In The Ninja Forms – The Contact Form Builder That Grows With You WordPress plugin versions up to and including 3.8.22 a medium severity vulnerability CVE-2024-12238 was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes due to improper validation of values before running the `do_shortcode` function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12238.
Read more CMS
In DN Shipping by Weight for WooCommerce WordPress plugin before version 1.2 a medium severity vulnerability CVE-2024-11842 was detected. This vulnerability allows attackers to change plugin settings via a Cross-Site Request Forgery (CSRF) attack, exploiting the lack of a CSRF check. To address this issue, users should upgrade to version 1.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11842.
Read more CMS
In Jetpack WordPress plugin versions 13.x before 14.1 a medium severity vulnerability CVE-2024-10858 was detected. This vulnerability allows attackers to exploit improper origin checks in the `postMessage` function, leading to DOM-based Cross-Site Scripting (XSS) attacks. To address this issue, users should upgrade to version 14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10858.
Read more CMS
In wp-publications WordPress plugin versions 1.2 and prior a low severity vulnerability CVE-2024-11605 was detected. This vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks by exploiting unescaped filenames, even when the unfiltered_html capability is disallowed (e.g., in a multisite setup). No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11605.
Read more CMS
In GiveWP WordPress plugin versions before 3.19.0 a high severity vulnerability CVE-2024-11921 was detected. This vulnerability allows attackers to execute Reflected Cross-Site Scripting (XSS) attacks by exploiting an unsanitized parameter, potentially targeting high-privilege users such as administrators. To address this issue, users should upgrade to version 3.19.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11921.
Read more CMS
In WP-SVG WordPress plugin versions 0.9 and prior a medium severity vulnerability CVE-2024-11644 was detected. This vulnerability allows users with the contributor role and above to perform Stored Cross-Site Scripting (XSS) attacks by exploiting unvalidated and unescaped shortcode attributes. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11644.
Read more CMS
In float block WordPress plugin versions 1.7 and prior a low severity vulnerability CVE-2024-11645 was detected. This vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks by exploiting unsanitized and unescaped settings, even when the unfiltered_html capability is disallowed (e.g., in a multisite setup). No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11645.
Read more CMS
In the Calculated Fields Form plugin for WordPress versions 5.2.63 and prior a medium severity vulnerability CVE-2024-12601 was detected. This vulnerability allows attackers to overload server resources by sending multiple requests with excessively large CAPTCHA image dimensions, leading to potential denial of service. To fix this issue, users should upgrade Calculated Fields Form plugin for WordPress to version 5.2.64 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-12601.
Read more CMS
In Liferay Portal versions starting from 7.0.0 through 7.4.3.87 and Liferay DXP versions starting from 7.4 GA through update 87, 7.3 GA through update 29 a medium severity vulnerability CVE-2024-37940 was detected. This vulnerability allows attackers to inject arbitrary web scripts or HTML into the Service Class text field in Liferay Portal and Liferay DXP, potentially leading to cross-site scripting attacks. To fix this issue, users should upgrade Liferay Portal to version 7.4.3.88 and Liferay DXP to versions 2023.Q3.1, 7.4 update 88, 7.3 update 30. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-37940.
Read more CMS