CyberAlerts

CVE-2024-13602

Description: The Poll Maker WordPress plugin before 5.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.03%

Source: CVE

March 16th, 2025 (3 months ago)

CVE-2024-13126

Download Manager < 3.3.07 - Unauthenticated Data Exposure

Description: The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use htaccess, allowing unauthorized access of files.

EPSS Score: 1.17%

Source: CVE

March 16th, 2025 (3 months ago)

CVE-2024-3368

All in One SEO < 4.6.1.1 - Contributor+ Stored XSS

Description: The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

EPSS Score: 0.15%

SSVC Exploitation: poc

Source: CVE

March 14th, 2025 (3 months ago)

CVE-2024-6517

Contact Form 7 Math Captcha <= 2.0.1 - Reflected XSS

Description: The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users.

EPSS Score: 2.61%

SSVC Exploitation: poc

Source: CVE

March 14th, 2025 (3 months ago)

CVE-2024-6230

Pardakht Delkhah <= 2.9.8 - Form Fields Reset via CSRF

Description: The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 does not have CSRF check in place when resetting its form fields, which could allow attackers to make a logged in admin perform such action via a CSRF attack

EPSS Score: 0.13%

SSVC Exploitation: none

Source: CVE

March 14th, 2025 (3 months ago)

CVE-2024-5003

WP Stacker <= 1.8.5 - Stored XSS via CSRF

Description: The WP Stacker WordPress plugin through 1.8.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

EPSS Score: 0.08%

SSVC Exploitation: poc

Source: CVE

March 14th, 2025 (3 months ago)

CVE-2024-3939

Ditty < 3.1.36 - Author+ Stored XSS

Description: The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

EPSS Score: 0.25%

SSVC Exploitation: none

Source: CVE

March 14th, 2025 (3 months ago)

CVE-2024-3937

Playlist for Youtube <= 1.32 - Editor+ Stored XSS

Description: The Playlist for Youtube WordPress plugin through 1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

EPSS Score: 0.14%

SSVC Exploitation: none

Source: CVE

March 14th, 2025 (3 months ago)

CVE-2024-3475

Sticky Buttons < 3.2.4 - Button Deletion via CSRF

Description: The Sticky Buttons WordPress plugin before 3.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks

EPSS Score: 0.3%

SSVC Exploitation: none

Source: CVE

March 14th, 2025 (3 months ago)

CVE-2024-3405

WP Prayer <= 2.0.9 - Settings Update via CSRF

Description: The WP Prayer WordPress plugin through 2.0.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

EPSS Score: 0.2%

SSVC Exploitation: none

Source: CVE

March 14th, 2025 (3 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-13602	Poll Maker < 5.5.4 - Admin+ Stored XSS Description: The Poll Maker WordPress plugin before 5.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). EPSS Score: 0.03% Source: CVE March 16th, 2025 (3 months ago)
CVE-2024-13126	Download Manager < 3.3.07 - Unauthenticated Data Exposure Description: The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use htaccess, allowing unauthorized access of files. EPSS Score: 1.17% Source: CVE March 16th, 2025 (3 months ago)
CVE-2024-3368	All in One SEO < 4.6.1.1 - Contributor+ Stored XSS Description: The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks EPSS Score: 0.15% SSVC Exploitation: poc Source: CVE March 14th, 2025 (3 months ago)
CVE-2024-6517	Contact Form 7 Math Captcha <= 2.0.1 - Reflected XSS Description: The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users. EPSS Score: 2.61% SSVC Exploitation: poc Source: CVE March 14th, 2025 (3 months ago)
CVE-2024-6230	Pardakht Delkhah <= 2.9.8 - Form Fields Reset via CSRF Description: The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 does not have CSRF check in place when resetting its form fields, which could allow attackers to make a logged in admin perform such action via a CSRF attack EPSS Score: 0.13% SSVC Exploitation: none Source: CVE March 14th, 2025 (3 months ago)
CVE-2024-5003	WP Stacker <= 1.8.5 - Stored XSS via CSRF Description: The WP Stacker WordPress plugin through 1.8.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack EPSS Score: 0.08% SSVC Exploitation: poc Source: CVE March 14th, 2025 (3 months ago)
CVE-2024-3939	Ditty < 3.1.36 - Author+ Stored XSS Description: The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) EPSS Score: 0.25% SSVC Exploitation: none Source: CVE March 14th, 2025 (3 months ago)
CVE-2024-3937	Playlist for Youtube <= 1.32 - Editor+ Stored XSS Description: The Playlist for Youtube WordPress plugin through 1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) EPSS Score: 0.14% SSVC Exploitation: none Source: CVE March 14th, 2025 (3 months ago)
CVE-2024-3475	Sticky Buttons < 3.2.4 - Button Deletion via CSRF Description: The Sticky Buttons WordPress plugin before 3.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks EPSS Score: 0.3% SSVC Exploitation: none Source: CVE March 14th, 2025 (3 months ago)
CVE-2024-3405	WP Prayer <= 2.0.9 - Settings Update via CSRF Description: The WP Prayer WordPress plugin through 2.0.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack EPSS Score: 0.2% SSVC Exploitation: none Source: CVE March 14th, 2025 (3 months ago)