Vulnerabilities > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-01-25 | CVE-2024-12817 | The Etsy Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'product_link' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
| 2025-01-25 | CVE-2024-12826 | The GoHero Store Customizer for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooh_action_settings_save_frontend() function in all versions up to, and including, 3.5. | 4.3 |
| 2025-01-25 | CVE-2024-12885 | The Connections Business Directory plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation when deleting a connections image directory in all versions up to, and including, 10.4.66. | 6.5 |
| 2025-01-25 | CVE-2024-13368 | Missing Authorization vulnerability in Kainelabs Youzify The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the youzify_offer_banner() function in all versions up to, and including, 1.3.2. | 4.3 |
| 2025-01-25 | CVE-2024-13370 | Missing Authorization vulnerability in Kainelabs Youzify The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the save_addon_key_license() function in all versions up to, and including, 1.3.2. | 6.5 |
| 2025-01-25 | CVE-2024-13441 | Cross-site Scripting vulnerability in Ylefebvre Bilingual Linker The Bilingual Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bl_otherlang_link_1 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. | 5.4 |
| 2025-01-25 | CVE-2024-13458 | Cross-site Scripting vulnerability in Notice FAQ The WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
| 2025-01-25 | CVE-2024-13467 | Cross-site Scripting vulnerability in Mr-Kalathiya WP Contect Form7 Email Spam Blocker The WP Contact Form7 Email Spam Blocker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. | 6.1 |
| 2025-01-25 | CVE-2024-13548 | Cross-site Scripting vulnerability in Wppug Power UPS for Elementor The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
| 2025-01-25 | CVE-2024-13550 | Path Traversal vulnerability in Paulrosen ABC Notation The ABC Notation plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.1.3 via the 'file' attribute of the 'abcjs' shortcode. | 6.5 |