3 results (0.011 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1

The Event List WordPress plugin before 0.8.8 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfiltered_html is disallowed El plugin Event List de WordPress versiones anteriores a 0.8.8, no sanea ni escapa de algunos de sus parámetros, permitiendo a usuarios muy privilegiados, como los administradores, llevar a cabo ataques de tipo Cross-Site Scripting contra otros administradores, incluso cuando unfiltered_html no esta permitido The Event List WordPress plugin through 0.8.8 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfiltered_html is disallowed • https://wpscan.com/vulnerability/74888a9f-fb75-443d-bb85-0120cbb764a0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The Event List plugin 0.7.9 for WordPress has XSS in the slug array parameter to wp-admin/admin.php in an el_admin_categories delete_bulk action. El plugin Event List en su versión 0.7.9 para WordPress tiene una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el parámetro slug array para wp-admin/admin.php en una acción el_admin_categories delete_bulk. • https://github.com/kevins1022/cve/blob/master/wordpress-event-list.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress allows an authenticated user to execute arbitrary SQL commands via the id parameter to wp-admin/admin.php. Una vulnerabilidad de inyección SQL en el plugin Event List versión 0.7.8 para WordPress, permite a un usuario autenticado ejecutar comandos SQL arbitrarios por medio del parámetro id en el archivo wp-admin/admin.php. The Event List plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in versions before 0.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. WordPress Event List versions 0.7.8 and below suffer from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/42173 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •