Vulnerabilities > Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-12 | CVE-2024-7818 | Cross-site Scripting vulnerability in Michalaugustyniak Misiek Photo Album The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 6.1 |
| 2024-09-12 | CVE-2024-7822 | Cross-site Scripting vulnerability in Gwycon Quick Code The Quick Code WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 6.1 |
| 2024-09-12 | CVE-2024-7860 | Cross-site Scripting vulnerability in Outtolunchproductions Simple Headline Rotator The Simple Headline Rotator WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 6.1 |
| 2024-09-12 | CVE-2024-7861 | Cross-site Scripting vulnerability in Michalaugustyniak Misiek Paypal The Misiek Paypal WordPress plugin through 1.1.20090324 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 6.1 |
| 2024-09-12 | CVE-2024-8054 | Cross-site Scripting vulnerability in Mm-Breaking News Project Mm-Breaking News The MM-Breaking News WordPress plugin through 0.7.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 6.1 |
| 2024-09-12 | CVE-2024-8056 | Cross-site Scripting vulnerability in Mm-Breaking News Project Mm-Breaking News The MM-Breaking News WordPress plugin through 0.7.9 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | 6.1 |
| 2024-09-12 | CVE-2024-8708 | Cross-site Scripting vulnerability in Mayurik Best House Rental Management System 1.0 A vulnerability was found in SourceCodester Best House Rental Management System 1.0. | 6.1 |
| 2024-09-11 | CVE-2024-44851 | Cross-site Scripting vulnerability in Perfexcrm Perfex CRM 1.1.0 A stored cross-site scripting (XSS) vulnerability in the Discussion section of Perfex CRM v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content parameter. | 5.4 |
| 2024-09-11 | CVE-2024-43793 | Cross-site Scripting vulnerability in Halo Halo is an open source website building tool. | 6.4 |
| 2024-09-11 | CVE-2024-5416 | Cross-site Scripting vulnerability in Elementor Website Builder The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |