Vulnerabilities > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-12 | CVE-2024-3163 | Cross-Site Request Forgery (CSRF) vulnerability in Realestateconnected Easy Property Listings The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack | 4.3 |
| 2024-09-12 | CVE-2024-5799 | Cross-site Scripting vulnerability in Cminds CM Popup The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks. | 4.8 |
| 2024-09-12 | CVE-2024-6017 | Cross-Site Request Forgery (CSRF) vulnerability in Scriptonite Music Request Manager The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | 6.1 |
| 2024-09-12 | CVE-2024-6018 | Cross-site Scripting vulnerability in Scriptonite Music Request Manager The Music Request Manager WordPress plugin through 1.3 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | 6.1 |
| 2024-09-12 | CVE-2024-6019 | Cross-site Scripting vulnerability in Scriptonite Music Request Manager The Music Request Manager WordPress plugin through 1.3 does not sanitise and escape incoming music requests, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators | 6.1 |
| 2024-09-12 | CVE-2024-6887 | Cross-site Scripting vulnerability in Seedprod Rafflepress The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
| 2024-09-12 | CVE-2024-7816 | Cross-site Scripting vulnerability in Adeelraza Gixaw Chat The Gixaw Chat WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 6.1 |
| 2024-09-12 | CVE-2024-7817 | Cross-Site Request Forgery (CSRF) vulnerability in Michalaugustyniak Misiek Photo Album The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF checks in some places, which could allow attackers to make logged in users delete arbitrary albums via a CSRF attack | 6.5 |
| 2024-09-12 | CVE-2024-7818 | Cross-site Scripting vulnerability in Michalaugustyniak Misiek Photo Album The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | 6.1 |
| 2024-09-12 | CVE-2024-7820 | Cross-Site Request Forgery (CSRF) vulnerability in Elliot ILC Thickbox The ILC Thickbox WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 6.5 |