In WooCommerce Support Ticket System plugin for WordPress, versions 17.8 and prior a medium severity vulnerability CVE-2024-13775 was detected. This allows attackers with Subscriber-level access or higher to delete posts and access user data. To address this issue, users should upgrade WooCommerce Support Ticket System plugin to version 17.9 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-13775.
Read more E-commerceIn Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress versions 2.3.5 and prior a medium severity vulnerability CVE-2024-13798 was detected. This vulnerability allows unauthenticated attackers to create new orders for products and mark them as paid without completing a payment due to insufficient verification on form fields. To address this issue, users should upgrade Post Grid and Gutenberg Blocks – ComboBlocks plugin to version 2.3.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13798.
Read more CMSIn Rife Elementor Extensions & Templates plugin for WordPress versions 1.2.5 and prior a medium severity vulnerability CVE-2024-13564 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the Writing Effect Headline shortcode, enabling them to inject arbitrary web scripts that execute when users access an affected page due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Rife Elementor Extensions & Templates plugin to version 2.38.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13564.
Read more CMSIn IP2Location Country Blocker plugin for WordPress versions 2.38.8 and prior a medium severity vulnerability CVE-2025-1361 was detected. This vulnerability allows unauthenticated attackers to access and view the plugin’s settings due to missing capability checks on the admin_init() function. To address this issue, users should upgrade IP2Location Country Blocker plugin to version 2.38.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1361.
Read more CMSIn Maps for WP plugin for WordPress versions 1.2.4 and prior a medium severity vulnerability CVE-2024-13648 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘MapOnePoint’ shortcode due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts that execute whenever a user accesses an affected page. To address this issue, users should upgrade Maps for WP plugin to version 1.2.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13648.
Read more CMS Newsflash Business and Enterprise SolutionsIn Ziggeo plugin for WordPress versions 3.1 and prior a medium severity vulnerability CVE-2024-12452 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘ziggeo_event’ shortcode, enabling them to inject arbitrary web scripts that execute whenever a user accesses an affected page due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Ziggeo plugin to version 3.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12452.
Read more CMS Newsflash Business and Enterprise SolutionsIn Ajax Search Lite plugin for WordPress versions prior to 4.12.5 a medium severity vulnerability CVE-2024-13585 was detected. This vulnerability allows high-privilege users, such as administrators, to exploit Stored Cross-Site Scripting (XSS) due to improper sanitization and escaping of certain settings. This can be exploited even when the unfiltered_html capability is disallowed, such as in a multisite setup. Currently, there is no fix version for that issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13585.
In igumbi Online Booking plugin for WordPress versions 1.40 and prior a medium severity vulnerability CVE-2024-13455 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘igumbi_calendar’ shortcode by injecting arbitrary web scripts that execute whenever a user accesses an affected page due to insufficient input sanitization and output escaping. To address this issue, users should upgrade igumbi Online Booking plugin to version 1.41. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13455.
Read more CMS Newsflash Business and Enterprise SolutionsIn WP-Appbox plugin for WordPress versions 4.5. and prior a medium severity vulnerability CVE-2025-1489 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the appbox shortcode due to insufficient input sanitization and output escaping. To address this issue, users should upgrade WP-Appbox plugin to version 4.5.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1489.
Read more CMS Newsflash Business and Enterprise Solutions