CVE-2024-11278 – GD bbPress Attachments <= 4.7.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-11278
The GD bbPress Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.7.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/gd-bbpress-attachments/trunk/code/front.php#L280 https://plugins.trac.wordpress.org/changeset/3189863/gd-bbpress-attachments/trunk/code/front.php https://www.wordfence.com/threat-intel/vulnerabilities/id/6f598cfc-4d41-4d22-95f0-47efdb7d07a2?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-11198 – GD Rating System <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via extra_class Parameter
https://notcve.org/view.php?id=CVE-2024-11198
The GD Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘extra_class’ parameter in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/gd-rating-system/tags/3.6.1/d4plib/plugin/d4p.shortcodes.php#L63 https://plugins.trac.wordpress.org/changeset/3189622 https://wordpress.org/plugins/gd-rating-system/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/66cad18d-a433-47f1-9cb6-c619c8717a0d?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-18591 – GD Rating System < 2.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18591
The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php. El plugin gd-rating-system antes de 2.1 para WordPress tiene XSS en log.php. The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php via the status parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wordpress.org/plugins/gd-rating-system/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •