Vulnerabilities > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-14 | CVE-2024-3971 | Cross-Site Request Forgery (CSRF) vulnerability in Davidjmiller Similarity 3.0. The Similarity WordPress plugin through 3.0 does not have a CSRF check in place when resetting its settings, which could allow attackers to make a logged-in admin reset them via a CSRF attack. | 4.3 |
| 2024-06-14 | CVE-2024-3972 | Cross-Site Request Forgery (CSRF) vulnerability in Davidjmiller Similarity 3.0. The Similarity WordPress plugin through 3.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. | 4.3 |
| 2024-06-14 | CVE-2024-3977 | Cross-site Scripting vulnerability in Andrewabarber Wordpress Jitsi Shortcode. The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | 4.8 |
| 2024-06-14 | CVE-2024-3978 | Cross-site Scripting vulnerability in Andrewabarber Wordpress Jitsi Shortcode. The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
| 2024-06-14 | CVE-2024-3992 | Cross-site Scripting vulnerability in Joshua Vandercar Amen. The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | 4.8 |
| 2024-06-14 | CVE-2024-4005 | Cross-site Scripting vulnerability in Social Pixel Social Pixel. The Social Pixel WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | 4.8 |
| 2024-06-14 | CVE-2024-4270 | Cross-site Scripting vulnerability in Andibauer Svgmagic 1.1. The SVGMagic WordPress plugin through 1.1 does not sanitize SVG file contents, which enables users with at least the author role to upload SVG files with malicious JavaScript to conduct Stored XSS attacks. | 5.4 |
| 2024-06-14 | CVE-2024-4751 | Cross-Site Request Forgery (CSRF) vulnerability in Goprayer WP Prayer. The WP Prayer II WordPress plugin through 2.4.7 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. | 4.3 |
| 2024-06-14 | CVE-2023-6492 | The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. Attack vector: network; attack complexity: low. | 4.3 |
| 2024-06-14 | CVE-2024-0892 | The Schema App Structured Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. Attack vector: network; attack complexity: low. | 4.3 |