Vulnerabilities > Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

DATE CVE VULNERABILITY TITLE RISK
2024-01-16 CVE-2023-3647 Cross-site Scripting vulnerability in Indigitall Iurny
The IURNY by INDIGITALL WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
network
low complexity
indigitall CWE-79
4.8
2024-01-16 CVE-2023-4757 Cross-site Scripting vulnerability in Miniorange Staff / Employee Business Directory for Active Directory
The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious JavaScript which could be used against high-privilege users such as a site admin.
network
low complexity
miniorange CWE-79
5.4
2024-01-16 CVE-2023-5558 Cross-site Scripting vulnerability in Thimpress Learnpress
The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
network
low complexity
thimpress CWE-79
6.1
2024-01-16 CVE-2023-6046 Cross-site Scripting vulnerability in Myeventon Eventon
The EventON WordPress plugin before 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored HTML Injection attacks even when the unfiltered_html capability is disallowed.
network
low complexity
myeventon CWE-79
4.8
2024-01-16 CVE-2023-6732 Cross-site Scripting vulnerability in Supsystic Ultimate Maps
The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
network
low complexity
supsystic CWE-79
4.8
2024-01-16 CVE-2023-7084 Cross-site Scripting vulnerability in Davidjmiller Voting Record
The Voting Record WordPress plugin through 2.0 is missing sanitisation as well as escaping, which could allow any authenticated user, such as a subscriber, to perform Stored XSS attacks.
network
low complexity
davidjmiller CWE-79
5.4
2024-01-16 CVE-2023-7151 Cross-site Scripting vulnerability in Piwebsolution Product Enquiry for Woocommerce
The Product Enquiry for WooCommerce WordPress plugin before 3.2 does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
network
low complexity
piwebsolution CWE-79
6.1
2024-01-16 CVE-2023-7154 Cross-site Scripting vulnerability in Morehubbub Hubbub Lite
The Hubbub Lite (formerly Grow Social) WordPress plugin before 1.32.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
network
low complexity
morehubbub CWE-79
4.8
2024-01-16 CVE-2024-0187 Cross-site Scripting vulnerability in Peepso
The Community by PeepSo WordPress plugin before 6.3.1.2 does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
network
low complexity
peepso CWE-79
6.1
2024-01-16 CVE-2024-0239 Cross-site Scripting vulnerability in Ari-Soft Contact Form 7 Connector
The Contact Form 7 Connector WordPress plugin before 1.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators.
network
low complexity
ari-soft CWE-79
6.1