CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2347 – Astra <= 4.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name
https://notcve.org/view.php?id=CVE-2024-2347
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El tema de Astra para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del nombre para mostrar de un usuario en todas las versiones hasta la 4.6.8 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://themes.trac.wordpress.org/changeset/221725/astra https://www.wordfence.com/threat-intel/vulnerabilities/id/ed914e67-4cf7-49b1-96be-ed8c604e6dce?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49830 – WordPress Astra Pro Plugin <= 4.3.1 is vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2023-49830
Improper Control of Generation of Code ('Code Injection') vulnerability in Brainstorm Force Astra Pro.This issue affects Astra Pro: from n/a through 4.3.1. Vulnerabilidad de control inadecuado de generación de código ("inyección de código") en Brainstorm Force Astra Pro. Este problema afecta a Astra Pro: desde n/a hasta 4.3.1. The Astra Pro Addon plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.3.1 via the ast-advanced-hook-php-code meta field. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/astra-addon/wordpress-astra-pro-plugin-4-3-1-contributor-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24507 – Astra Pro Addon < 3.5.2 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24507
The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX action (available to both unauthenticated and authenticated user) before using them in SQL statement, leading to an SQL Injection issues El plugin Astra Pro Addon WordPress versiones anteriores a 3.5.2, no saneaba o escapaba apropiadamente algunos de los parámetros POST de las acciones AJAX astra_pagination_infinite y astra_shop_pagination_infinite (disponibles tanto para usuarios no autenticados como autenticados) antes de usarlos en una sentencia SQL, conllevando a un problema de inyección SQL • https://github.com/RandomRobbieBF/CVE-2021-24507 https://wpastra.com/changelog/astra-pro-addon https://wpscan.com/vulnerability/a1a0dc0b-c351-4d46-ac9b-b297ce4d251c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •