
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The GD bbPress Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.7.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/gd-bbpress-attachments/trunk/code/front.php#L280 https://plugins.trac.wordpress.org/changeset/3189863/gd-bbpress-attachments/trunk/code/front.php https://www.wordfence.com/threat-intel/vulnerabilities/id/6f598cfc-4d41-4d22-95f0-47efdb7d07a2?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
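The add_query_arg() pattern behind this entry is worth seeing in code. When add_query_arg() is called without a $url argument it rebuilds the URL from $_SERVER['REQUEST_URI']: wp_parse_str() decodes the incoming query string and build_query() does not re-encode it, so a quote or angle bracket the visitor put in the request comes back raw in the return value. The snippet below is an added example, not code from the GD bbPress Attachments plugin; the function names and the pagination link are hypothetical, and it assumes a WordPress runtime (add_query_arg, esc_url).

```php
<?php
// Added example, not the plugin's own code. Hypothetical "Next" link on a
// plugin admin page; assumes WordPress is loaded.

// Vulnerable pattern: the unescaped return value of add_query_arg() lands in
// an href attribute. A constructed request such as
//   /wp-admin/edit.php?page=x&x=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// is decoded by wp_parse_str() and rebuilt without re-encoding, so the
// attribute is closed and the script tag is written into the page.
function gd_example_next_link_vulnerable( $paged ) {
    $url = add_query_arg( 'paged', (int) $paged + 1 );
    return '<a href="' . $url . '">Next</a>';
}

// Hardened pattern: esc_url() strips characters that are not valid in a URL
// (including ", < and >), entity-encodes & and ', and rejects disallowed
// schemes such as javascript:, so the attribute cannot be broken out of.
function gd_example_next_link_fixed( $paged ) {
    $url = add_query_arg( 'paged', (int) $paged + 1 );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// The same applies when the URL is echoed rather than returned, and to
// remove_query_arg(), which calls add_query_arg() internally.
function gd_example_reset_link_fixed() {
    echo '<a href="' . esc_url( remove_query_arg( array( 'paged', 's' ) ) ) . '">Reset</a>';
}
```

A quick audit check for a plugin code base is to list every add_query_arg() and remove_query_arg() call whose result is echoed or concatenated into markup and confirm each one passes through esc_url() (or esc_url_raw() when the value is used in a redirect or header rather than in HTML).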

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Authenticated Stored Cross-Site Scripting (XSS) vulnerability in GD bbPress Attachments plugin <= 4.3.1 on WordPress. The GD bbPress Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/gd-bbpress-attachments/wordpress-gd-bbpress-attachments-plugin-4-3-1-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
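The description names the two missing controls, input sanitization and output escaping, so here is what each looks like for a plugin settings field. This is an added example, not code from GD bbPress Attachments; the option name gd_example_options and its label/mode fields are hypothetical, and it assumes a WordPress runtime. One caveat a practitioner should keep in mind: on a single-site install administrators normally hold the unfiltered_html capability, so stored XSS reachable only by admins matters mostly where that capability is removed (multisite, or DISALLOW_UNFILTERED_HTML), which is why the entry is rated 5.5.

```php
<?php
// Added example, not the plugin's own code. Hypothetical option
// 'gd_example_options' with a free-text 'label' and a bounded 'mode'.

// Vulnerable pattern: the submitted value is stored verbatim and echoed
// verbatim, so a payload saved once fires for every later visitor to the page.
function gd_example_save_vulnerable() {
    if ( isset( $_POST['gd_example_label'] ) ) {
        update_option( 'gd_example_label', wp_unslash( $_POST['gd_example_label'] ) );
    }
}

function gd_example_field_vulnerable() {
    echo '<input type="text" name="gd_example_label" value="'
        . get_option( 'gd_example_label', '' ) . '">';
}

// Hardened pattern, step 1: sanitize on save. The Settings API runs this
// callback on every write to the option (options.php has already unslashed
// the POST data, so no wp_unslash() here). Free text is reduced to plain
// text; the bounded field only survives if it matches a known value.
function gd_example_sanitize_options( $input ) {
    $clean = array();
    $clean['label'] = isset( $input['label'] ) ? sanitize_text_field( $input['label'] ) : '';
    $allowed_modes  = array( 'inline', 'link' );
    $clean['mode']  = ( isset( $input['mode'] ) && in_array( $input['mode'], $allowed_modes, true ) )
        ? $input['mode']
        : 'inline';
    return $clean;
}

function gd_example_register_settings() {
    register_setting(
        'gd_example_group',
        'gd_example_options',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'gd_example_sanitize_options',
            'default'           => array( 'label' => '', 'mode' => 'inline' ),
        )
    );
}
add_action( 'admin_init', 'gd_example_register_settings' );

// Hardened pattern, step 2: escape on output for the exact context.
// esc_attr() inside an attribute, esc_html() inside a text node.
function gd_example_field_fixed() {
    $opts = get_option( 'gd_example_options', array( 'label' => '', 'mode' => 'inline' ) );
    echo '<input type="text" name="gd_example_options[label]" value="'
        . esc_attr( $opts['label'] ) . '">';
    echo '<p class="description">Current label: ' . esc_html( $opts['label'] ) . '</p>';
}
```

Sanitizing on save is not a substitute for escaping on output: the option may already hold old data written before the callback existed, or be written by another code path, so the output side has to assume the stored value is untrusted.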

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 2

Directory traversal vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the tab parameter in the gdbbpress_attachments page to wp-admin/edit.php. • https://packetstormsecurity.com/files/132656/wpgdbbpress-lfi.txt https://security.dxw.com/advisories/local-file-include-vulnerability-in-gd-bbpress-attachments-allows-attackers-to-include-arbitrary-php-files https://wordpress.org/plugins/gd-bbpress-attachments/changelog https://wpvulndb.com/vulnerabilities/8087 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVSS: 6.1 | EPSS: 1% | CPEs: 1 | EXPL: 3

Cross-site scripting (XSS) vulnerability in forms/panels.php in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter in the gdbbpress_attachments page to wp-admin/edit.php. • http://packetstormsecurity.com/files/132657/WordPress-GD-bbPress-Attachments-2.1-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Jul/53 https://security.dxw.com/advisories/reflected-xss-in-gd-bbpress-attachments-allows-an-attacker-to-do-almost-anything-an-admin-can https://wordpress.org/plugins/gd-bbpress-attachments/changelog https://wpvulndb.com/vulnerabilities/8088 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
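The two pre-2.3 entries share one root cause: the tab query parameter of the plugin's admin page reaches two sinks, an include statement (the directory traversal entry) and the page output (this entry). The example below shows that shape and the single fix that closes both, an allowlist of tab keys. It is an added example, not the plugin's own code: the function names, the forms/panels/ layout and the panel names are hypothetical, and it assumes a WordPress runtime (sanitize_key, esc_html, wp_die).

```php
<?php
// Added example, not the plugin's own code. Hypothetical admin page whose
// 'tab' parameter picks a panel file under forms/panels/ and is echoed as
// the active tab heading.

// Vulnerable pattern: one untrusted value feeds both sinks.
//   ?tab=../../../../wp-config           -> the include walks out of forms/panels/
//                                           (the appended .php limits this variant
//                                           to PHP files)
//   ?tab=%3Cscript%3Ealert(1)%3C/script%3E -> decoded by PHP and echoed unescaped,
//                                           with the admin's session in the browser
function gd_example_panel_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<h2>' . $tab . '</h2>';
    include dirname( __FILE__ ) . '/forms/panels/' . $tab . '.php';
}

// Hardened pattern: the request may only select a key from a fixed map. Both the
// heading text and the file name are taken from the map, never from the request,
// so neither sink ever sees attacker-controlled bytes.
function gd_example_panel_fixed() {
    $panels = array(
        'general' => 'General',
        'upload'  => 'Upload',
        'display' => 'Display',
    );

    // sanitize_key() lowercases and strips everything outside [a-z0-9_-];
    // the array_key_exists() check is the real control.
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! array_key_exists( $tab, $panels ) ) {
        $tab = 'general'; // unknown tab: fall back, do not reflect the bad value
    }

    echo '<h2>' . esc_html( $panels[ $tab ] ) . '</h2>';

    // Defence in depth: build the path from the validated key only and confirm
    // the resolved file still lives inside the panels directory.
    $base = realpath( __DIR__ . '/forms/panels' );
    $file = realpath( $base . '/' . $tab . '.php' );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Unknown settings panel.' );
    }
    include $file;
}
```

The "remote administrators" wording in the traversal entry and the dxw title "do almost anything an admin can" for this one describe the same trust boundary from two sides: the page itself is only reachable by administrators, but a reflected XSS link sent to an administrator runs with that administrator's session, which is what turns the lower-rated XSS into a path to the include.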