NotCVE - vendor:"Futuriowp"

5 results (0.005 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-10695 – Futurio Extra <= 2.0.13 - Authenticated (Contributor+) Post Disclosure

https://notcve.org/view.php?id=CVE-2024-10695

11 Nov 2024 — The Futurio Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.0.13 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts that they should not have access to. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3184380%40futurio-extra&new=3184380%40futurio-extra&sfp_email=&sfph_mail=#file3 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-5646 – Futurio Extra <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Text Block Widget

https://notcve.org/view.php?id=CVE-2024-5646

11 Jun 2024 — The Futurio Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘header_size’ attribute within the Advanced Text Block widget in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Futurio Extra para WordPress es vulnerable a... • https://plugins.trac.wordpress.org/browser/futurio-extra/tags/2.0.5/inc/elementor/widgets/advanced-text-block.php#L265 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-40201 – WordPress Futurio Extra Plugin <= 1.8.4 is vulnerable to Cross Site Request Forgery (CSRF)

https://notcve.org/view.php?id=CVE-2023-40201

11 Aug 2023 — Cross-Site Request Forgery (CSRF) vulnerability in FuturioWP Futurio Extra plugin <= 1.8.4 versions leads to activation of arbitrary plugin. La vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento FuturioWP Futurio Extra en versiones <= 1.8.4 conduce a la activación de un complemento arbitrario. The Futurio Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.2. This is due to missing or incorrect nonce validation on the 'futurio_ex... • https://patchstack.com/database/vulnerability/futurio-extra/wordpress-futurio-extra-plugin-1-8-2-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1

CVE-2021-25110 – Futurio Extra < 1.6.3 - Subscriber+ User Email Address Disclosure

https://notcve.org/view.php?id=CVE-2021-25110

14 Jan 2022 — The Futurio Extra WordPress plugin before 1.6.3 allows any logged in user, such as subscriber, to extract any other user's email address. El plugin Futurio Extra de WordPress versiones anteriores a 1.6.3 permitía que cualquier usuario conectado, incluso un suscriptor, pudiera extraer la dirección de correo electrónico de cualquier otro usuario • https://wpscan.com/vulnerability/b655fc21-47a1-4786-8911-d78ab823c153 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

CVE-2021-25109 – Futurio Extra < 1.6.3 - Authenticated SQL Injection

https://notcve.org/view.php?id=CVE-2021-25109

04 Jan 2022 — The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link. El plugin Futurio Extra de WordPress versiones anteriores a 1.6.3, está afectado por una vulnerabilidad de inyección SQL que podría ser usada por usuarios con altos privilegios para extraer datos de la base de datos, así como... • https://wpscan.com/vulnerability/36261af9-3b34-4563-af3c-c9e54ae2d581 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •