CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12329 – Essential Real Estate <= 5.1.6 - Missing Authorization to Authenticated (Contributor+) Information Exposure
https://notcve.org/view.php?id=CVE-2024-12329
The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3204549%40essential-real-estate&new=3204549%40essential-real-estate&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/fa5b1bf3-344e-4ae6-87b9-2dcaafd417a5?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4274 – Essential Real Estate <= 4.4.2 - Insecure Direct Object Reference to Arbitrary Attachment Deletion
https://notcve.org/view.php?id=CVE-2024-4274
The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments. El complemento Essential Real Estate para WordPress es vulnerable a la pérdida no autorizada de datos debido a una validación insuficiente de la función remove_property_attachment_ajax() en todas las versiones hasta la 4.4.2 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen archivos adjuntos arbitrarios. • https://plugins.trac.wordpress.org/browser/essential-real-estate/trunk/public/partials/property/class-ere-property.php#L28 https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc41eb7-5c9a-4a67-902d-9a855840668b?source=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4273 – Essential Real Estate <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2024-4273
The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Essential Real Estate para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del código corto 'ere_property_map' del complemento en todas las versiones hasta la 4.4.2 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://wordpress.org/plugins/essential-real-estate https://www.wordfence.com/threat-intel/vulnerabilities/id/c62ec31a-55e9-4404-b860-fa9a51ba3d3f?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3933 – Essential Real Estate < 3.9.6 - Reflected Cross-Site-Scripting
https://notcve.org/view.php?id=CVE-2022-3933
The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks. El complemento Essential Real Estate de WordPress anterior a 3.9.6 no sanitiza y escapa a algunos parámetros, lo que podría permitir a los usuarios con un rol tan bajo como Administrador realizar ataques de Cross-Site Scripting. The Essential Real Estate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.9.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/6395f3f1-5cdf-4c55-920c-accc0201baf4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •