14 results (0.015 seconds)

CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Formilla Live Chat by Formilla plugin <= 1.3 versions. The Formilla Chat and Marketing Automation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'FormillaID' parameter in versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/formilla-live-chat/wordpress-live-chat-by-formilla-real-time-chat-chatbots-plugin-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisp_plugin_settings_page function found in the ~/crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 0.31. El plugin Crisp Live Chat de WordPress es vulnerable a un ataque de tipo Cross-Site Request Forgery debido a la falta de comprobación de nonce por medio de la función crisp_plugin_settings_page que es encontrada en el archivo ~/crisp.php, lo que permite a atacantes inyectar scripts web arbitrarios en las versiones hasta 0.31 incluyéndola • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2643954%40crisp&new=2643954%40crisp&sfp_email=&sfph_mail= https://www.wordfence.com/vulnerability-advisories/#CVE-2021-43353 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism. El plugin WP Live Chat Support versiones anteriores a 8.0.33 para WordPress, acepta determinadas llamadas de la API REST sin invocar el mecanismo de protección en la función wplc_api_permission_check. • https://plugins.trac.wordpress.org/changeset/2098577/wp-live-chat-support/trunk https://plugins.trac.wordpress.org/log/wp-live-chat-support https://wordpress.org/plugins/wp-live-chat-support/#developers • CWE-862: Missing Authorization •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page. El plugin wp-live-chat-support anterior a la versión 8.0.27 para WordPress tiene XSS a través de la página GDPR. • https://wordpress.org/plugins/wp-live-chat-support/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1

The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending "magic bytes" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST api remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension. • https://wordpress.org/plugins/wp-live-chat-support/#developers https://wp-livechat.com https://wpvulndb.com/vulnerabilities/9320 • CWE-434: Unrestricted Upload of File with Dangerous Type •