Vulnerabilities > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-21 | CVE-2024-4616 | Cross-site Scripting vulnerability in Devnath Verma Widget Bundle 2.0.0 The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users | 6.1 |
| 2024-06-21 | CVE-2024-4755 | Cross-site Scripting vulnerability in Erikeng Google CSE 1.0.7 The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
| 2024-06-21 | CVE-2024-4969 | Cross-Site Request Forgery (CSRF) vulnerability in Devnath Verma Widget Bundle The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack | 4.3 |
| 2024-06-21 | CVE-2024-4970 | Cross-site Scripting vulnerability in Devnath Verma Widget Bundle The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
| 2024-06-21 | CVE-2024-5447 | Cross-site Scripting vulnerability in Mohsinrasool Paypal PAY Now, BUY Now, Donation and Cart Buttons Shortcode The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
| 2024-06-21 | CVE-2024-5448 | Cross-site Scripting vulnerability in Mohsinrasool Paypal PAY Now, BUY Now, Donation and Cart Buttons Shortcode The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | 5.4 |
| 2024-06-21 | CVE-2024-3961 | Missing Authorization vulnerability in Convertkit - Email Marketing, Email Newsletter and Landing Pages The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. | 5.3 |
| 2024-06-21 | CVE-2024-1639 | Incorrect Authorization vulnerability in Wpexperts License Manager for Woocommerce The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. | 6.5 |
| 2024-06-21 | CVE-2024-1955 | Missing Authorization vulnerability in Wprepublic Hide Dashboard Notifications The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. | 4.3 |
| 2024-06-21 | CVE-2024-3610 | Missing Authorization vulnerability in Wensolutions WP Child Theme Generator The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. | 5.3 |