024-7817 | Cross-Site Request Forgery (CSRF) vulnerability in Michalaugustyniak Misiek Photo Album The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF checks in some places, which could allow attackers to make logged in users delete arbitrary albums via a CSRF attack | 6.5 |