Vulnerabilities > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-07-11 CVE-2024-6256 Cross-site Scripting vulnerability in Smashballoon Feeds for Youtube
The Feeds for YouTube (YouTube video, channel, and gallery plugin) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'youtube-feed' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes.
network
low complexity
smashballoon CWE-79
5.4
2024-07-11 CVE-2024-4655 Cross-site Scripting vulnerability in Dotcamp Ultimate Blocks
The Ultimate Blocks WordPress plugin before 3.1.9 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
network
low complexity
dotcamp CWE-79
5.4
2024-07-11 CVE-2024-5444 Cross-site Scripting vulnerability in Bible Text Project Bible Text
The Bible Text WordPress plugin through 0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
network
low complexity
bible-text-project CWE-79
5.4
2024-07-11 CVE-2024-6025 Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master
The Quiz and Survey Master (QSM) WordPress plugin before 9.0.5 does not sanitise and escape some of its Quiz settings, which could allow contributors and higher to perform Stored Cross-Site Scripting attacks.
network
low complexity
expresstech CWE-79
5.4
2024-07-11 CVE-2024-6026 Cross-site Scripting vulnerability in 10Web Slider
The Slider by 10Web WordPress plugin before 1.2.56 does not sanitise and escape some of its Slide options, which could allow authenticated users with access to the Sliders (by default Administrator; however, this can be changed via the plugin's options) and the ability to add images (Editor+) to perform Stored Cross-Site Scripting attacks.
network
low complexity
10web CWE-79
5.4
2024-07-11 CVE-2024-6138 Cross-site Scripting vulnerability in Ays-Pro Secure Copy Content Protection and Content Locking
The Secure Copy Content Protection and Content Locking WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
network
low complexity
ays-pro CWE-79
4.8
2024-07-11 CVE-2024-0619 Missing Authorization vulnerability in Payflex Payment Gateway
The Payflex Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the payment_callback() function in all versions up to, and including, 2.5.0.
network
low complexity
payflex CWE-862
5.3
2024-07-11 CVE-2024-6554 Unspecified vulnerability in Wpmudev Branda
The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18.
network
low complexity
wpmudev
5.3
2024-07-11 CVE-2024-6210 The Duplicator plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 1.5.9.
network
low complexity
5.3
2024-07-10 CVE-2024-39511 An Improper Input Validation vulnerability in the 802.1X Authentication (dot1x) Daemon of Juniper Networks Junos OS allows a local, low-privileged attacker with access to the CLI to cause a Denial of Service (DoS). On running a specific operational dot1x command, the dot1x daemon crashes.
local
low complexity
5.5