
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in CLUEVO CLUEVO LMS, E-Learning Platform plugin <= 1.10.0 versions.

The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.0. This is due to missing nonce validation on the save_settings() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

• https://patchstack.com/database/vulnerability/cluevo-lms/wordpress-cluevo-lms-plugin-1-10-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

The CLUEVO E-Learning Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping in the Course's module. This makes it possible for high privilege attackers, even when the unfiltered_html capability is disallowed, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://wpscan.com/vulnerability/723d0d07-c48b-4fe3-9fb2-7dae3c7d3cfb
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')