
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 8: Critical 1, High 1, Medium 6
Showing 1-8 of 8 records
Threat Entry Updated 2025-06-04

CVE-2024-10076 - Jetpack and Jetpack Boost plugins

The Jetpack WordPress plugin before 13.8 and the Jetpack Boost WordPress plugin before 3.4.8 use regular expressions in their Site Accelerator features to rewrite image URLs to their CDN counterparts. Some of these patterns match input they should not, which ultimately allows users with the Contributor role or above to perform Stored XSS attacks.

MEDIUM CVSS 5.9 2025-05-15
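The bug class this entry describes, a URL-rewriting regex that matches more than intended and re-emits what it captured, as an added PHP illustration. This is constructed for this page and is not Jetpack's code; it makes no claim about the exact pattern Jetpack used. The assumed defect is that the pattern accepts HTML entities inside the attribute value, and the rewrite decodes entities (as code often does to turn `&amp;` back into `&`) before pasting the URL back unescaped. The hardened variant validates the parsed URL against an origin allow-list and escapes on output. `CDN_HOST`, `ORIGIN_HOSTS`, the CDN path layout and the stored content are all assumptions.

```php
<?php
declare(strict_types=1);

// Constructed illustration of the bug class, not Jetpack's code: a Site
// Accelerator-style rewrite that points <img> URLs at a CDN host.
// Assumed names: CDN_HOST, ORIGIN_HOSTS, and the stored content below.
const CDN_HOST = 'cdn.example';
const ORIGIN_HOSTS = ['example.com', 'www.example.com'];

// Pattern shared by both variants: the src value of an <img> ending in an
// image extension. It accepts '&', so entities left in the attribute value by
// a content filter (such as &quot;) are part of the match.
const SRC_PATTERN = '~src="(https?://[^\s"\'>]+\.(?:png|jpe?g|gif))"~i';

// Vulnerable: decode entities to get the "real" URL, swap the host, and paste
// the result back without re-escaping. A decoded quote terminates the attribute.
function rewrite_loose(string $html): string
{
    return preg_replace_callback(SRC_PATTERN, static function (array $m): string {
        $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
        $url = preg_replace('~^https?://[^/]+~i', 'https://' . CDN_HOST, $url);
        return 'src="' . $url . '"';
    }, $html);
}

// Hardened: decode, parse, require http(s) and an allow-listed origin host,
// rebuild the URL from its parts, and escape it for the attribute context on
// the way out. Anything that fails validation is left exactly as found.
function rewrite_strict(string $html): string
{
    return preg_replace_callback(SRC_PATTERN, static function (array $m): string {
        $p = parse_url(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
        if ($p === false
            || !isset($p['scheme'], $p['host'], $p['path'])
            || isset($p['user']) || isset($p['port']) || isset($p['fragment'])
            || !in_array(strtolower($p['scheme']), ['http', 'https'], true)
            || !in_array(strtolower($p['host']), ORIGIN_HOSTS, true)) {
            return $m[0];
        }
        // Assumed CDN layout: https://<cdn>/<origin host><path>?<query>
        $cdn = 'https://' . CDN_HOST . '/' . $p['host'] . $p['path']
             . (isset($p['query']) ? '?' . $p['query'] : '');
        return 'src="' . htmlspecialchars($cdn, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
    }, $html);
}

// Constructed stored content. A kses-style filter allows <img src> and keeps
// the entities, so this is inert until something decodes and re-emits it.
$stored = '<p>Gallery</p>'
        . '<img src="https://example.com/photo&quot;onerror=&quot;alert(1)&quot;.png">';

echo "loose : ", rewrite_loose($stored), "\n";
echo "strict: ", rewrite_strict($stored), "\n";
```

Run with the PHP CLI. In the loose output the decoded quote closes the `src` value and `onerror="alert(1)"` becomes a live attribute; in the strict output the same characters come back out as entities inside the attribute. The allow-list is what makes "matches more than intended" recoverable: a URL that does not parse to an expected origin is left untouched rather than transformed.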
Threat Entry Updated 2025-06-04

CVE-2024-10075 - Jetpack plugin

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is accessible only to authorised users. Rendering such a post executes any shortcodes and blocks in its content, so this could allow unauthenticated users to run arbitrary shortcodes and blocks.

MEDIUM CVSS 5.6 2025-05-15
Threat Entry Updated 2025-05-08

CVE-2024-2310 - WP Google Review Slider plugin

The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 5.9 2024-04-26
Threat Entry Updated 2025-06-11

CVE-2023-6456 - WP Review Slider plugin

The WP Review Slider WordPress plugin before 13.0 does not sanitise and escape some of its settings, which could allow high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2024-01-22
Threat Entry Updated 2024-11-21

CVE-2022-1005 - WP Statistics plugin

The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI value before outputting it back into the rendered page, leading to Reflected Cross-Site Scripting (XSS) in web browsers that do not URL-encode the relevant characters before sending the request.

MEDIUM CVSS 6.1 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-0211 - Shield Security plugin

The Shield Security WordPress plugin before 13.0.6 does not sanitise and escape admin notes, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2022-02-21
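The three settings entries above (CVE-2024-2310, CVE-2023-6456, CVE-2022-0211) and the REQUEST_URI reflection in CVE-2022-1005 share one root cause: a value reaches the HTML page without being escaped for the context it lands in. WordPress core applies its kses filtering (the thing unfiltered_html switches off) to post content and similar fields, not to plugin options or to request data a plugin echoes, so the plugin is responsible for both. The PHP below is an added example, not code from any of these plugins. It renders two constructed admin-supplied settings and a constructed request path, first unescaped and then with sanitisation on save plus context-appropriate escaping on output. `esc()`, `esc_url_attr()` and `sanitize_text()` are stand-ins written here for `esc_html()`/`esc_attr()`, `esc_url()` and `sanitize_text_field()`; the setting names and payloads are constructed.

```php
<?php
declare(strict_types=1);

// Constructed example, not code from any plugin on this page. An admin page
// stores two settings and echoes the request path into a form action.
// Stand-ins for WordPress helpers: esc() for esc_html()/esc_attr(),
// esc_url_attr() for esc_url(), sanitize_text() for sanitize_text_field().

// Constructed values an administrator without unfiltered_html could submit:
// one payload for a text node, one that closes an attribute value.
const SETTINGS = [
    'title'  => 'Reviews <img src=x onerror="alert(document.domain)">',
    'colour' => '#ffffff" autofocus onfocus="alert(1)',
];
// Constructed $_SERVER['REQUEST_URI'] as a browser that does not encode
// these characters would send it.
const REQUEST_URI = '/wp-admin/admin.php?page=stats&x="><script>alert(1)</script>';

// Vulnerable: settings and request path placed into the markup unchanged.
function render_vulnerable(array $s, string $requestUri): string
{
    return '<h2>' . $s['title'] . '</h2>' . "\n"
         . '<input name="colour" value="' . $s['colour'] . '">' . "\n"
         . '<form method="post" action="' . $requestUri . '">';
}

// Output escaping for text and double-quoted attribute contexts.
function esc(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL in an attribute: refuse schemes other than http(s) (javascript:, data:)
// and then escape like any other attribute value.
function esc_url_attr(string $uri): string
{
    $scheme = parse_url($uri, PHP_URL_SCHEME);
    if ($scheme === false) {
        return '';
    }
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return esc($uri);
}

// Sanitisation on save, as defence in depth: drop tags and control characters.
// It cannot replace output escaping, as the 'colour' payload shows: it
// contains no tag, so it survives sanitisation unchanged.
function sanitize_text(string $v): string
{
    $v = strip_tags($v);
    $v = preg_replace('/[\x00-\x1F\x7F]+/', '', $v) ?? $v;
    return trim($v);
}

// Hardened: every value is escaped for the exact context it lands in.
function render_hardened(array $s, string $requestUri): string
{
    return '<h2>' . esc($s['title']) . '</h2>' . "\n"
         . '<input name="colour" value="' . esc($s['colour']) . '">' . "\n"
         . '<form method="post" action="' . esc_url_attr($requestUri) . '">';
}

echo "--- vulnerable ---\n", render_vulnerable(SETTINGS, REQUEST_URI), "\n";
$stored = array_map('sanitize_text', SETTINGS); // what a hardened save handler would store
echo "--- hardened ---\n", render_hardened($stored, REQUEST_URI), "\n";
```

The vulnerable render emits a live `<img onerror>` in the heading, an `onfocus` handler on the input, and a closed-off `action` attribute followed by a script tag. In the hardened render the quotes and angle brackets are entities in every position. The `colour` value is the reason escaping on output is non-negotiable: sanitisation leaves it intact, and only `esc()` at the attribute boundary neutralises it. For the form action, the stronger fix is not to echo REQUEST_URI at all but to build the URL from a known page slug; escaping is the floor, not the ceiling.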
Threat Entry Updated 2024-11-21

CVE-2021-24915 - Contest Gallery plugin

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated users to perform SQL injection attacks and obtain the list of all users registered on the blog, including their usernames and email addresses.

CRITICAL CVSS 9.8 2021-11-29
Threat Entry Updated 2024-11-21

CVE-2021-24340 - WP Statistics plugin

The WP Statistics WordPress plugin before 13.0.8 relied on the WordPress esc_sql() function to protect a field that is not delimited by quotes and did not prepare the query first. esc_sql() only escapes the characters that would terminate a quoted string literal, so it offers no protection for an unquoted value and the query remained open to SQL injection. Additionally, the page, which should have been accessible to administrators only, was also available to any visitor, including unauthenticated ones.

HIGH CVSS 7.5 2021-06-07
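The two SQL injection entries above, esc_sql() on an unquoted field in CVE-2021-24340 and the capability-free search parameter of CVE-2021-24915, both come down to concatenating request data into SQL. The following PHP is an added example, not code from WP Statistics or Contest Gallery. It uses an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed) so it runs outside WordPress: `esc_sql_model()` reproduces what esc_sql() does, escaping only string-literal terminators; PDO prepared statements stand in for `$wpdb->prepare()`; the `$canManage` flag stands in for `current_user_can()`. The table, rows and payloads are constructed.

```php
<?php
declare(strict_types=1);

// Constructed example, not code from WP Statistics or Contest Gallery. Needs
// the pdo_sqlite extension. PDO prepared statements stand in for
// $wpdb->prepare(); esc_sql_model() stands in for esc_sql().

// MySQL-style escaping as esc_sql() performs via mysqli_real_escape_string():
// only characters that could end a quoted string literal are touched.
function esc_sql_model(string $value): string
{
    return strtr($value, [
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
    ]);
}

function seed(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)');
    $ins = $db->prepare('INSERT INTO users (id, user_login, user_email) VALUES (?, ?, ?)');
    // Constructed rows.
    foreach ([[1, 'admin', 'admin@example.com'], [2, 'editor', 'editor@example.com'],
              [3, 'alice', 'alice@example.com']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Vulnerable: numeric field built by concatenation. The escaper is a no-op on
// a payload with no quote characters, so the injected clause runs as written.
function user_by_id_vulnerable(PDO $db, string $id): array
{
    $sql = 'SELECT user_login FROM users WHERE id = ' . esc_sql_model($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: a bound integer parameter. With $wpdb this is prepare() with %d.
function user_by_id_fixed(PDO $db, string $id): array
{
    $st = $db->prepare('SELECT user_login FROM users WHERE id = ?');
    $st->bindValue(1, (int) $id, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Vulnerable: a search term dropped into a quoted LIKE pattern with no
// escaping and no capability check, so anyone can dump every account.
function export_users_vulnerable(PDO $db, string $search): array
{
    $sql = "SELECT user_login, user_email FROM users WHERE user_login LIKE '%" . $search . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: authorisation first, then a bound parameter. In WordPress the guard is
// current_user_can('manage_options') (or a finer capability) and the query is
// $wpdb->prepare("... LIKE %s", '%' . $wpdb->esc_like($search) . '%').
function export_users_fixed(PDO $db, string $search, bool $canManage): array
{
    if (!$canManage) {
        throw new RuntimeException('forbidden');
    }
    // Escape LIKE wildcards so a user-supplied % or _ cannot widen the match.
    $pattern = '%' . addcslashes($search, '%_\\') . '%';
    $st = $db->prepare("SELECT user_login, user_email FROM users WHERE user_login LIKE ? ESCAPE '\\'");
    $st->execute([$pattern]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

$db = seed();
// Constructed payloads: one for the unquoted numeric field, one for the quoted string.
printf("vulnerable id  : %s\n", implode(',', user_by_id_vulnerable($db, '1 OR 1=1')));
printf("fixed id       : %s\n", implode(',', user_by_id_fixed($db, '1 OR 1=1')));
printf("vulnerable dump: %d rows\n", count(export_users_vulnerable($db, "' OR '1'='1")));
printf("fixed search   : %d rows\n", count(export_users_fixed($db, "' OR '1'='1", true)));
```

With the `1 OR 1=1` payload, `user_by_id_vulnerable()` returns all three logins even though the value went through the escaper, because it contains nothing the escaper acts on; `user_by_id_fixed()` binds an integer and returns only `admin`. `export_users_vulnerable()` hands back every login and email address for the `' OR '1'='1` search, which is the disclosure the Contest Gallery entry describes, while `export_users_fixed()` refuses callers without the capability and, for an authorised caller, treats the same string as a literal search term that matches no row.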