Vulnerabilities > Medium

| Date | CVE | Title | Description | Attack vector | Complexity | Vendor | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2024-06-29 | CVE-2023-4017 | | The Goya theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'attra-color', 'attra-size', and 'product-cata' parameters in versions up to, and including, 1.0.8.7 due to insufficient input sanitization and output escaping. | network | low | | | 6.1 |
| 2024-06-29 | CVE-2024-5819 | | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 3.2.45 due to insufficient input sanitization and output escaping on user supplied attributes. | network | low | | | 6.4 |
| 2024-06-29 | CVE-2024-5666 | Cross-site Scripting vulnerability in Idioweb Extensions for Elementor | The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. | network | low | idioweb | CWE-79 | 5.4 |
| 2024-06-29 | CVE-2024-5790 | Cross-site Scripting vulnerability in Wedevs Happy Addons for Elementor | The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. | network | low | wedevs | CWE-79 | 5.4 |
| 2024-06-29 | CVE-2024-6363 | Cross-site Scripting vulnerability in Urosevic Stock Ticker | The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock_ticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. | network | low | urosevic | CWE-79 | 5.4 |
| 2024-06-29 | CVE-2024-5192 | Cross-site Scripting vulnerability in Funnelkit Funnel Builder | The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mimes' parameter in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping. | network | low | funnelkit | CWE-79 | 5.4 |
| 2024-06-29 | CVE-2024-5889 | Cross-site Scripting vulnerability in Pixelite Events Manager | The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'country' parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. | network | low | pixelite | CWE-79 | 6.1 |
| 2024-06-29 | CVE-2024-5942 | Authorization Bypass Through User-Controlled Key vulnerability in Carlosfazenda Page and Post Clone | The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. | network | low | carlosfazenda | CWE-639 | 5.4 |
| 2024-06-29 | CVE-2024-6405 | Cross-Site Request Forgery (CSRF) vulnerability in Varniinfotech Floating Social Buttons | The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. | network | low | varniinfotech | CWE-352 | 5.4 |
| 2024-06-28 | CVE-2024-25031 | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Storage Defender 2.0.0/2.0.4 | IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 uses an inadequate account lockout setting that could allow an attacker on the network to brute force account credentials. | | low | ibm | CWE-307 | 6.5 |