GCVE - cpe:2.3:a:smub:sydney_toolbox:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:smub:sydney_toolbox:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Smub (`de95b648-5e6e-5830-888e-6dff235e28e3`)
Product	Sydney Toolbox (`4a885903-8375-50a5-8e8a-ae0b9a62873b`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-4473`	vulnerable	2026-06-03 14:57:15.539276	Sydney Toolbox <= 1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via aThemes: Portfolio Widget MEDIUM (6.4) The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "aThemes: Portfolio" widget in all versions up to, and including, 1.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2024-05-14T12:49:59.513Z Updated: 2026-04-08T16:56:42.376Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/60f16abd-951b-48a0-a363-0221f7e0957d?source=cve https://plugins.trac.wordpress.org/changeset/3082233/sydney-toolbox	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-4036`	vulnerable	2026-06-03 14:57:14.588640	Sydney Toolbox <= 1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting MEDIUM (6.4) The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the style parameter in all versions up to, and including, 1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2024-05-02T16:52:36.724Z Updated: 2026-04-08T17:21:18.130Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/c6d5275d-43d0-41f6-96c7-e7646eac4534?source=cve https://plugins.trac.wordpress.org/browser/sydney-toolbox/trunk/inc/elementor/block-employee.php#L346 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3075394%40sydney-toolbox%2Ftrunk&old=3064481%40sydney-toolbox%2Ftrunk&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-3208`	vulnerable	2026-06-03 14:56:23.704108	Sydney Toolbox <= 1.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery MEDIUM (6.4) The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 1.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2024-04-09T18:59:22.788Z Updated: 2026-04-08T17:23:55.669Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/ccf4554e-4b34-46b0-b423-5cee7150e6c2?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3063343%40sydney-toolbox&new=3063343%40sydney-toolbox&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-2936`	vulnerable	2026-06-03 14:55:36.562472	Sydney Toolbox <= 1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via _id MEDIUM (6.4) The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute of widgets in all versions up to, and including, 1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2024-03-29T05:35:32.721Z Updated: 2026-04-08T16:34:49.212Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/0b20d638-82cb-48ce-96fa-fd42d06f649f?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3059286%40sydney-toolbox&new=3059286%40sydney-toolbox&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-1447`	vulnerable	2026-06-03 14:54:26.946169	Sydney Toolbox <= 1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting MEDIUM (6.4) The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aThemes Slider button element in all versions up to, and including, 1.25 due to insufficient input sanitization and output escaping on user supplied link. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2024-02-20T18:56:20.239Z Updated: 2026-04-08T16:36:22.104Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/1227f3bc-0bb3-4b80-ad69-2d4314fafbe4?source=cve https://plugins.trac.wordpress.org/browser/sydney-toolbox/trunk/inc/elementor/block-slider.php#L679 https://plugins.trac.wordpress.org/browser/sydney-toolbox/trunk/inc/elementor/block-slider.php#L692 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3035233%40sydney-toolbox%2Ftrunk&old=2980978%40sydney-toolbox%2Ftrunk&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.